You could certainly do this via auditing <http://docs.sun.com/app/docs/doc/819-3321/audittm-1>.

Add the following flag to capture login/out events to /etc/security/audit_control:

dir:/var/audit
flags:lo
minfree:20
naflags:lo

To turn on auditing:

$ pfexec /etc/security/bsmconv

This will require a reboot.

You can view the audit logs as text, but it's nicer to view them as HTML as follows:

$ pfexec praudit -x /var/audit/*not_term* > audit.xml
$ xsltproc audit.xml > audit.html
$ firefox audit.html

Here's some sample output:

Event: login - ssh
time: 2010-06-16 10:22:33.206 -04:00 vers: 2 mod: host: paris
SUBJECT audit-uid: tstark uid: tstark gid: other ruid: tstark rgid: other pid: 3113 sid: 129960919 tid: 16181 202240 10.0.1.9
RETURN *errval: success retval: 0*

Event: logout
time: 2010-06-16 10:22:40.062 -04:00 vers: 2 mod: host: paris
SUBJECT audit-uid: tstark uid: tstark gid: other ruid: tstark rgid: other pid: 3113 sid: 129960919 tid: 16181 202240 10.0.1.9
RETURN errval: success retval: 0

Event: login - ssh
time: 2010-06-16 10:24:11.085 -04:00 vers: 2 mod: host: paris
SUBJECT audit-uid: -1 uid: -1 gid: -1 ruid: -1 rgid: -1 pid: 3157 sid: 2130311589 tid: 1653 71168 10.0.1.9
RETURN *errval: failure retval: No account present for user*

Event: login - ssh
time: 2010-06-16 10:24:48.914 -04:00 vers: 2 mod: host: paris
SUBJECT audit-uid: tstark uid: tstark gid: other ruid: tstark rgid: other pid: 3147 sid: 587079767 tid: 10731 136704 10.0.1.9
RETURN errval: success retval: 0

Event: login - ssh
time: 2010-06-16 10:25:20.052 -04:00 vers: 2 mod: host: paris
SUBJECT audit-uid: tstark uid: tstark gid: other ruid: tstark rgid: other pid: 3167 sid: 1036851571 tid: 3817 202240 10.0.1.9
RETURN *errval: failure retval: Authentication failed*

Regards,
Brian


Uncle Charlie wrote:
I would like to view attempts, successful or unsuccessful, to ssh into an
opensolaris box. Would it simply be a case of tweaking the sshd_config file or
would I have to direct the appropriate logging service to monitor ssh logins?

thanks
c

--
W Brian Leonard
Principal Product Manager
860.206.6093
http://blogs.sun.com/observatory
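
An added example, not part of the original message: a small Python parser for the record layout in the sample output above that collects failed ssh logins per source address. The sample records are constructed, and the parser assumes the report has been saved as text in that layout.

```python
import re

# Constructed records in the layout shown above; 192.0.2.9 is a documentation address.
SAMPLE = """\
Event: login - ssh
time: 2010-06-16 10:24:11.085 -04:00 vers: 2 mod: host: paris
SUBJECT audit-uid: -1 uid: -1 gid: -1 ruid: -1 rgid: -1 pid: 3157 sid: 2130311589 tid: 1653 71168 192.0.2.9
RETURN *errval: failure retval: No account present for user*

Event: login - ssh
time: 2010-06-16 10:25:20.052 -04:00 vers: 2 mod: host: paris
SUBJECT audit-uid: tstark uid: tstark gid: other ruid: tstark rgid: other pid: 3167 sid: 1036851571 tid: 3817 202240 192.0.2.9
RETURN *errval: failure retval: Authentication failed
*
Event: login - ssh
time: 2010-06-16 10:26:02.431 -04:00 vers: 2 mod: host: paris
SUBJECT audit-uid: tstark uid: tstark gid: other ruid: tstark rgid: other pid: 3170 sid: 587079767 tid: 10731 136704 192.0.2.9
RETURN errval: success retval: 0
"""

# One pattern per field; the source address is the last token of "tid:".
FIELDS = {
    "event": r"^Event: (.+)$",
    "time": r"^time: (\S+ \S+ \S+)",
    "uid": r"^SUBJECT .*?\suid: (\S+)",
    "source": r"\stid: \S+ \S+ (\S+)",
    "errval": r"^RETURN errval: (\S+)",
    "retval": r"^RETURN errval: \S+ retval: (.+)$",
}

def parse_records(text):
    """Split the rendered audit text into one dict per record."""
    text = text.replace("*", "")  # '*' are emphasis markers from the mail rendering
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hits = {k: re.search(p, block, re.M) for k, p in FIELDS.items()}
        rec = {k: m.group(1).strip() for k, m in hits.items() if m}
        if "event" in rec and "errval" in rec:  # skip incomplete blocks
            records.append(rec)
    return records

def failed_ssh_logins(records):
    """Map each source address to its failed ssh logins as (time, uid, reason)."""
    failures = {}
    for rec in records:
        if rec["event"] == "login - ssh" and rec["errval"] == "failure":
            entry = (rec.get("time"), rec.get("uid"), rec.get("retval"))
            failures.setdefault(rec.get("source", "unknown"), []).append(entry)
    return failures
```

Calling `failed_ssh_logins(parse_records(SAMPLE))` returns both failures under `192.0.2.9`; a uid of `-1` marks an attempt against an account that does not exist.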
