  1. #1
     Just Joined! (Join Date: Oct 2012, Posts: 4)

    Use Auditd to audit login (success and failure)


    Hi:

    What rules need to be set up for auditd to log every login attempt? The samples I've been able to find all show how to log changes to specific files (such as /etc/group), but I can't find any that show how to log login attempts. Nor can I find examples of system calls, although the audit.rules examples do say that you can log specific system calls.

    Thanks!

  2. #2
     Trusted Penguin (Join Date: May 2011, Posts: 4,353)
    Quote Originally Posted by klehman View Post
    Hi:

    What rules need to be set up for auditd to log every login attempt? The samples I've been able to find all show how to log changes to specific files (such as /etc/group), but I can't find any that show how to log login attempts. Nor can I find examples of system calls, although the audit.rules examples do say that you can log specific system calls.

    Thanks!
    Hi,

    Try the rules posted here.

    I could not test them on my RHEL 4.x box, because audit is broken on that distro, but if it doesn't work for you, post back and we'll try to help you.

  3. #3
     Just Joined! (Join Date: Oct 2012, Posts: 4)
    Thanks for the suggestion.

    The rules didn't generate any errors. But when I try to verify, I don't see any entries. Here's how I tried to verify:

    ausearch -ts today -k logins

    any other suggestions for how to test?

  5. #4
     Trusted Penguin (Join Date: May 2011, Posts: 4,353)
    Quote Originally Posted by klehman View Post
    The rules didn't generate any errors. But when I try to verify, I don't see any entries. Here's how I tried to verify:

    ausearch -ts today -k logins

    any other suggestions for how to test?
    Hmm, the ausearch command doesn't show my login attempts either, but aureport does. Try that, maybe.

    Edit:

    1. Forgot to ask, did you restart auditd after making changes?

    2. Try this ausearch command, it ended up working for me:

    Code:
    ausearch -ts today -m USER_AUTH
    Last edited by atreyu; 10-20-2012 at 03:12 AM. Reason: ausearch command

  6. #5
     Just Joined! (Join Date: Oct 2012, Posts: 4)
    Thanks, it turned out that system calls weren't enabled. So I added -e 1 to the audit rules. Now it's logging more than I want/need. Do you know how to tell it to ignore certain types of calls?

  7. #6
     Trusted Penguin (Join Date: May 2011, Posts: 4,353)
    Quote Originally Posted by klehman View Post
    Thanks, it turned out that system calls weren't enabled. So I added -e 1 to the audit rules. Now it's logging more than I want/need. Do you know how to tell it to ignore certain types of calls?
    I was under the impression that auditd only logs what you tell it to log (i.e., what rules you add to the audit.rules file or via the auditctl command). Post your audit.rules, or the output of auditctl -l (that is a lower-case L), and maybe someone here will be able to help you decipher it.

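    The thread's three findings (ausearch -k logins returned nothing, ausearch -m USER_AUTH did, and nothing appeared until -e 1 was set) fit together once you know where login records come from: PAM sends USER_AUTH / USER_LOGIN records to the audit daemon itself, so they need no rule at all, only a running auditd with auditing enabled (-e 1). The -k logins key, on the other hand, is attached only to records produced by a watch or syscall rule carrying that key, so "ausearch -k logins" finds nothing unless such a rule fired. The script below is an added example, not the rules linked in post #2 nor anything posted in the thread. It writes a small rules file (the watched paths /var/log/lastlog, /var/log/tallylog and /var/run/faillock/ are a common choice, assumed here, not taken from the thread) and then summarises login results from audit.log with plain grep/sed/awk, so it can be run against a copy of the log on a box where ausearch behaves oddly. The audit.log lines in SAMPLE_LOG are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): a minimal login-audit rules file
# plus a summary of PAM login results read straight from audit.log.
# The watched paths and the SAMPLE_LOG lines are constructed for illustration.
set -e

# Minimal rule set. The USER_AUTH / USER_LOGIN records that PAM emits need no
# rule; they only need auditd running with auditing enabled (-e 1). The -w
# watches are what give "ausearch -k logins" something to match, and they
# fire only when those files are actually written.
write_login_rules() {
    cat > "$1" <<'EOF'
## flush existing rules, then size the kernel buffer
-D
-b 8192
## files touched by login/PAM, keyed so "ausearch -k logins" can find them
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
## 0 = auditing disabled, 1 = enabled, 2 = enabled and locked until reboot
-e 1
EOF
}

# Count PAM login records per (type, account, result), e.g. "USER_AUTH root failed 3".
# Accepts both the quoted acct="name" form and the older bare acct=name / id=1000 form.
count_login_results() {
    grep -E '^type=(USER_AUTH|USER_LOGIN) ' "$1" \
    | sed -E 's/^type=([A-Z_]+) .* (acct|id)="?([^" ]+)"? .* res=([a-z]+).*$/\1 \3 \4/' \
    | sort | uniq -c | awk '{print $2, $3, $4, $1}'
}

# Source addresses with at least $2 failed USER_AUTH records: quick brute-force triage.
failed_auth_sources() {
    grep '^type=USER_AUTH ' "$1" | grep 'res=failed' \
    | sed -E 's/.* addr=([^ ]+) .*/\1/' | sort | uniq -c \
    | awk -v n="$2" '$1 >= n {print $2, $1}'
}

# Number of records carrying a given rule key; this is what "ausearch -k" matches on.
count_keyed_records() {
    grep -c "key=\"$2\"" "$1" || true
}

# Constructed sample of /var/log/audit/audit.log: three failed root logins over
# ssh from one address, one successful login, and one keyed file-write event.
SAMPLE_LOG=$(mktemp)
RULES=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$RULES"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=USER_AUTH msg=audit(1350700001.001:101): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1350700002.002:102): pid=2102 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1350700003.003:103): pid=2103 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=root exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1350700010.010:110): pid=2110 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="klehman" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1350700010.011:111): pid=2110 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1350700010.012:112): arch=c000003e syscall=2 success=yes exit=4 a0=7fff1c0a a1=441 a2=1b6 a3=0 items=1 ppid=2110 pid=2110 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="sshd" exe="/usr/sbin/sshd" key="logins"
EOF

write_login_rules "$RULES"   # load for real (as root) with: auditctl -R "$RULES"
count_login_results "$SAMPLE_LOG"
failed_auth_sources "$SAMPLE_LOG" 3
echo "records matching -k logins: $(count_keyed_records "$SAMPLE_LOG" logins)"
```

    Against the sample, the keyed count is 1 (only the SYSCALL record from the watch) while the PAM records show three failed root attempts from 192.0.2.10, which is exactly the split the thread ran into: search by message type (-m USER_AUTH) for login outcomes, and by key (-k logins) for the file-write rules. On a real host, point the functions at /var/log/audit/audit.log and run them as root.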
  8. #7
     Just Joined! (Join Date: Oct 2012, Posts: 4)
    Thanks for the suggestion and help. We've had to shutdown that server for other reasons. I'll visit again if I need more help.
