Printable View
Hi:
What rules need to be set up for auditd to log every login attempt? The samples I've been able to find all show how to log changes to specific files (such as /etc/group), but I can't find any that show how to log login attempts. Nor can I find examples of system calls, although the audit.rules examples do say that you can log specific system calls.
Thanks!
Hi,Quote:
Originally Posted by klehman
Try the rules posted here.
I could not test them on my RHEL 4.x box, b/c audit is broke on that distro, but if it doesn't work for you, post back and we'll try to help you.
Thanks for the suggestion.
The rules didn't generate any errors. But when I try to verify, I don't see any entries. Here's how I tried to verify:
ausearch -ts today -k logins
any other suggestions for how to test?
hmm...the ausearch command doesn't show my login attempts either. but aureport does. try that maybe.Quote:
Originally Posted by klehman
Edit:
1. Forgot to ask, did you restart auditd after making changes?
2. Try this ausearch command, it ended up working for me:
Code:ausearch -ts today -m USER_AUTH
Thanks, it turned out that system calls weren't enabled. So I added -e 1 to the audit rules. Now it's logging more than I want/need. Do you know how to tell it to ignore certain types of calls?
I was under the impression that auditd only logs what you tell it to log (i.e., what rules you add to audit.rules file or via the auditctl command). post your audit.rules, or the output of auditctl -l (that is a lower case L) and maybe someone here will be able to help you decipher it.Quote:
Originally Posted by klehman
Thanks for the suggestion and help. We've had to shutdown that server for other reasons. I'll visit again if I need more help.