Gary Winiger wrote:
> ...
>> For example, are there any C2 audit events that collect
>> information like this?
>>
>
> We like to call it Solaris Audit, C2 is very last century ;-)
>
> Anyhow, a slight revision to what Jan said. If all you want
> is failed login attempts, then all you need in audit_control(4)
> is naflags:lo. If you want both successful and failed,
> then flags:lo is also needed.
>
> To set things up, you still need to run bsmconv(1M) and reboot.
> Configure audit_control as noted. If this is all the audit
> you're collecting, you could get away without running auditreduce.
> The command Jan showed will get you just sshd logins. If you care
> about all logins/su/screenlocks/... just run praudit to convert
> the binary to human (un)readable. If you're looking for just the
> IP address, praudit -r gets that untranslated. For IP addresses
> that can't be mapped to host names, praudit without the -r will
> just put them out in dot (or colon) form.
>
So we have event collection courtesy of Solaris Audit (:-), but what do we have for taking action when said events occur? Or, for that matter, a series of events? And how would this be done in real time?

It seems that auditd is writing the files, but I can't see which API would be used to read the data it writes?

Darren