Use Auditd to audit login (success and failure)

**klehman** · 10-18-2012

Hi:

What rules need to be set up for auditd to log every login attempt? The samples I've been able to find all show how to log changes to specific files (such as /etc/group), but I can't find any that show how to log login attempts. Nor can I find examples of system calls, although the audit.rules examples do say that you can log specific system calls.

Thanks!

***atreyu*** · 10-19-2012

Originally Posted by klehman

Hi:

What rules need to be set up for auditd to log every login attempt? The samples I've been able to find all show how to log changes to specific files (such as /etc/group), but I can't find any that show how to log login attempts. Nor can I find examples of system calls, although the audit.rules examples do say that you can log specific system calls.

Thanks!

Hi,

Try the rules posted here.

I could not test them on my RHEL 4.x box, b/c audit is broke on that distro, but if it doesn't work for you, post back and we'll try to help you.

**klehman** · 10-19-2012

Thanks for the suggestion.

The rules didn't generate any errors. But when I try to verify, I don't see any entries. Here's how I tried to verify:

ausearch -ts today -k logins

any other suggestions for how to test?

***atreyu*** · 10-20-2012

Originally Posted by klehman

The rules didn't generate any errors. But when I try to verify, I don't see any entries. Here's how I tried to verify:

ausearch -ts today -k logins

any other suggestions for how to test?

hmm...the ausearch command doesn't show my login attempts either. but aureport does. try that maybe.

Edit:

1. Forgot to ask, did you restart auditd after making changes?

2. Try this ausearch command, it ended up working for me:

Code:

ausearch -ts today -m USER_AUTH

**klehman** · 10-23-2012

Thanks, it turned out that system calls weren't enabled. So I added -e 1 to the audit rules. Now it's logging more than I want/need. Do you know how to tell it to ignore certain types of calls?

***atreyu*** · 10-23-2012

Originally Posted by klehman

Thanks, it turned out that system calls weren't enabled. So I added -e 1 to the audit rules. Now it's logging more than I want/need. Do you know how to tell it to ignore certain types of calls?

I was under the impression that auditd only logs what you tell it to log (i.e., what rules you add to audit.rules file or via the auditctl command). post your audit.rules, or the output of auditctl -l (that is a lower case L) and maybe someone here will be able to help you decipher it.

**klehman** · 10-29-2012

Thanks for the suggestion and help. We've had to shutdown that server for other reasons. I'll visit again if I need more help.

Thread Tools

Display

Use Auditd to audit login (success and failure)

Posting Permissions