Hi,

The solution we use to audit SSH is to modify the audit flag of the SSHd process using the command auditconfig. We decided to set the audit flags to rs events. At first we audited more things but RealSecure auditreduce seems to only affect rs events. Consequently we had a problem with the size of the logs, which stopped the sensors.

Brice

--- Birk Richter <[EMAIL PROTECTED]> wrote:

> It is not a problem of RealSecure.
> It is a problem of BSM and SSH.
>
> In Solaris, the necessary initializing of the audit for
> processes is done by the Solaris System "login" program
> and only by the "login" program.
>
> The "login" program sets the Audit ID and the audit pmask
> for the user who is logging in.
>
> The default values for audit (Audit ID, pmask) are NO AUDIT.
>
> Therefore, no activities for daemons are visible in the
> audit data.
>
> The SSH daemon has its own function for doing the login job.
> This function knows nothing about audit.
>
> Therefore, no activities for SSH sessions are visible
> in the audit data.
>
> You can solve the problem by using SSH version 1.x.x with
> USELOGIN option. In which case, SSH uses for the login job
> the Solaris System "login" program. But only interactive
> SSH sessions are visible. SSH version 2.x.x does not have this
> option.
>
> For full audit of SSH sessions you must patch the SSHd code
> with the necessary audit functions.
>
> Birk
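As an added illustration that is not part of either message and is not Solaris or SSH code: a simplified Python model of the behaviour the thread describes, where only "login" initialises the Audit ID and pmask, child processes inherit them, and an event is recorded only if its class is in the process pmask. The class bit values, the UID 1001 and all function names are constructed for the example.

```python
from dataclasses import dataclass

AU_NOAUDIT = -1  # model placeholder for "no Audit ID assigned"
# Constructed bit values; on a real system they come from audit_class.
CLASSES = {"lo": 0x1, "ex": 0x2, "rs": 0x4}

def mask(flags):
    """Turn a comma-separated flag string such as 'lo,rs' into a bitmask."""
    m = 0
    for name in filter(None, (f.strip() for f in flags.split(","))):
        m |= CLASSES[name]
    return m

@dataclass
class Proc:
    name: str
    auid: int = AU_NOAUDIT   # default for daemons: no audit
    pmask: int = 0           # default preselection mask: nothing selected

    def fork(self, name):
        # Children inherit the Audit ID and preselection mask.
        return Proc(name, self.auid, self.pmask)

    def audited(self, event_class):
        # An event is recorded only if its class is in the pmask.
        return bool(self.pmask & CLASSES[event_class])

def system_login(parent, uid, user_flags):
    """The system "login" path: sets Audit ID and pmask for the user."""
    session = parent.fork("shell")
    session.auid, session.pmask = uid, mask(user_flags)
    return session

def sshd_own_login(sshd):
    """sshd's built-in login path: no audit initialisation happens."""
    return sshd.fork("shell")

def scenarios(user_flags="lo,ex,rs"):
    out = {}
    sshd = Proc("sshd")  # started at boot with the NO AUDIT defaults
    out["built-in login: ex"] = sshd_own_login(sshd).audited("ex")
    out["USELOGIN: ex"] = system_login(sshd, 1001, user_flags).audited("ex")
    # Workaround from the first message: set the daemon's pmask to rs.
    flagged = Proc("sshd", pmask=mask("rs"))
    session = sshd_own_login(flagged)
    out["pmask on sshd: rs"] = session.audited("rs")
    out["pmask on sshd: ex"] = session.audited("ex")
    out["pmask on sshd: auid set"] = session.auid != AU_NOAUDIT
    return out
```

In this model the pmask workaround makes rs events from SSH sessions visible, but the session still has no Audit ID, so its records cannot be tied to the user who logged in.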
