> Inside the msg is the information logged by sshd regarding who, what, when, 
> where, and result. Uid is given because they have successfully identified 
> themselves to the system and it's shorter. Going from uid to acct name is easy 
> and you never know when people change their name string causing lookup 
> errors.
> 
> In the case where we log a message pre-authentication, you get acct since it 
> did not correlate to a uid.

I think it would be nice if the success message and the failure
message had the same information, so acct in both cases if that's
all we can get for the failure case.  This is what we see now:

type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0
auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0:
exe="/usr/sbin/sshd" (hostname=16.116.117.213, addr=2.0.0.0,
terminal=/dev/pts/3 res=success)'

type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0
auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255
msg='acct=root: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=sshd
res=failed)'

Do you know why we often get an addr of 2.0.0.0?  Also, why does
terminal=sshd in the failure case?  And are we not able to get
the hostname and other info in that case?

-- ljk
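As an added illustration of the point raised in this message (not code from the list or from the audit project), the following parses the two USER_LOGIN records quoted above into one common shape, so that a consumer sees `uid` on success and `acct` on failure without special-casing each format. The record layout, field names and values are taken exactly from the quoted lines, re-joined onto single lines; the helper names (`parse_record`, `summarize_login`, `resolve_identity`) and the treatment of `?` as a missing value are assumptions of this example.

```python
import re

try:
    import pwd  # uid -> account name lookup; only available on Unix
except ImportError:  # pragma: no cover
    pwd = None

# The two USER_LOGIN records quoted in the message above, re-joined onto one line each.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0 "
    "auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0: "
    "exe=\"/usr/sbin/sshd\" (hostname=16.116.117.213, addr=2.0.0.0, "
    "terminal=/dev/pts/3 res=success)'",
    "type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0 "
    "auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 "
    "msg='acct=root: exe=\"/usr/sbin/sshd\" (hostname=?, addr=?, terminal=sshd "
    "res=failed)'",
]

# (unsigned)-1: the login uid was never set, i.e. no authenticated session exists yet.
UNSET_AUID = "4294967295"

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (with escapes) or a run of non-space.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _kv(text):
    """Extract key=value pairs, dropping the ':' ',' ')' separators that trail values
    in the daemon payload and treating '?' as 'not available'."""
    out = {}
    for key, raw in KV_RE.findall(text):
        val = raw.rstrip(",:)").strip('"')
        out[key] = None if val == "?" else val
    return out


def parse_record(line):
    """Split an audit line into its kernel header fields and the daemon's msg='...' payload."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    outer, sep, inner = m.group("rest").partition("msg='")
    if sep:
        inner = inner.rstrip().rstrip("'")
    return {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": _kv(outer),   # pid, uid, auid, subj ...
        "payload": _kv(inner),  # what sshd put inside msg='...'
    }


def summarize_login(line):
    """Normalize a USER_LOGIN record into one shape for both the success and failure forms."""
    rec = parse_record(line)
    if rec["type"] != "USER_LOGIN":
        raise ValueError("expected USER_LOGIN, got %s" % rec["type"])
    p = rec["payload"]
    return {
        "serial": rec["serial"],
        "success": p.get("res") == "success",
        # Success records identify the user by uid, failure records by acct; keep both slots.
        "uid": p.get("uid"),
        "acct": p.get("acct"),
        "hostname": p.get("hostname"),
        "addr": p.get("addr"),
        "terminal": p.get("terminal"),
        "auid_set": rec["fields"].get("auid") not in (None, UNSET_AUID),
    }


def resolve_identity(summary):
    """Prefer the account name when the record has one; otherwise map uid -> name,
    falling back to a 'uid:N' label when the lookup fails (e.g. a renamed or removed user)."""
    if summary["acct"] is not None:
        return summary["acct"]
    uid = summary["uid"]
    if uid is None:
        return "unknown"
    if pwd is not None:
        try:
            return pwd.getpwuid(int(uid)).pw_name
        except (KeyError, ValueError):
            pass
    return "uid:%s" % uid


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        s = summarize_login(line)
        print(s["serial"], "success" if s["success"] else "FAILED",
              resolve_identity(s), s["hostname"], s["addr"], s["terminal"])
```

Run as a script it prints one line per record; the failure record shows `None` for hostname and addr, matching the `?` values in the original, and its `auid_set` flag is false because `auid=4294967295` means no login uid had been assigned yet.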

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp