> Before I start hacking on code, is there some other area of
> Solaris's security that should be leveraged to do this?
Yes.

> For example, are there any C2 audit events that collect
> information like this?

We like to call it Solaris Audit, C2 is very last century ;-)

Anyhow, a slight revision to what Jan said. If all you want is failed login attempts, then all you need in audit_control(4) is naflags:lo. If you want both successful and failed, then flags:lo is also needed.

To set things up, you still need to run bsmconv(1M) and reboot. Configure audit_control as noted. If this is all the audit you're collecting, you could get away without running auditreduce. The command Jan showed will get you just sshd logins. If you care about all logins/su/screenlocks/... just run praudit to convert the binary to human (un)readable. If you're looking for just the IP address, praudit -r gets that untranslated. For IP addresses that can't be mapped to host names, praudit without the -r will just put them out in dot (or colon) form.

Gary..

P.S. Hope you had a good trip home. Enjoy the holidays....