Rob Sandifer wrote:
Thanks for the heads-up on the security-discuss group!
To answer your question, I am interested in logging telnet
logon/authentication events. Thanks!
Using Solaris Auditing to log detailed information about all logins:
Turn on Solaris Auditing using /etc/security/bsmconv
If you are only interested in login data then specify
only the class `lo` on the flags: line of /etc/security/audit_control.
An example successful event for a remote login to a machine braveheart
from a machine called hepcat:
| header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
| subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
| text,successful login
An example failed login event when coming in via ftp from newton:
| header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
| subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
| text,bad password
| return,failure,1
Similar records are generated for local logins, telnet, rlogin, rsh,
rexec, ftp, ssh, scp, and sftp.
To find all of the login events for user darrenm in December 1997:
# auditreduce -a 19971201 -b +31d -u darrenm -c lo | praudit
If you only wish to log the failed events then specify -lo, e.g.
flags: -lo
Note: Solaris Auditing is not restricted to information about logins;
for more information see the Solaris Auditing section in docs.sun.com
and read the following manual pages:
audit_control(4), auditreduce(1M), praudit(1M), auditd(1M), bsmconv(1M)
See http://docs.sun.com/app/docs/doc/816-4557/auditplan-6?a=view
--
Darren J Moffat
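
The following is an added example, not part of the message above and not Solaris code: a small parser that turns `praudit` text output such as the two records quoted in the message into per-user, per-host counts of failed logins. The token field positions are assumptions inferred from those two sample records, and the function names `parse_records` and `failed_logins` are hypothetical.

```python
# Added example: parse praudit text records like the two quoted in the message.
# Field positions are assumed from those samples; SAMPLE is copied from them.
SAMPLE = """\
header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
text,successful login
header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
text,bad password
return,failure,1
"""

def parse_records(lines):
    """Group praudit tokens into one dict per record; 'header' starts a record."""
    records, current = [], None
    for raw in lines:
        line = raw.strip()
        if line.startswith("|"):            # tolerate the "| " prefix used in the mail
            line = line[1:].strip()
        fields = line.split(",")
        token = fields[0]
        if token == "header" and len(fields) >= 6:
            # event name is the 4th field; the time precedes the trailing msec field
            current = {"event": fields[3], "time": fields[-2].strip(),
                       "user": None, "host": None, "text": None, "status": None}
            records.append(current)
        elif current is None:
            continue                         # token seen before any header: skip it
        elif token == "subject" and len(fields) >= 9:
            current["user"] = fields[1]      # first subject field (audit ID)
            current["host"] = fields[8].split()[-1]  # terminal ID ends with the machine
        elif token == "text":
            current["text"] = ",".join(fields[1:])
        elif token == "return" and len(fields) >= 2:
            current["status"] = fields[1]
    return records

def failed_logins(records):
    """Count failures per (user, host); only an explicit return token counts."""
    counts = {}
    for r in records:
        if r["status"] is not None and r["status"].startswith("failure"):
            key = (r["user"], r["host"])
            counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for (user, host), n in failed_logins(parse_records(SAMPLE.splitlines())).items():
        print(f"{n} failed login(s) for {user} from {host}")
```

To run it over real data, pass the lines produced by the `auditreduce ... | praudit` pipeline from the message to `parse_records` in place of `SAMPLE`.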