On 29 June 2011, at 17:11, Lev Serebryakov wrote:
> Even more, such command doesn't show anything about user login via
> ssh:
>
> auditreduce -m AUE_login /dev/auditpipe0 | praudit
>
> Yes, I have "lo" class enabled for all users, and, yes,
>
> auditreduce -r USER /dev/auditpipe0 | praudit
>
> shows activity after login...
# praudit -l /dev/auditpipe0
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
../..
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,
You see "OpenSSH login" as the event's name. That's what you need
to look for:
# grep "OpenSSH login" /etc/security/audit_event
32800:AUE_openssh:OpenSSH login:lo
so, you must try:
# auditreduce -m AUE_openssh /dev/auditpipe0 | praudit
But I don't get good results with that command. It looks like auditreduce
waits for a good number of events before sending the result to stdout. This will
show your logins:
# auditreduce -m AUE_openssh /var/audit/current | praudit
patpro
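The event lookup the reply describes (AUE_ name to description via /etc/security/audit_event, then matching the "OpenSSH login" records), as an added example that is not part of this mail or of FreeBSD's audit tools. It does the same selection as `auditreduce -m AUE_openssh` on saved `praudit -l` text, so it works on a trail file or on pasted output and does not block waiting for an audit pipe. Assumptions: the audit_event excerpt holds only the one line quoted in the mail; the sample records are the three quoted above, re-joined one per line with the subject fields still redacted; the `ssh_sessions` pairing of logins with "logout - local" records goes beyond the mail and only recognises the two text strings it shows ("successful login USER", "sshd logout USER").

```python
"""Added example: select OpenSSH login records from praudit -l output.

Not part of the original mail. Re-implements the audit_event lookup that
auditreduce -m performs, on text, so it runs on a saved trail or pasted output."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three records quoted in the mail, re-joined to one
# line each. The subject_ex fields were redacted ("*******") in the mail.
SAMPLE_PRAUDIT = """\
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,
"""

# Constructed excerpt of /etc/security/audit_event (number:name:description:class).
# Only the AUE_openssh line is taken from the mail; nothing else is assumed.
SAMPLE_AUDIT_EVENT = """\
# Format: number:name:description:class
32800:AUE_openssh:OpenSSH login:lo
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # the timestamp format praudit prints


def load_audit_event(text: str) -> Dict[str, str]:
    """Map AUE_* identifier -> description, e.g. AUE_openssh -> 'OpenSSH login'."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _num, name, desc, _cls = line.split(":", 3)
        table[name] = desc
    return table


def parse_record(line: str) -> Optional[dict]:
    """Parse one praudit -l record (comma-separated tokens); None if not a record."""
    tok = line.rstrip(",").split(",")
    if len(tok) < 7 or tok[0] != "header":
        return None
    when = datetime.strptime(tok[5].strip(), TIME_FMT)
    msec = re.search(r"(\d+)\s*msec", tok[6])
    if msec:
        when += timedelta(milliseconds=int(msec.group(1)))
    rec = {"event": tok[3], "time": when, "text": None, "return": None}
    body = tok[7:]
    i = 0
    while i < len(body):
        if body[i] == "text" and i + 1 < len(body):
            rec["text"] = body[i + 1]
            i += 2
        elif body[i] == "return" and i + 2 < len(body):
            rec["return"] = (body[i + 1], body[i + 2])  # (status, value)
            i += 3
        else:
            i += 1
    return rec


def select_events(praudit_text: str, audit_event_text: str, aue_name: str) -> List[dict]:
    """Keep records whose description matches aue_name, like 'auditreduce -m aue_name'."""
    desc = load_audit_event(audit_event_text)[aue_name]
    recs = (parse_record(ln) for ln in praudit_text.splitlines())
    return [r for r in recs if r and r["event"] == desc]


def ssh_sessions(praudit_text: str) -> List[Tuple[str, datetime, Optional[datetime]]]:
    """Pair each successful 'OpenSSH login' with the next 'logout - local' for that user.

    Assumption: only the text strings seen in the mail are recognised
    ('successful login USER', 'sshd logout USER'). A login with no logout yet
    is reported with logout None.
    """
    open_sessions: Dict[str, List[datetime]] = {}
    done: List[Tuple[str, datetime, Optional[datetime]]] = []
    for line in praudit_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        if rec["event"] == "OpenSSH login":
            m = re.fullmatch(r"successful login (\S+)", rec["text"] or "")
            if m and rec["return"] and rec["return"][0] == "success":
                open_sessions.setdefault(m.group(1), []).append(rec["time"])
        elif rec["event"] == "logout - local":
            m = re.fullmatch(r"sshd logout (\S+)", rec["text"] or "")
            if m and open_sessions.get(m.group(1)):
                done.append((m.group(1), open_sessions[m.group(1)].pop(0), rec["time"]))
    for user, starts in open_sessions.items():
        done.extend((user, t, None) for t in starts)
    return done


if __name__ == "__main__":
    for r in select_events(SAMPLE_PRAUDIT, SAMPLE_AUDIT_EVENT, "AUE_openssh"):
        print(r["time"], r["event"], r["text"], r["return"])
    for user, start, end in ssh_sessions(SAMPLE_PRAUDIT):
        print(f"{user}: {start} -> {end}")
```

To run it on a real trail, feed it `praudit -l /var/audit/current` output and the real /etc/security/audit_event instead of the embedded samples; the lookup then resolves whatever description the local file assigns to AUE_openssh rather than relying on the string "OpenSSH login".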