Alas, if Darren is looking for a general solution, C2 auditing is very definitely not the norm in the customer base.
Jim

--- Gary Winiger wrote:

>> Before I start hacking on code, is there some other area of
>> Solaris's security that should be leveraged to do this?
>
> Yes.
>
>> For example, are there any C2 audit events that collect
>> information like this?
>
> We like to call it Solaris Audit, C2 is very last century ;-)
>
> Anyhow, a slight revision to what Jan said. If all you want
> is failed login attempts, then all you need in audit_control(4)
> is naflags:lo. If you want both successful and failed,
> then flags:lo is also needed.
>
> To set things up, you still need to run bsmconv(1M) and reboot.
> Configure audit_control as noted. If this is all the audit
> you're collecting, you could get away without running auditreduce.
> The command Jan showed will get you just sshd logins. If you care
> about all logins/su/screenlocks/... just run praudit to convert
> the binary to human (un)readable. If you're looking for just the
> IP address, praudit -r gets that untranslated. For IP addresses
> that can't be mapped to host names, praudit without the -r will
> just put them out in dot (or colon) form.
>
> Gary..
> P.S. Hope you had a good trip home. Enjoy the holidays....
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org
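The audit_control(4) settings Gary describes, as an added example that is not part of the thread: a POSIX shell helper that emits the audit_control content for either "failed logins only" (naflags:lo) or "failed and successful" (flags:lo plus naflags:lo), and a small check that reads an existing audit_control and reports which login events it will capture. The dir: and minfree: lines are assumed defaults, not something the thread states; the check only looks for the lo class in the flags:/naflags: lines and does not interpret +/- class prefixes.

```shell
#!/bin/sh
# Added example, not from the security-discuss thread. Assumes the
# audit_control(4) keywords the thread names: flags: (attributable
# events) and naflags: (non-attributable events, such as a failed
# login before a uid is known), with the "lo" class covering
# login/logout. dir: and minfree: values are assumed defaults.

# Emit an audit_control that records logins.
# $1 is "failed" (failed attempts only) or "all" (failed + successful).
audit_control_for() {
  printf 'dir:/var/audit\n'
  printf 'minfree:20\n'
  case "$1" in
    failed) printf 'naflags:lo\n' ;;
    all)    printf 'flags:lo\nnaflags:lo\n' ;;
    *)      echo "usage: audit_control_for failed|all" >&2; return 2 ;;
  esac
}

# Read an audit_control file on stdin and print which login events it
# captures: "all" (flags:lo and naflags:lo), "failed" (naflags:lo only)
# or "incomplete" (naflags:lo missing, so failed attempts are not kept).
# Note: a bare substring match on "lo"; +/- class prefixes are ignored.
login_audit_coverage() {
  na=0; fl=0
  while IFS= read -r line; do
    case "$line" in
      naflags:*lo*) na=1 ;;
      flags:*lo*)   fl=1 ;;
    esac
  done
  if [ "$na" -eq 1 ] && [ "$fl" -eq 1 ]; then
    echo all
  elif [ "$na" -eq 1 ]; then
    echo failed
  else
    echo incomplete
  fi
}

# Typical use on a Solaris host after bsmconv(1M) and a reboot, as the
# thread describes (commented out so the script runs anywhere):
#   audit_control_for all > /etc/security/audit_control
#   login_audit_coverage < /etc/security/audit_control
#   praudit -r /var/audit/*   # raw records, IP addresses untranslated
```

Feeding the generated file back through login_audit_coverage is a quick sanity check that the host will actually keep failed attempts; a file with flags:lo but no naflags:lo reports "incomplete", which is the common mistake the thread warns about.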