On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote:
> On my machine with audit 2.3.6 the following call to aulast is only
> displaying the "reboot" pseudo-users and not the actual logins:
>
> ausearch --start this-month --raw | aulast --stdin
>
> Passing the "--bad" option to aulast, seems to correctly return the
> failed login attempt.
>
> Also, adding the login name to the aulast command doesn't seem to work
> at all even with the --bad option.
>
> OTOH, the aulastlog command seems to work as expected.
>
> An idea?

Would this happen to be a system with a recent GDM and systemd? If so, they are known to be messing up the audit trail. I am trying to write a system validation test suite to spot issues like this. If you look at gdm, it's sending duplicate events. Systemd events don't make it to audit all the time. It's a mess on the desktop right now.

-Steve
