I'm trying to identify how ssh 4.5 interacts with the audit subsystem within AIX
5.3.  I get an event when a user logs in, but not when they exit via ssh.  I can
get it to work with telnet, however.  It would seem to me that if an event is
captured from the login, the same would be true for the logout.  I've
opened a PMR with IBM, but I'm not getting very much help.
Below is an example of my /etc/security/audit/config file:
start:
        binmode = off
        streammode = on
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
stream:
        cmds = /etc/security/audit/streamcmds
classes:
        default = login
        init = USER_Login, USER_Logout, USER_Exit, USER_Logout
users:
        root = init,default
==========================
Below is the output from /audit/stream.out:
#:/etc/security/audit # tail -f /audit/stream.out
event           login    status      time                     command
--------------- -------- ----------- ------------------------ -------------------------------
USER_Login      root     OK          Wed Dec 06 13:39:17 2006 sshd
 
Ryan Robertson wrote:
> I'm trying to identify how ssh 4.5 interacts with the audit subsystem
> within AIX 5.3. I get an event when a user logs in, but not when
> they exit via ssh. I can get it to work with telnet, however. It
> would seem to me that if an event is captured from the login, the
> same would be true for the logout. I've opened a PMR with IBM, but I'm
> not getting very much help.

There's no code in sshd to specifically support the audit interface on AIX, so I suspect that the records you see are generated by the "loginsuccess" call which sshd makes. The API docs[1] make no mention of a corresponding logout function (although now I see that the audit redbook[2] makes mention of one, but I can't find any information about it).

[1] http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/genprogc/ls_sec_audit_subrs.htm
[2] http://www.redbooks.ibm.com/redbooks/pdfs/sg246020.pdf

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
The only way I was able to get any sort of record of a logout was by adding "USER_Exit" to /etc/security/audit/config. I'm still not convinced that that is the proper field. Even if it is, then what does USER_Logout do? It may be the "logout" command, which, if called from any remote connection, fails since it's not "on the login terminal." Of course I get no response from IBM.

I did notice an entry for rlogind/telnetd in /etc/security/audit/events. Perhaps there is some API that can be used for ssh? Is this something that could be added?

-Ryan
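The practical consequence of the thread above is that an AIX stream.out can contain USER_Login records for ssh sessions that never get a matching logout record, so any monitoring that pairs logins with logouts has to tolerate the gap rather than assume one. The script below is an added example, not code from the original posts or from OpenSSH: it reads records in the column layout shown in the stream.out excerpt (event, login, status, time, command), counts successful USER_Login and USER_Exit records per user, and reports users with more logins than exits. The sample records are constructed for the example; in particular the USER_Exit lines assume the same column layout as the USER_Login line on the page, which is an assumption, not something the thread confirms.

```sh
#!/bin/sh
# Added example (not from the original thread): pair USER_Login with
# USER_Exit records from an AIX audit stream.out and report users whose
# successful logins outnumber their exits.  Such users have sessions
# with no recorded end, which is exactly the ssh gap discussed above.

# Constructed sample in the stream.out layout shown on the page.
# The USER_Exit lines are an assumption about how an exit record would
# look; the thread itself only shows a USER_Login line.
SAMPLE_AUDIT='event           login    status      time                     command
--------------- -------- ----------- ------------------------ ----------
USER_Login      root     OK          Wed Dec 06 13:39:17 2006 sshd
USER_Login      ryan     OK          Wed Dec 06 13:40:02 2006 sshd
USER_Exit       ryan     OK          Wed Dec 06 13:52:41 2006 sshd
USER_Login      ryan     OK          Wed Dec 06 14:01:10 2006 telnetd
USER_Login      root     FAIL        Wed Dec 06 14:03:33 2006 sshd'

# Reads stream.out records on stdin.  Prints "<user> <count>" for every
# user with more successful USER_Login records than USER_Exit records.
# Field 1 is the event name, field 2 the login name, field 3 the status;
# the header and separator lines are skipped because their status field
# is not "OK".  Failed logins are ignored since they open no session.
unmatched_logins() {
    awk '
        $3 != "OK"         { next }
        $1 == "USER_Login" { logins[$2]++ }
        $1 == "USER_Exit"  { exits[$2]++ }
        END {
            for (u in logins)
                if (logins[u] > exits[u] + 0)
                    printf "%s %d\n", u, logins[u] - exits[u]
        }
    ' | sort
}

# Stand-alone run over the constructed sample.  Expected: root has one
# successful login and no exit, ryan has two logins and one exit.
printf '%s\n' "$SAMPLE_AUDIT" | unmatched_logins
```

Against a live system you would feed the script with `tail -f /audit/stream.out` or a saved copy of the trail; the point is that a non-zero count for a user is not necessarily a lingering session, because an ssh logout may simply never have produced a record.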