Re: [osol-discuss] Logging Telnet Sessions

2007-11-29 Thread Darren J Moffat
Rob Sandifer wrote:
 I am trying to find the following information regarding the logging of telnet 
 sessions within a Solaris 10 environment:
 
 (1)  How can I tell if the logging of telnet sessions is enabled on a Solaris 
 10 machine?
 
 (2)  Assuming that the logging of telnet sessions is not enabled, what is the 
 procedure of enabling the logging of a telnet session?
 
 I have already Googled these questions, but could not find any satisfactory 
 answers.  Any and all constructive replies will be appreciated.  Thanks!

What does logging mean in this context ?

Audit records for all login/logout events ?
Audit records for all commands run during a session ?
Audit records for all syscalls made ?

Keystroke logging ?

Something else ?

BTW since this is likely security related 
[EMAIL PROTECTED] is the more appropriate place.

-- 
Darren J Moffat
___
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org


Re: [osol-discuss] Logging Telnet Sessions

2007-11-29 Thread Rob Sandifer
Thanks for the heads-up on the security-discuss group!

To answer your question, I am interested in logging telnet logon/authentication 
events.  Thanks!

RobSand
 
 
This message posted from opensolaris.org


Re: [osol-discuss] Logging Telnet Sessions

2007-11-29 Thread Darren J Moffat
Rob Sandifer wrote:
 Thanks for the heads-up on the security-discuss group!
 
 To answer your question, I am interested in logging telnet 
 logon/authentication events.  Thanks!

Using Solaris Auditing to log detailed information about all logins:

Turn on Solaris Auditing using /etc/security/bsmconv

If you are only interested in login data then specify
only the class `lo` on the flags: line of /etc/security/audit_control.


An example successful event for a remote login to a machine braveheart
from a machine called hepcat:

| header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
| subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
| text,successful login


An example failed login event when coming in via ftp from newton:

| header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
| subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
| text,bad password
| return,failure,1

Similar records are generated for local logins, telnet, rlogin, rsh,
rexec, ftp, ssh, scp, and sftp.

To find all of the login events for user darrenm in December 1997:

# auditreduce -a 19971201 -b +31d -u darrenm -c lo | praudit


If you only wish to log the failed events then specify -lo, e.g.
 flags: -lo


Note: Solaris Auditing is not restricted to information about logins;
for more information see the Solaris Auditing section in docs.sun.com 
and read the following manual pages:

audit_control(4), auditreduce(1M), praudit(1M), auditd(1M), bsmconv(1M)

See http://docs.sun.com/app/docs/doc/816-4557/auditplan-6?a=view



-- 
Darren J Moffat
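An added example, not part of the message above: a small Python parser that groups `praudit` text output into records and counts failed logins per user and source host. The function names are hypothetical, and the token field positions are assumed from the two sample records quoted in the thread.

```python
from collections import Counter

# Constructed sample: the two praudit records quoted in the thread
# (leading "| " dropped), back to back as praudit would print them.
SAMPLE = """\
header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
text,successful login
header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
text,bad password
return,failure,1
"""

def parse_praudit(text):
    """Group praudit's one-token-per-line output into one dict per record."""
    records, rec = [], None
    for line in text.splitlines():
        line = line.strip().lstrip("| ")   # tolerate the "| " quoting prefix
        if not line:
            continue
        token, _, rest = line.partition(",")
        if token == "header":              # a header token starts a new record
            rec = {"event": rest.split(",")[2], "user": None,
                   "host": None, "text": None, "status": None}
            records.append(rec)
        elif rec is None:
            continue                       # stray token before any header
        elif token == "subject":
            fields = rest.split(",")
            rec["user"] = fields[0]               # audit ID (first field)
            rec["host"] = fields[-1].split()[-1]  # terminal ID ends with host
        elif token == "text":
            rec["text"] = rest
        elif token == "return":
            rec["status"] = rest.split(",")[0]    # e.g. "failure"
    return records

def failed_logins(records):
    """Count failures per (user, host); records lacking a return token are skipped."""
    return Counter((r["user"], r["host"]) for r in records
                   if r["status"] and r["status"].startswith("failure"))

if __name__ == "__main__":
    for (user, host), n in failed_logins(parse_praudit(SAMPLE)).items():
        print(f"{n} failed login(s) for {user} from {host}")
```

The first sample record carries no `return` token, so its status stays `None` and it is not counted as a failure.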