Le Wed, 04 Jun 2014 19:04:52 -0400, Steve Grubb <[email protected]> a écrit :
> On Thursday, June 05, 2014 12:42:39 AM Laurent Bigonville wrote: > > Le Wed, 04 Jun 2014 18:23:29 -0400, > > > > Steve Grubb <[email protected]> a écrit : > > > On Thursday, June 05, 2014 12:04:05 AM Laurent Bigonville wrote: > > > > On my machine with audit 2.3.6 the following call to aulast is > > > > only displaying the "reboot" pseudo-users and not the actual > > > > logins: > > > > > > > > ausearch --start this-month --raw | aulast --stdin > > > > > > > > Passing the "--bad" option to aulast, seems to correctly return > > > > the failed login attempt. > > > > > > > > Also, adding the login name to the aulast command doesn't seems > > > > to work at all even with the --bad option. > > > > > > > > OTOH, the aulastlog command seems to work as expected. > > > > > > > > An idea? > > > > > > Would this happen to be a system with a recent GDM and systemd? > > > If > > > > > > so, they are known to be messing up the audit trail. I am trying > > > to write a system validation test suite to spot issues like this. > > > If you look at gdm, its sending duplicate events. Systemd events > > > don't make it to audit all the time. Its a mess on the desktop > > > right now. > > > > Yes indeed I'm running gdm 3.12 and systemd 208. > > > > But I'm not seeing anything in aulast output when I'm login in on a > > tty. > > > > ausearch is however giving me this: > > > > bigon@fornost:~$ sudo ausearch -m ALL -ts 00:35|grep test > > type=USER_AUTH msg=audit(1401921359.577:1394): pid=15760 uid=0 > > auid=4294967295 ses=4294967295 > > subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 > > msg='op=PAM:authentication acct="test" exe="/bin/login" hostname=? > > addr=? terminal=/dev/tty1 res=success' > > type=USER_ACCT msg=audit(1401921359.577:1395): pid=15760 uid=0 > > auid=4294967295 ses=4294967295 > > subj=system_u:system_r:local_login_t:s0- s0:c0.c1023 > > msg='op=PAM:accounting acct="test" exe="/bin/login" hostname=? > > addr=?> terminal=/dev/tty1 res=success' > > You are missing a type=LOGIN event right here. If you do a "cat > /proc/self/loginuid" and its set to something besides -1, we have a > kernel bug. > Actually, my grepping was wrong, I'm seeing this the following line too: type=LOGIN msg=audit(1401921359.597:1397): pid=15760 uid=0 old-auid=4294967295 new-auid=1002 old-ses=4294967295 new-ses=66 res=1 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
