RE: [Fed-Talk] Auditing using Common Criteria
- Subject: RE: [Fed-Talk] Auditing using Common Criteria
- From: "EXT-Traynor, Paul I" <email@hidden>
- Date: Mon, 17 Sep 2007 13:32:11 -0500
- Thread-topic: [Fed-Talk] Auditing using Common Criteria
Thanks very much. The proxy based on process ID will do the trick.
On a related note, what about logging of account lockout (NISPOM 8-602 (1)(f))?
We have verified that account lockout occurs as configured, but there is
no audit record of it that we can find.
-----Original Message-----
From: Todd Heberlein [mailto:email@hidden]
Sent: Thursday, September 13, 2007 7:51 PM
To: EXT-Traynor, Paul I
Cc: email@hidden
Subject: Re: [Fed-Talk] Auditing using Common Criteria
> We have checked the audit_classes file, and "lo" is present. We can see
> logon events, but no logoff events.
>
> Does anyone know if the system does record logoff events? If so,
> where?
Here is what I have discovered so far (I reserve the right to change
this as I gather more information):
(1) Remote logins via ssh generate both login and logout audit records.
(2) Logins from the console generate a login but *not* a logout record.
(2b) When the user who is logged in at the console logs out, the
process associated with the initial login record exits. So in effect,
the exit() of the login process serves as a proxy for a true logout
audit record.
For example, here is user "aheberle" logging in at a console and then
logging out. The process ID = 93.
header,68,1,loginwindow login,0,Thu Sep 13 17:20:43 2007, + 159 msec
subject,aheberle,root,wheel,aheberle,aheberle,93,93,50331650,0.0.0.0
return,success,0
trailer,68
... lots of records ...
header,68,1,exit(2),0,Thu Sep 13 17:21:14 2007, + 103 msec
subject,aheberle,aheberle,aheberle,aheberle,aheberle,93,93,50331650,0.0.0.0
return,success,0
trailer,68
I need to do some additional experiments, but this is what I
currently have. (side note: I audit with *everything* turned on).
Todd
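The PID-proxy idea above, worked through as an added example (not code from either poster): a small parser for praudit-style text records that pairs each "loginwindow login" record with the later exit(2) record carrying the same subject pid, so a console logout can be reconstructed even though no logout record is written. The sample records are constructed for this example; pid 93 mirrors the thread, and the extra exit for pid 120 (same session id, different pid) is there to show that only the login process's own exit counts.

```python
"""Reconstruct console logouts from BSM audit records in praudit text form.

Assumption (labelled): records are header/subject/return/trailer lines as in
the thread, with the event name in header field 3, the timestamp in header
field 5, the audit-uid in subject field 1 and the pid in subject field 6.
"""

# Constructed sample: a console login (pid 93), an unrelated child exit
# (pid 120, same session id 93) and finally the login process's own exit.
SAMPLE = """\
header,68,1,loginwindow login,0,Thu Sep 13 17:20:43 2007, + 159 msec
subject,aheberle,root,wheel,aheberle,aheberle,93,93,50331650,0.0.0.0
return,success,0
trailer,68
header,68,1,exit(2),0,Thu Sep 13 17:21:02 2007, + 12 msec
subject,aheberle,aheberle,aheberle,aheberle,aheberle,120,93,50331650,0.0.0.0
return,success,0
trailer,68
header,68,1,exit(2),0,Thu Sep 13 17:21:14 2007, + 103 msec
subject,aheberle,aheberle,aheberle,aheberle,aheberle,93,93,50331650,0.0.0.0
return,success,0
trailer,68
"""

LOGIN_EVENTS = {"loginwindow login"}  # the console login event seen in the thread


def parse_records(text):
    """Yield (event, timestamp, user, pid) for every header..trailer record."""
    event = stamp = user = pid = None
    for line in text.splitlines():
        tok = line.split(",")
        if tok[0] == "header":
            event, stamp = tok[3], tok[5].strip()
        elif tok[0] == "subject":
            user, pid = tok[1], int(tok[6])  # audit-uid and process id
        elif tok[0] == "trailer" and event is not None:
            yield event, stamp, user, pid
            event = stamp = user = pid = None


def reconstruct_sessions(text):
    """Pair each console login with the exit(2) of the same pid.

    Returns (closed, still_open): closed is a list of dicts with user, pid,
    login and logout timestamps; still_open maps pid -> (user, login time).
    Caveat: pids are reused by the kernel, so a very long trail should also
    compare timestamps or the session id rather than trust the pid alone.
    """
    open_logins, closed = {}, []
    for event, stamp, user, pid in parse_records(text):
        if event in LOGIN_EVENTS:
            open_logins[pid] = (user, stamp)
        elif event == "exit(2)" and pid in open_logins:
            user, login_stamp = open_logins.pop(pid)
            closed.append({"user": user, "pid": pid,
                           "login": login_stamp, "logout": stamp})
    return closed, open_logins
```

Run it over a real trail with `praudit /var/audit/<file> | python3 -c ...` only after checking that the record layout matches the assumption in the docstring; `still_open` lists console sessions whose login process has not yet exited.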