Ok, when I try to login as testuser/[EMAIL PROTECTED], but testuser isn't allowed as sysadm_r, I get:
type=USER_AUTH msg=audit(1170871741.978:4373): user pid=18653 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: authentication acct=testuser : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=success)'

type=USER_ACCT msg=audit(1170871741.982:4374): user pid=18653 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: accounting acct=testuser : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=success)'

type=USER_ERR msg=audit(1170871741.992:4375): user pid=18651 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=failed)'

Note that, from the above, we can't tell that a user was trying to access an invalid context (and what context). Same thing happens when the user successfully logs in using a non-default role/level - no audit record telling what kind of transition was made.

In previous refreshes, we needed to use 'newrole' and both success and failures were audited as 'USER_ROLE_CHANGE' records.

I must ask: is this the expected behavior and is this ok with the certification requirements?

Klaus

--
.:klaus h kiwi <[EMAIL PROTECTED]>:.
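An added example, not part of the original post: a small Python check that runs over the three records quoted above and reports a failed USER_ERR that follows a successful PAM authentication with no USER_ROLE_CHANGE record nearby. The function names, the one-second window and the address/terminal correlation are assumptions made for this sketch.

```python
import re

# The three audit records quoted in the post, verbatim.
RECORDS = """
type=USER_AUTH msg=audit(1170871741.978:4373): user pid=18653 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: authentication acct=testuser : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ACCT msg=audit(1170871741.982:4374): user pid=18653 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: accounting acct=testuser : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=success)'
type=USER_ERR msg=audit(1170871741.992:4375): user pid=18651 uid=0 auid=4294967295 subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 msg='PAM: bad_ident acct=? : exe="/usr/sbin/sshd" (hostname=alex.ltc.br.ibm.com, addr=127.0.0.1, terminal=ssh res=failed)'
""".strip().splitlines()

HEAD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): user pid=(\d+)")
BODY = re.compile(r"msg='PAM: (\w+) acct=(\S+) .*addr=([^,]+), terminal=(\S+) res=(\w+)\)'")

def parse(line):
    """Return the fields used below, or None if the line is not an audit record."""
    h = HEAD.search(line)
    if not h:
        return None
    rec = {"type": h[1], "time": float(h[2]), "serial": int(h[3]), "pid": int(h[4])}
    b = BODY.search(line)  # only the PAM-style records carry these fields
    if b:
        rec.update(op=b[1], acct=b[2], addr=b[3], terminal=b[4], res=b[5])
    return rec

def unexplained_failures(lines, window=1.0):
    """Failed USER_ERR records preceded, within `window` seconds, by a successful
    USER_AUTH from the same address and terminal, with no USER_ROLE_CHANGE record
    in that window. The failure itself has acct=? and a different pid, so the
    account can only be inferred by this time/address heuristic (an assumption)."""
    events = [e for e in map(parse, lines) if e]
    findings = []
    for err in events:
        if err["type"] != "USER_ERR" or err.get("res") != "failed":
            continue
        near = [e for e in events if 0 <= err["time"] - e["time"] <= window]
        auth = [e for e in near if e["type"] == "USER_AUTH" and e.get("res") == "success"
                and e.get("addr") == err["addr"] and e.get("terminal") == err["terminal"]]
        role_change = any(e["type"] == "USER_ROLE_CHANGE" for e in near)
        if auth and not role_change:
            findings.append({"serial": err["serial"], "acct": auth[-1]["acct"],
                             "op": err["op"], "same_pid": auth[-1]["pid"] == err["pid"]})
    return findings

if __name__ == "__main__":
    print(unexplained_failures(RECORDS))
```

The result names the inferred account and the failed PAM operation, but no requested role or level, because none of the three records contains one.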
