Re: Auditing user logins and logouts

From: Green, Simon (Simon.Green@EU.ALTRIA.COM)
Date: Tue Apr 06 2004 - 04:55:52 EDT


You can remove the audit of /etc/passwd reads by editing
/etc/security/audit/objects. /etc/passwd gets read all the time to
translate UID to a name, so a read audit of it is almost useless.
/etc/security/passwd is another matter! (I thought that you needed to have
the "objects" class in the classes stanza for this to apply. Apparently
not.)

Unfortunately, I believe that you have to add every single user to the audit
config. Worse than that: you need to take care maintaining it! Obviously
if a user isn't in there it won't get audited (except for file accesses,
which are global); you can add the audit groups to your user defaults,
though, in /etc/security/mkuser.*. If you have an entry in the config file
for a user which has been deleted, it can prevent the audit system from
starting. I had that problem a few years ago: it may have been fixed by
now.
In theory, if you maintain your users normally there won't be a problem. I
think my difficulties arose when I copied audit config files between systems
which were not *quite* identical.

Just as an observation: if the auditors just want to log login activity, why
not simply use bin mode, and archive your /audit/trail file? Also, in case
you hadn't realised, it is possible to use both bin mode and stream mode
together.

--
Simon Green
Altria ITSC Europe Ltd
AIX-L Archive at https://new-lists.princeton.edu/listserv/aix-l.html
New to AIX? http://publib-b.boulder.ibm.com/redbooks.nsf/portals/UNIX
N.B. Unsolicited email from vendors will not be appreciated.
Please post all follow-ups to the list.
> -----Original Message-----
> From: Willeat, Todd [mailto:TWilleat@MHP.SMHS.COM]
> Sent: 05 April 2004 21:20
> To: aix-l@Princeton.EDU
> Subject: Auditing user logins and logouts
>
>
> Hi all,
>
> My Security Administrator wants to log all logins/logouts for our AIX boxes
> to a syslog server. I have set the auditing config file as follows:
>
<SNIP>
>
> However, when checking the /audit/stream.out file, I get the following entry
> every few minutes:
>
>
> S_PASSWD_READ   root     root     Mon Apr 05 15:10:32 2004 OK   telnetd
> S_PASSWD_READ   root     root     Mon Apr 05 15:11:33 2004 OK   telnetd
> S_PASSWD_READ   root     root     Mon Apr 05 15:11:33 2004 OK   telnetd
> S_PASSWD_READ   root     root     Mon Apr 05 15:12:34 2004 OK   telnetd
> S_PASSWD_READ   root     root     Mon Apr 05 15:12:34 2004 OK   telnetd
>
> Apparently this means root is reading the /etc/security/passwd file. But
> nobody is logging in during these times (this is a test box). Does anyone
> know how to prevent this?
>
> Also, does anyone know if this can be set up for all users without listing
> each username individually?
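Simon's warning that a deleted user left in the audit config can stop the audit subsystem from starting, together with Todd's question about listing every user, suggests a routine maintenance check. The script below is an added example, not code from either poster or from AIX: it parses the users stanza of a constructed /etc/security/audit/config against a constructed passwd file and reports stale entries (users listed but no longer in passwd) and login users with no entry at all. The stanza layout, the UID 200 threshold for "login user", and treating a `default` entry as a keyword rather than a user are assumptions.

```shell
# Added example: cross-check the users stanza of an AIX audit config against
# passwd. A deleted user still listed there can keep the audit subsystem from
# starting; a login user missing from it is silently not audited. Inputs are
# constructed below; on a real box use /etc/security/audit/config and /etc/passwd.
WORK=${TMPDIR:-/tmp}/audit_check.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed audit config: "olduser" has already been removed from the box.
cat > "$WORK/config" <<'EOF'
classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename

users:
        root = general
        todd = general
        olduser = general
EOF

# Constructed passwd: "sgreen" is a login user with no audit entry.
cat > "$WORK/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
todd:!:201:1::/home/todd:/usr/bin/ksh
sgreen:!:202:1::/home/sgreen:/usr/bin/ksh
EOF

# Print the names in the "users:" stanza, one per line. Assumptions: a stanza
# runs from its "name:" header to the next header; "default" is a keyword, not a user.
audit_stanza_users() {
    awk '/^[a-z]+:[[:space:]]*$/ { in_users = ($1 == "users:"); next }
         in_users && /=/ && $1 != "default" {
             sub(/[[:space:]]*=.*/, ""); gsub(/[[:space:]]/, ""); print }' "$1"
}

# Names in the audit config that no longer exist in passwd.
stale_audit_users() {
    audit_stanza_users "$1" |
        awk -F: 'NR == FNR { have[$1] = 1; next } !($1 in have)' "$2" -
}

# Login accounts (UID >= 200 assumed to mean a real login user) with no entry.
unaudited_users() {
    audit_stanza_users "$1" |
        awk -F: 'NR == FNR { listed[$1] = 1; next }
                 $3 >= 200 && !($1 in listed) { print $1 }' - "$2"
}

echo "stale entries:";   stale_audit_users "$WORK/config" "$WORK/passwd"
echo "unaudited users:"; unaudited_users "$WORK/config" "$WORK/passwd"
```

Run it before restarting audit after copying config files between boxes, which is exactly the situation where the stale entries appear.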


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:48 EDT