Re: wtmpx utility for solaris

Darren J Moffat - Sun UK - Consultant Engineer (darren.moffat@UK.SUN.COM)
Tue, 31 Mar 1998 09:26:15 +0100


> There seems to be a problem with the wtmpx file for Solaris. Doesn't log
> the full IPs of the users logging in, it truncates it somehow. Therefore,
> the 'last' utility is practically useless when trying to track down someone.

If you are concerned about tracking down login and attempted login
activity you would be MUCH better off enabling the BSM auditing features
and using the audit class lo as a minimum.

See the attached document for more details.

--
Darren J Moffat

Attachment: failed_logins

------------------------------------------------------------------------
Article 16472
Synopsis: How to get detailed failed login information
------------------------------------------------------------------------

Distribution: Public
Article type: Infodoc
Submitter: darrenm
Country: UK

Status: Evaluated

Hardware: n/a
OS: any
Bug ID:
Prd area: Security
Patch ID:
Product: BSM
Release:

Interest list:

Submitted: Jan 21 1998 3:58AM
Total labor: 0 hrs 5 mins

Description
-----------
Using BSM auditing to log detailed information about all logins:

Turn on BSM auditing using /etc/security/bsmconv (see answerbook for full details).

If you are only interested in login data then specify only the class `lo` on the flags: line of /etc/security/audit_control. Login failures that cannot be attributed to a known user (for example a bad user name) are controlled by the naflags: line, so set naflags:lo as well if you want those recorded.

An example successful event for a remote login to a machine braveheart from a machine called hepcat:

header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
text,successful login

An example failed login event when coming in via ftp from newton:

header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
text,bad password
return,failure,1

Similar records are generated for local logins, telnet, rlogin, rsh, rexec, and ftp.

To find all of the login events for user darrenm in December 1997:

# auditreduce -a 19971201 -b +31d -u darrenm -c lo | praudit

If you only wish to log the failed events then specify -lo, e.g. flags: -lo
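As an added worked example (not part of this infodoc or of any Sun tool), the following Python script reads praudit output of the kind shown above, pairs each header token with its subject, text and return tokens, and reports every login record with its outcome before counting repeated failures per source host and user. It relies on the default praudit layout (one token per line, comma-separated fields) and on the last field of the subject token being the terminal id, whose final word is the originating host, as in "24 5 hepcat". The sample data is constructed: the first two records are the ones quoted above (with a return,success,0 token added to the rlogin record, which the article shows without one), and the remaining three are made up to show repeated failures from one host.

```python
"""Summarize BSM login (class lo) records from praudit(1M) text output.

Added example, not part of the original infodoc.  Assumes the default
praudit layout: one token per line, comma-separated fields, each record
starting with a 'header' token.  Typical use on the audited host:

    # auditreduce -a 19971201 -b +31d -c lo | praudit | python3 lo_report.py -
"""
import sys
from collections import Counter

# Constructed sample.  Records 1 and 2 are the ones quoted in the article
# (a 'return,success,0' token has been added to the rlogin record, which
# the article shows without one); records 3 to 5 are made up, reusing the
# event names and numbers from the article, to show repeated failures.
SAMPLE_PRAUDIT = """\
header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
text,successful login
return,success,0
header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
text,bad password
return,failure,1
header,77,2,ftp access,,Wed Sep 03 16:56:41 1997, + 101178483 msec
subject,darrenm,darrenm,techies,darrenm,techies,1201,1201,0 20 newton
text,bad password
return,failure,1
header,77,2,ftp access,,Wed Sep 03 17:02:10 1997, + 5001178 msec
subject,root,root,other,root,other,1300,1300,0 20 newton
text,bad password
return,failure,1
header,81,2,login - rlogin,,Wed Sep 03 17:05:55 1997, + 7001178 msec
subject,darrenm,darrenm,techies,darrenm,techies,1310,1310,24 5 hepcat
text,successful login
return,success,0
"""


def parse_praudit(text):
    """Group praudit token lines into records.

    Returns a list of dicts with keys event, time, user, host, outcome, text.
    A record with no return token keeps outcome 'unknown'.
    """
    records = []
    cur = None
    for line in text.splitlines():
        fields = line.split(",")
        tok = fields[0]
        if tok == "header" and len(fields) > 5:
            cur = {"event": fields[3], "time": fields[5].strip(),
                   "user": None, "host": None,
                   "outcome": "unknown", "text": ""}
            records.append(cur)
        elif cur is None:
            continue                      # stray tokens before the first header
        elif tok == "subject" and len(fields) > 8:
            cur["user"] = fields[1]       # audit user ID
            tid = fields[8].split()       # terminal id: "major minor hostname"
            cur["host"] = tid[-1] if tid else None
        elif tok == "text":
            cur["text"] = ",".join(fields[1:])   # free text may contain commas
        elif tok == "return":
            cur["outcome"] = fields[1]    # 'success' or 'failure'
    return records


def failures_by_host(records):
    """Count failed login records per (source host, audit user) pair."""
    counts = Counter()
    for r in records:
        if r["outcome"] == "failure":
            counts[(r["host"], r["user"])] += 1
    return counts


def events_for_user(records, user):
    """Post-hoc equivalent of the 'auditreduce -u user' selection."""
    return [r for r in records if r["user"] == user]


def main(text):
    recs = parse_praudit(text)
    for r in recs:
        print("%-24s %-8s %-8s %-8s %s" % (r["time"], r["outcome"],
                                          r["host"], r["user"], r["event"]))
    print()
    for (host, user), n in failures_by_host(recs).most_common():
        print("%d failure(s) from %s as %s" % (n, host, user))


if __name__ == "__main__":
    # Pass '-' to read praudit output from stdin; otherwise use the sample.
    main(sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_PRAUDIT)
```

Because praudit prints the originating host in the subject token, the script recovers exactly the source information that the truncated wtmpx entries in the original complaint lose. On a real system check that your praudit version emits the same field order before relying on the column indices; praudit -d lets you change the delimiter if host or text fields contain commas.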

Note: BSM auditing is not restricted to information about logins; for more information see the BSM section in the Answerbook and read the following manual pages:

audit_control(4), auditreduce(1M), praudit(1M), auditd(1M), bsmconv(1M)
