ssh 4.x using aix 5.3 auditing
Darren Tucker
dtucker at zip.com.au
Fri Dec 8 21:24:25 EST 2006
Ryan Robertson wrote:
> The only way I was able to get any sort of record of a logout was
> when adding "USER_Exit" to /etc/security/audit/config. I'm still not
> convinced that that is the proper field. Even if it is, then what does
> USER_Logout do?
No idea. All the pdf I referenced earlier says is:
USER/SYSTEM       AUDIT EVENT    Description
logout            USER_Logout    Calls to the logout subroutine.
[and elsewhere]
rlogind/telnetd   USER_Exit
> It may be the "logout" command, which if called from
> any remote connection, fails since it's not "on the login terminal."
That's interesting because it doesn't happen here ("logout" works with
and without "UseLogin yes" in sshd_config).
> Of course I get no response from IBM. I did notice an entry for
> rlogind/telnetd in /etc/security/audit/events.
I looked briefly at the AIX audit documentation when we incorporated the
Sun BSM audit code to see if it could be supported but could not figure
it out at the time.
> Perhaps there is some
> API that can be used for ssh? Is this something that could be added?
Maybe, but I'm not sure how. I would guess that you build the
appropriate structures and pass them to either auditwrite or auditlog
but I've never seen any details on it.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.