> There seems to be a problem with the tmpx file for solairs. Doesn't log
> the full IP's of the users loging in, it truncates it somehow.
Therefore,
> the 'last' utility is praticly useless when trying to track down someone.
If you are concerned about tracking down login and attempted login
activity you would be MUCH better of enabling the BSM auditing features
and using the audit class lo as a minimum.
See the attatched document, for more details.
-- Darren J Moffat
--Boundary_(ID_cJjowCeqRRbO1FVXCGWDpQ) Content-type: TEXT/plain; x-unix-mode=0640; charset=us-ascii; name=failed_logins Content-description: failed_logins Content-disposition: ATTACHMENT; FILENAME=failed_logins Content-MD5: 3053rFJAt15FnNWAQCA55A==
------------------------------------------------------------------------ Article 16472 Synopsis: Howto get a detailed failed login information ------------------------------------------------------------------------
Distribution: Public Article type: Infodoc Submitter: darrenm Country: UK
Status: Evaluated
Hardware: n/a OS: any Bug ID: Prd area: Security Patch ID: Product: BSM Release:
Interest list:
Submitted: Jan 21 1998 3:58AM Total labor: 0 hrs 5 mins
Description ----------- Using BSM auditing to log detailed information about all logins:
Turn on BSM auditing using /etc/security/bsmconv (see answerbook for full details).
If you are only interested in login data then specify only the class `lo` on the flags: line of /etc/security/audit_control.
An example successful event for a remote login to a machine braveheart from a machine called hepcat:
| header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec | subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat | text,successful login
An example failed login event when comming in via ftp from netwon:
| header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec | subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton | text,bad password | return,failure,1
Simialar records are generated for local logins, telnet, rlogin, rsh, rexec, and ftp.
To find all of the login events for user darrenm in December 1997:
# auditreduce -a 19971201 -b +31d -u darrenm -c lo | praudit
If you only wish to log the failed events then specify -lo eg. flags: -lo
Note: BSM auditing is not resticted to information about logins, for more information see the BSM section in the Answerbook and read the following manual pages:
audit_control(4), auditreduce(1M), praudit(1M), auditd(1M), bsmconv(1M)
Solution --------
Internal Solution -----------------
--Boundary_(ID_cJjowCeqRRbO1FVXCGWDpQ)--