More questions about audit

Patrick Proniewski patpro at patpro.net
Wed Jun 29 20:04:23 UTC 2011


On 29 juin 2011, at 17:11, Lev Serebryakov wrote:

> Even more, such command doesn't show anything about user login via
> ssh:
> 
> auditreduce -m AUE_login /dev/auditpipe0 | praudit
> 
> Yes, I have "lo" class enabled for all users, and, yes,
> 
> auditreduce -r USER /dev/auditpipe0 | praudit
> 
> shows activity after login...

# praudit -l /dev/auditpipe0
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
../..
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,

You see "OpenSSH login" as the event's name. That's what you need to look for:

# grep "OpenSSH login" /etc/security/audit_event 
32800:AUE_openssh:OpenSSH login:lo

So, you must try:

# auditreduce -m AUE_openssh /dev/auditpipe0 | praudit

But I don't get good results with that command. It looks like auditreduce waits for a good amount of events before sending the result to stdout. This will show your logins:

# auditreduce -m AUE_openssh /var/audit/current | praudit



patpro
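An added example, not part of this thread: a small Python script that does what the reply does by hand, namely resolve the description printed in the praudit header token ("OpenSSH login") to the AUE_ name that auditreduce -m expects via the /etc/security/audit_event table, and then pick the "lo" class records out of praudit -l output. The audit_event excerpt and the records are constructed for the example (modelled on the thread's records; the subject_ex fields the poster masked, the failed-login record and the addresses are invented), so it runs offline without the BSM tools.

```python
"""Resolve praudit event descriptions to AUE_ names and filter login-class
records from praudit -l output.  Added example, not from the thread;
all sample data below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt of /etc/security/audit_event: number:AUE_name:description:classes
SAMPLE_AUDIT_EVENT = """\
# event number : event name : description : class mask
6152:AUE_login:login - local:lo
6153:AUE_logout:logout - local:lo
23:AUE_EXECVE:execve(2):pc,ex
32800:AUE_openssh:OpenSSH login:lo
"""

# Constructed praudit -l output (one record per line), modelled on the thread.
# The subject_ex fields are invented; the thread masked them.
SAMPLE_PRAUDIT = """\
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,patpro,patpro,wheel,patpro,wheel,1234,1234,0,192.0.2.10,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,HOME=/home/patpro,return,success,0,trailer,481,
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,patpro,patpro,wheel,patpro,wheel,1234,1234,0,192.0.2.10,text,sshd logout patpro,return,success,0,trailer,94,
header,99,11,OpenSSH login,0,Wed Jun 29 21:30:02 2011, + 12 msec,subject_ex,root,mallory,wheel,root,wheel,1300,1300,0,198.51.100.7,text,failed login mallory,return,failure : Operation not permitted,1,trailer,99,
"""


@dataclass(frozen=True)
class AuditEvent:
    number: int
    name: str               # AUE_* identifier: the value auditreduce -m takes
    description: str        # text praudit prints in the header token
    classes: frozenset      # audit classes from the last column, e.g. {"lo"}


@dataclass
class Record:
    event: Optional[AuditEvent]   # None if the description is not in the table
    description: str
    timestamp: str
    msec: int
    text: str
    status: str

    @property
    def succeeded(self) -> bool:
        return self.status == "success"


def load_audit_event(table_text: str) -> Dict[str, AuditEvent]:
    """Index audit_event lines by their description column."""
    events = {}
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number, name, desc, classes = line.split(":", 3)
        events[desc] = AuditEvent(int(number), name, desc,
                                  frozenset(classes.split(",")))
    return events


def selector_for(events: Dict[str, AuditEvent], description: str) -> str:
    """The -m argument for auditreduce, given the name praudit showed."""
    return events[description].name


# header,<size>,<version>,<description>,<modifier>,<date>, + <msec> msec,<rest>
HEADER_RE = re.compile(
    r"^header,(\d+),(\d+),([^,]+),(\d+),([^,]+), \+ (\d+) msec,(.*)$")


def parse_record(line: str, events: Dict[str, AuditEvent]) -> Record:
    """Parse one praudit -l record; pull out the text and return tokens."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a praudit -l header line: %r" % line)
    desc, timestamp, msec, rest = m.group(3), m.group(5), int(m.group(6)), m.group(7)
    toks = rest.split(",")
    text = toks[toks.index("text") + 1] if "text" in toks else ""
    status = toks[toks.index("return") + 1] if "return" in toks else ""
    return Record(events.get(desc), desc, timestamp, msec, text, status)


def login_records(praudit_text: str, table_text: str,
                  audit_class: str = "lo") -> List[Record]:
    """Keep only records whose event belongs to the given audit class."""
    events = load_audit_event(table_text)
    out = []
    for line in praudit_text.splitlines():
        if not line.startswith("header,"):
            continue            # skip anything that is not a record line
        rec = parse_record(line, events)
        if rec.event is not None and audit_class in rec.event.classes:
            out.append(rec)
    return out


if __name__ == "__main__":
    table = load_audit_event(SAMPLE_AUDIT_EVENT)
    print("auditreduce -m", selector_for(table, "OpenSSH login"))
    for r in login_records(SAMPLE_PRAUDIT, SAMPLE_AUDIT_EVENT):
        print(r.timestamp, r.event.name, "OK" if r.succeeded else "FAIL", r.text)
```

The execve record is dropped because its classes are pc,ex rather than lo, which is the same selection the lo class mask in audit_control gives you; the failed login stays in and is flagged by its return token, which is the record a defender actually wants to see.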



