> There seems to be a problem with the tmpx file for Solaris. Doesn't log
> the full IPs of the users logging in, it truncates it somehow. Therefore,
> the 'last' utility is practically useless when trying to track down someone.

If you are concerned about tracking down login and attempted login activity
you would be MUCH better off enabling the BSM auditing features and using
the audit class lo as a minimum. See the attached document for more details.

--
Darren J Moffat

[Attachment: failed_logins]

------------------------------------------------------------------------
Article 16472
Synopsis: How to get detailed failed login information
------------------------------------------------------------------------

Distribution: Public
Article type: Infodoc
Submitter: darrenm
Country: UK
Status: Evaluated
Hardware: n/a
OS: any
Bug ID:
Prd area: Security
Patch ID:
Product: BSM
Release:
Interest list:
Submitted: Jan 21 1998 3:58AM
Total labor: 0 hrs 5 mins

Description
-----------

Using BSM auditing to log detailed information about all logins:

Turn on BSM auditing using /etc/security/bsmconv (see the AnswerBook for full
details). If you are only interested in login data then specify only the
class `lo` on the flags: line of /etc/security/audit_control.
An example successful event for a remote login to a machine braveheart from a
machine called hepcat:

  | header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
  | subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
  | text,successful login

An example failed login event when coming in via ftp from newton:

  | header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
  | subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
  | text,bad password
  | return,failure,1

Similar records are generated for local logins, telnet, rlogin, rsh, rexec,
and ftp.

To find all of the login events for user darrenm in December 1997:

  # auditreduce -a 19971201 -b +31d -u darrenm -c lo | praudit

If you only wish to log the failed events then specify -lo, e.g.

  flags: -lo

Note: BSM auditing is not restricted to information about logins; for more
information see the BSM section in the AnswerBook and read the following
manual pages: audit_control(4), auditreduce(1M), praudit(1M), auditd(1M),
bsmconv(1M)

Solution
--------

Internal Solution
-----------------
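The praudit output shown above is line-oriented: each record starts at a
header token, the subject token's last field (the terminal id) carries the
source host that the original poster could not get out of wtmpx, and the
return token says whether the login failed. The script below is an added
example, not part of the infodoc or of any Sun tool. It groups praudit token
lines into records and counts failed logins per user and source host. The
sample input is constructed from the two records in the infodoc; the
return,success,0 token on the first record and the third (telnet) record are
assumed for illustration.

```python
"""Summarise BSM login records from praudit(1M) text output.

Added example, not part of the original infodoc. Reads the comma-separated
token lines praudit prints for lo-class records, groups them into events and
reports failed logins per user and source host. Run praudit on the output of
auditreduce and pipe it in, or run stand-alone to use the constructed sample.
"""
import sys
from collections import Counter

# Constructed sample praudit output: the two records from the infodoc plus a
# hypothetical failed telnet login. The return,success,0 token on the first
# record is assumed; the infodoc's listing omits it.
SAMPLE = """\
header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
text,successful login
return,success,0
header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
text,bad password
return,failure,1
header,77,2,login - telnet,,Wed Sep 03 17:01:12 1997, + 12345678 msec
subject,-1,-1,-1,-1,-1,1234,1234,0 21 newton
text,invalid user name
return,failure,1
"""


def parse_records(text):
    """Group praudit token lines into records; a record starts at 'header'."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,len,version,event-name,,timestamp, + msec
            current = {"event": fields[3], "time": fields[5],
                       "user": None, "host": None, "failed": False}
            records.append(current)
        if current is None:
            continue  # tokens before the first header are ignored
        if token == "subject" and len(fields) > 8:
            # subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid
            # tid is "major minor host"; the host is what we want
            current["user"] = fields[1]
            current["host"] = fields[8].split()[-1]
        elif token == "return" and len(fields) > 1:
            current["failed"] = fields[1] == "failure"
        elif token == "text" and len(fields) > 1:
            current["text"] = fields[1]
    return records


def failed_logins(records):
    """Return only the records whose return token reported failure."""
    return [r for r in records if r["failed"]]


def failures_by_user_host(records):
    """Count failed logins keyed by (audit user, source host)."""
    return Counter((r["user"], r["host"]) for r in failed_logins(records))


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    recs = parse_records(data)
    for (user, host), n in failures_by_user_host(recs).most_common():
        print(f"{n:4d} failed login(s) for user {user!r} from {host}")
    for r in failed_logins(recs):
        print(f"  {r['time']}  {r['event']}  {r.get('text', '')}")
```

Unlike the truncated wtmpx entries, the host in the subject token comes
straight from the audit record, so the same grouping works for rlogin, telnet
and ftp events alike; a user of -1 marks attempts that never matched a local
account.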
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:47:40 PDT