Bugtraq mailing list archives

Re: wtmpx utility for solaris


From: darren.moffat () UK Sun COM (Darren J Moffat - Sun UK - Consultant Engineer)
Date: Tue, 31 Mar 1998 09:26:15 +0100




> There seems to be a problem with the wtmpx file for Solaris.  It doesn't log
> the full IPs of the users logging in, it truncates it somehow.
> Therefore,
> the 'last' utility is practically useless when trying to track down someone.

If you are concerned about tracking down login and attempted login
activity you would be MUCH better off enabling the BSM auditing features
and using the audit class lo as a minimum.

See the attached document for more details.


--
Darren J Moffat



Attachment: failed_logins

------------------------------------------------------------------------
Article 16472
Synopsis: Howto get a detailed failed login information
------------------------------------------------------------------------

Distribution: Public            Article type: Infodoc
Submitter: darrenm                      Country: UK

Status: Evaluated

Hardware: n/a
OS: any                                 Bug ID:
Prd area: Security                              Patch ID:
Product: BSM                            Release:

Interest list:

Submitted: Jan 21 1998  3:58AM          Total labor: 0 hrs 5 mins


Description
-----------
Using BSM auditing to log detailed information about all logins:

Turn on BSM auditing using /etc/security/bsmconv (see the AnswerBook
for full details).

If you are only interested in login data then specify
only the class `lo` on the flags: line of /etc/security/audit_control.


An example successful event for a remote login to a machine called braveheart
from a machine called hepcat:

| header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
| subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
| text,successful login


An example failed login event when coming in via ftp from newton:

| header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
| subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
| text,bad password
| return,failure,1

Similar records are generated for local logins, telnet, rlogin, rsh,
rexec, and ftp.

To find all of the login events for user darrenm in December 1997:

# auditreduce -a 19971201 -b +31d -u darrenm -c lo | praudit


If you only wish to log the failed events then specify -lo, e.g.
        flags: -lo
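The records above are what praudit prints, and the point of the article is that the subject token's terminal ID carries the full remote host name where wtmpx truncates it. The following is an added example (not part of the Infodoc or of Sun's tools) of parsing that comma-separated text output, as produced by a pipeline such as `auditreduce -a 19971201 -b +31d -c lo | praudit`, and summarising failed logins per (host, user). The sample input is constructed: the two records shown in the article plus three made-up failures; the event name "login - telnet" and the extra hosts and PIDs are assumptions, and the `LoginRecord` and function names are the example's own.

```python
"""Summarise failed logins from praudit(1M) text output (added example)."""

from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the two records from the article plus three made-up
# failure records (hosts, PIDs and "login - telnet" are assumptions), in the
# comma-separated text format praudit prints.  In practice this would be the
# output of:  auditreduce -a 19971201 -b +31d -c lo | praudit
PRAUDIT_OUTPUT = """\
header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
text,successful login
header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
text,bad password
return,failure,1
header,77,2,ftp access,,Wed Sep 03 16:57:02 1997, + 10012123 msec
subject,darrenm,darrenm,techies,darrenm,techies,1203,1203,0 20 newton
text,bad password
return,failure,1
header,82,2,login - telnet,,Wed Sep 03 17:01:44 1997, + 33215477 msec
subject,root,root,other,root,other,1290,1290,0 21 newton
text,bad password
return,failure,1
"""


@dataclass
class LoginRecord:
    event: str                 # header event name, e.g. "login - rlogin"
    when: str                  # header timestamp, kept as praudit printed it
    user: str = ""             # audit user ID (first subject field)
    host: str = ""             # host part of the subject's terminal ID: the
                               # field that wtmpx truncates and BSM keeps whole
    texts: list = field(default_factory=list)
    outcome: str = "unknown"   # "success" / "failure" from the return token


def parse_praudit(text):
    """Split praudit text output into one LoginRecord per header token."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<timestamp>, + <msec>
            current = LoginRecord(event=fields[3], when=fields[5].strip())
            records.append(current)
        elif current is None:
            continue  # tokens before the first header: nothing to attach to
        elif token == "subject":
            # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,"major minor host"
            current.user = fields[1]
            tid = fields[8].split()
            current.host = tid[-1] if tid else ""
        elif token == "text":
            current.texts.append(",".join(fields[1:]))  # text may contain commas
        elif token == "return":
            current.outcome = fields[1]  # "success" or "failure"
        # trailer and any other tokens carry nothing this summary needs
    # The article's successful rlogin record shows no return token, so fall
    # back on the text token for records that lack one.
    for rec in records:
        if rec.outcome == "unknown" and any("successful" in t for t in rec.texts):
            rec.outcome = "success"
    return records


def failed_logins_by_host(records):
    """Count failure records per (host, user), the view 'last' cannot give."""
    counts = Counter()
    for rec in records:
        if rec.outcome == "failure":
            counts[(rec.host, rec.user)] += 1
    return counts


if __name__ == "__main__":
    for (host, user), n in failed_logins_by_host(parse_praudit(PRAUDIT_OUTPUT)).items():
        print(f"{n:4d} failed login(s) for {user} from {host}")
```

To use it on a live system, replace the constructed `PRAUDIT_OUTPUT` with the output of the auditreduce/praudit pipeline; the host field is taken as the last whitespace-separated word of the terminal ID, so it works whether praudit prints a host name or an address there.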


Note: BSM auditing is not restricted to information about logins;
for more information see the BSM section in the AnswerBook and read
the following manual pages:

audit_control(4), auditreduce(1M), praudit(1M), auditd(1M), bsmconv(1M)




Solution
--------


Internal Solution
-----------------



