Re: Auditing user logins and logouts

From: Willeat, Todd (TWilleat@MHP.SMHS.COM)
Date: Tue Apr 06 2004 - 13:16:25 EDT


Removing the objects files has taken care of the S_PASSWD_READ problem. I
was trying to use stream mode because I don't need to store the info locally
since it will be going to a syslog server. I do still have a problem though:

When a user logs in, the auditing system shows root running the tsm command,
and for logout (by typing exit), it also shows root because root runs the
telnetd process. Do you know of a way to show the login name for the user
logging in/out?

For example, I logged in as myself (twilleat) here:
USER_Login root OK Tue Apr 06 12:13:51 2004 tsm

USER_Exit root OK Tue Apr 06 12:13:53 2004 telnetd

-----Original Message-----
From: Green, Simon [mailto:Simon.Green@EU.ALTRIA.COM]
Sent: Tuesday, April 06, 2004 3:56 AM
To: aix-l@Princeton.EDU
Subject: Re: Auditing user logins and logouts

You can remove the audit of /etc/passwd reads by editing
/etc/security/audit/objects. /etc/passwd gets read all the time to
translate UID to a name, so a read audit of it is almost useless.
/etc/security/passwd is another matter! (I thought that you needed to have
the "objects" class in the classes stanza for this to apply. Apparently
not.)

Unfortunately, I believe that you have to add every single user to the audit
config. Worse than that: you need to take care maintaining it! Obviously,
if a user isn't in there it won't get audited (except for file accesses,
which are global); you can add the audit groups to your user defaults,
though, in /etc/security/mkuser.*. If you have an entry in the config file
for a user which has been deleted, it can prevent the audit system from
starting. I had that problem a few years ago: it may have been fixed by
now.
In theory, if you maintain your users normally there won't be a problem. I
think my difficulties arose when I copied audit config files between systems
which were not *quite* identical.

Just as an observation: if the auditors just want to log login activity, why
not simply use bin mode and archive your /audit/trail file? Also, in case
you hadn't realised, it is possible to use both bin mode and stream mode
together.

--
Simon Green
Altria ITSC Europe Ltd
AIX-L Archive at https://new-lists.princeton.edu/listserv/aix-l.html
New to AIX? http://publib-b.boulder.ibm.com/redbooks.nsf/portals/UNIX
N.B. Unsolicited email from vendors will not be appreciated.
Please post all follow-ups to the list.
> -----Original Message-----
> From: Willeat, Todd [mailto:TWilleat@MHP.SMHS.COM]
> Sent: 05 April 2004 21:20
> To: aix-l@Princeton.EDU
> Subject: Auditing user logins and logouts
>
>
> Hi all,
>
> My Security Administrator wants to log all logins/logouts for our AIX boxes
> to a syslog server. I have set the auditing config file as follows:
>
<SNIP>
>
> However, when checking the /audit/stream.out file, I get the following entry
> every few minutes:
>
> S_PASSWD_READ   root     root     Mon Apr 05 15:10:32 2004 OK telnetd
> S_PASSWD_READ   root     root     Mon Apr 05 15:11:33 2004 OK telnetd
> S_PASSWD_READ   root     root     Mon Apr 05 15:11:33 2004 OK telnetd
> S_PASSWD_READ   root     root     Mon Apr 05 15:12:34 2004 OK telnetd
> S_PASSWD_READ   root     root     Mon Apr 05 15:12:34 2004 OK telnetd
>
> Apparently this means root is reading the /etc/security/passwd file. But
> nobody is logging in during these times (this is a test box). Does anyone
> know how to prevent this?
>
> Also, does anyone know if this can be set up for all users without listing
> each username individually?
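The stream-mode records in this thread are going to a syslog server, and the thread shows two things a forwarder has to cope with: periodic S_PASSWD_READ chatter from telnetd that nobody asked for, and the login/logout records that are the actual requirement. The script below is an added example, written for this page and not code from the thread or from AIX; it filters auditpr-style stream records on stdin, drops known noise by event/program pair, and emits one normalised line per kept login event. It assumes the record layout visible in the quoted output (field 1 is the event name, field 2 the login name, the last field the program); the sample records are constructed from the thread plus two made-up lines (a PROC_Execute and a USER_Logout record, the latter an assumed event name); and the auditstream/auditpr/logger pipeline named in the comments is where such a filter would sit, not something the thread configured.

```shell
#!/bin/sh
# Added example, not from the thread: a filter for auditpr stream records
# that keeps only login/logout events and drops the S_PASSWD_READ noise,
# so that only the records the auditors asked for reach syslog.
#
# Assumptions (this script's own layout of the records, not AIX doc):
#   - one record per line; field 1 is the event name, field 2 the login
#     name, the last field the program, as in the lines quoted in the thread;
#   - a real pipeline would be "auditstream | auditpr | filter_audit |
#     logger -p auth.info -t aixaudit" in /etc/security/audit/streamcmds.

# Events to forward (space-separated); adjust to the site's audit classes.
# USER_Logout is assumed here; USER_Login and USER_Exit appear in the thread.
KEEP_EVENTS="USER_Login USER_Logout USER_Exit"
# event:program pairs known to be noise on this host.
DROP_PAIRS="S_PASSWD_READ:telnetd"

# Reads raw records on stdin, writes one normalised line per kept event.
filter_audit() {
    awk -v keep="$KEEP_EVENTS" -v drop="$DROP_PAIRS" '
    BEGIN {
        n = split(keep, k, " "); for (i = 1; i <= n; i++) keepev[k[i]] = 1
        n = split(drop, d, " "); for (i = 1; i <= n; i++) noise[d[i]] = 1
    }
    NF < 3 { next }                          # blank separator lines
    {
        ev = $1; login = $2; prog = $NF
        if ((ev ":" prog) in noise) next     # known chatter, drop silently
        if (ev in keepev)
            printf "%s login=%s prog=%s raw=\"%s\"\n", ev, login, prog, $0
    }'
}

# Constructed sample: records quoted in the thread plus a made-up
# PROC_Execute line (should be ignored) and a USER_Logout line (kept).
SAMPLE_RECORDS='S_PASSWD_READ   root     root     Mon Apr 05 15:10:32 2004 OK telnetd

S_PASSWD_READ   root     root     Mon Apr 05 15:11:33 2004 OK telnetd
USER_Login root OK Tue Apr 06 12:13:51 2004 tsm
PROC_Execute root OK Tue Apr 06 12:13:52 2004 ksh
USER_Exit root OK Tue Apr 06 12:13:53 2004 telnetd
USER_Logout twilleat OK Tue Apr 06 12:20:00 2004 getty'

# Runs the sample through the filter; the kept records go to stdout.
run_sample() {
    printf '%s\n' "$SAMPLE_RECORDS" | filter_audit
}

# Number of records the filter would forward for the sample.
count_kept() {
    run_sample | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
    run_sample
fi
```

Run it with `sh audit_filter.sh demo` to see the three login-related records survive while the S_PASSWD_READ and PROC_Execute lines are dropped. Note that the filter does nothing about the point Todd raises: the login name in a USER_Login or USER_Exit record produced by tsm or telnetd is whatever the audit subsystem recorded, so a record that says root still says root after normalisation; the filter only controls which records reach the syslog server and how they are labelled.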


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:48 EDT