ssh 4.x using aix 5.3 auditing

Darren Tucker dtucker at zip.com.au
Fri Dec 8 21:24:25 EST 2006


Ryan Robertson wrote:
> The only way I was able to get any sort of record of a logout was
> when adding "USER_Exit" to /etc/security/audit/config.  I'm still not
> convinced that that is the proper field.  Even if it is, then what does
> USER_Logout do?

No idea.  All the pdf I referenced earlier says is:

USER/SYSTEM      AUDIT EVENT  Description
logout           USER_Logout  Calls to the logout subroutine.
[and elsewhere]
rlogind/telnetd  USER_Exit

> It may be the "logout" command, which if called from
> any remote connection, fails since it's not "on the login terminal."

That's interesting because it doesn't happen here ("logout" works with 
and without "UseLogin yes" in sshd_config).

> Of course I get no response from IBM. I did notice an entry for
> rlogind/telnetd in /etc/security/audit/events.

I looked briefly at the AIX audit documentation when we incorporated the 
Sun BSM audit code to see if it could be supported but could not figure 
it out at the time.

> Perhaps there is some
> API that can be used for ssh?  Is this something that could be added?

Maybe, but I'm not sure how.  I would guess that you build the 
appropriate structures and pass them to either auditwrite or auditlog 
but I've never seen any details on it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list