Christian Winter
2009-Sep-18 06:02 UTC
Selective and efficient logging of auth/connection information
Hello everyone, this is my first mail to the list, please forgive me if some of my questions have been asked before.

I'm currently thinking about a way to implement an efficient logging method for authentication results together with client connection info on my linux boxes. My aim is to circumvent expensive and delayed mechanisms like tail()ing syslog to get to the required info and be able to take appropriate action (like blocking a host via the firewall) as quickly as possible.

So I thought about implementing a simple daemon that listens on a Unix Fifo and gets fed the necessary parts from opensshd in a concise single-line format. The reason for using a Fifo is simply speed, but I'm not a hundred percent sure yet whether a local socket might be a better approach (I have to play the different locking/blocking/timing scenarios through my head).

Digging through the sources I stumbled over the audit modules and thought about hooking into that, but it seems that there are two downsides to that approach:

- It looks as if audit doesn't really have access to the client connection information at the time it can log connection info
- I don't see a way to add configuration parameters for audit modules to sshd_config without patching the main source (readconf/serverconf)

But maybe the things I want are already there and I'm just overlooking them; if so, I'd be grateful for any pointers in the right direction. If it's not there, I'd be willing to invest some time to add the necessary functionality and would welcome all thoughts about the correct approach.

Best Greetings
-Chris
Peter Stuge
2009-Sep-18 12:22 UTC
Selective and efficient logging of auth/connection information
Christian Winter wrote:
> aim is to circumvent expensive and delayed mechanisms like
> tail()ing syslog to get to the required info
> and be able to take appropriate action (like blocking
> a host via the firewall) as quick as possible.
>
> So I thought about implementing a simple daemon that listens on a
> Unix Fifo and gets fed

The above is exactly what syslog does. There are many different syslogds out there; I particularly like syslog-ng because it's easy to create filters, and it can log selectively to pipes. This makes it very easy to accomplish what you want.

> the necessary parts from opensshd in a concise single-line format.

So this would be the real addition - that sshd contains policy on what the system should do. This has been brought up several times, and always rejected for good reason; it's not the job of sshd to implement e.g. a firewall policy.

//Peter
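The consumer side of the setup Peter describes, as an added example that is not code from either poster: it assumes syslog-ng filters `program("sshd")` into a `pipe()` destination, and a small Python reader turns each auth-result line into the concise single-line record Christian asked for while counting failures per source address (the pipe path and the sample log lines are constructed).

```python
import re
from collections import Counter

# sshd's auth-result message form (assumption: the usual OpenSSH wording
# "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>").
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_auth_line(line):
    """Reduce one syslog line from sshd to a dict, or None if it is not an auth result."""
    if "sshd[" not in line:
        return None
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {"result": m.group("result").lower(), "method": m.group("method"),
            "user": m.group("user"), "invalid_user": m.group("invalid") is not None,
            "ip": m.group("ip"), "port": int(m.group("port"))}

def to_single_line(rec):
    """The concise single-line format: result method user ip port."""
    return "{result} {method} {user} {ip} {port}".format(**rec)

def process_stream(lines, threshold=3):
    """Consume lines as delivered on the syslog-ng pipe; return the parsed records
    and the set of source IPs that reached `threshold` failed attempts."""
    failures, records, flagged = Counter(), [], set()
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        records.append(rec)
        if rec["result"] == "failed":
            failures[rec["ip"]] += 1
            if failures[rec["ip"]] >= threshold:
                flagged.add(rec["ip"])
    return records, flagged

# Constructed sample in the shape syslog-ng writes with its default template.
SAMPLE = [
    "Sep 18 06:02:01 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
    "Sep 18 06:02:05 host sshd[1240]: Failed password for invalid user bob from 198.51.100.7 port 40000 ssh2",
    "Sep 18 06:02:06 host sshd[1241]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Sep 18 06:02:07 host sshd[1242]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "Sep 18 06:02:09 host sshd[1243]: Connection closed by 198.51.100.7",
]

if __name__ == "__main__":
    # In production replace SAMPLE with open("/var/run/sshd-auth.fifo") (assumed pipe path).
    recs, flagged = process_stream(SAMPLE)
    for r in recs:
        print(to_single_line(r))
    print("flagged:", sorted(flagged))
```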