Steve Grubb wrote:
> On Wednesday 20 September 2006 12:58, Linda Knippers wrote:
>
>>>In the case where we log a message pre-authentication, you get acct since
>>>it did not correlate to a uid.
>>
>>I think it would be nice if the success message and the failure
>>message had the same information, so acct in both cases if that's
>>all we can get for the failure case.
>
>
> The audit system throughout has favored uids to names for compactness. Also
> users can change their name but rarely their uid. In all the trusted apps,
> the uid is more trustworthy since it has already been verified.
>
>
>>type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0
>>auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0:
>>exe="/usr/sbin/sshd" (hostname=16.116.117.213, addr=2.0.0.0,
>>terminal=/dev/pts/3 res=success)'
>>
>>type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0
>>auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255
>>msg='acct=root: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=sshd
>>res=failed)'
>>
>>Do you know why we often get an addr of 2.0.0.0?
>
>
> I'd have to trace through the code and know about your network.

I don't think it's related to our network. I noticed that Loulwa's example
also had a 2.0.0.0 address.

>>Also, why does terminal=sshd in the failure case?
>
>
> I think the terminal isn't claimed until session open.
>
>
>>And are we not able to get the hostname and other info in that case?
>
>
> I'd have to look at the code. Patches are welcome... :)
>
> -Steve
>
> --
> redhat-lspp mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/redhat-lspp
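
An added example, not part of the original message or of the audit project's code: a parser for the two USER_LOGIN records quoted above that keeps the uid/acct asymmetry explicit and maps auid=4294967295 (the unset login uid) and `?` values to None. The function name, regexes and output field names are assumptions made for this illustration.

```python
import re

UNSET_AUID = 4294967295  # (uint32)-1: login uid not set (pre-authentication)

# Constructed sample input: the two records quoted in the thread, each joined onto one line.
SAMPLE = [
    "type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0 "
    "auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0: "
    "exe=\"/usr/sbin/sshd\" (hostname=16.116.117.213, addr=2.0.0.0, "
    "terminal=/dev/pts/3 res=success)'",
    "type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0 "
    "auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 "
    "msg='acct=root: exe=\"/usr/sbin/sshd\" (hostname=?, addr=?, terminal=sshd "
    "res=failed)'",
]

HEADER = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*?) msg='(.*)'$")
INNER = re.compile(r"(uid|acct)=([^:]+): exe=\"([^\"]+)\" \((.*)\)$")

def parse_user_login(line):
    """Parse one record in the layout quoted in the thread (hypothetical helper)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record in the quoted layout")
    rtype, ts, serial, outer, inner = m.groups()
    rec = {"type": rtype, "time": float(ts), "serial": int(serial)}
    # Outer fields describe the reporting process (sshd), not the login subject.
    for tok in outer.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    auid = int(rec["auid"])
    rec["auid"] = None if auid == UNSET_AUID else auid
    im = INNER.match(inner)
    if not im:
        raise ValueError("unexpected inner msg layout")
    kind, value, exe, paren = im.groups()
    # Keep the kind: "uid" is a verified id, "acct" is an unverified name as typed.
    rec["subject"] = (kind, value)
    rec["exe"] = exe
    for tok in paren.replace(",", " ").split():
        key, val = tok.split("=", 1)
        rec[key] = None if val == "?" else val
    return rec

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(parse_user_login(sample_line))
```

Keeping the subject as a (kind, value) pair lets a consumer correlate success and failure records without treating an unverified account name as if it were a verified uid.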
