> the original question:
> --------------------------------------------------------------------
> We are running DU 4.0a & C2 security. I have reduced the
> /etc/sec/audit_events list significantly and have just noticed
> that I am not detecting ftp logins or logfails with the CDE audit
> tool (dxaudit). Telnet and CDE logins and logfails are being
> detected.
>
> Ftp logins are being recorded in the /var/adm/wtmp (last).
>
> Does anyone know which audit_event(s) affect the ftp events?
>
> ---------------------------------------------------------------------
Spider Boardman replied:
# auditmask trusted_event
It's `auth_event' in particular for rsh and ftp.
-----------------------------------------------------------------------
Larry Scott replied:
The FTP accesses will record as "auth_event" events. FTP is a protocol
distinct from login.
-----------------------------------------------------------------------
I tested the auth_event and that is the correct audit_event.
Many thanks for the help.
rich (rnfrank_at_llnl.gov)
Received on Fri Feb 21 1997 - 23:55:21 NZDT