Comment 17 for bug 388746

This enables improved user session analysis. The audit logs can now be centrally aggregated and some regulatory statutes require companies to maintain them for a couple years. The utmp/wtmp files are not. The problem that this solves is that I can now determine which events belong to the same login session. If I get a bootup event, I now know that all the users in the system had their state changed to logged out since this would indicate a likely kernel oops. If I see a normal shutdown event without the users logged out, this is means that something terminated the session prematurely (dbus) and the user is now considered logged out. IOW, this helps to define boundaries around user sessions for analysis. There is a program in audit-1.7.9, aulast, that already uses these new events. In subsequent releases that tool will evolve into a session explorer tool.

Some of the newer security targets also require system bootup/shutdown in the audit logs.