Hello System Admins,
Thanks very much to these people for responding:
George Gallen <ggallen_at_slackinc.com>
Steve VanDevender <stevev_at_hexadecimal.uoregon.edu>
Frank Wortner <frank_at_bondnet.com>
Toni Harbaugh-Blackford <harbaugh_at_ncifcrf.gov>
Jim Fitzmaurice <jpfitz_at_fnal.gov>
"Degerness, Mandell ITSD:EX" <Mandell.Degerness_at_gems2.gov.bc.ca>
lrs22_at_att.net
It looks like there are three possible answers. As you can see
from my original posted question below, I wanted a way to log
the username and destination of anyone invoking telnet from this
host. [1] Write a script wrapper that will invoke the
actual /usr/bin/telnet binary as it logs the appropriate info.
[2] Modify the source of a telnet program to use the audgenl()
system call, recompile, and replace the original /usr/bin/telnet.
Of course, users could bypass either of these solutions by
uploading their own telnet binary, or, in the case of the
script wrapper, invoking the real telnet directly. But that's
okay, I still find these two methods very useful.
[3] Use the auditing method suggested by Toni Harbaugh-Blackford
(see below).
Frank Wortner suggested method [2] and getting the telnet source
from Linux or FreeBSD.
About [3], Toni Harbaugh-Blackford indicated that it was possible
to use the auditing facility and yet reduce the total amount of
data logged:
Log all 'exec' events (exeve, exev, exec_with_loader). Since you
are running Enhanced Security, you can reduce the amount of data
you generate to actual logged in users (rather than daemons) by
using the u_auditmask field of either the prpasswd or default
databases [see the manpage on 'prpasswd' for details]
Again, many thanks to all who responded!
Paul Youngblood
---------------------------------------------------------------
--------original---posting-------------------------------------
---------------------------------------------------------------
Hello System Admins,
Is there a way to audit the use of telnet without resorting to
putting the following line in my /etc/sec/audit_events file?
connect succeed fail
I believe turning on auditing for the "connect" event will record
all connection activity on all ports -- that would generate far
too much data for my needs. I am only interested in auditing the
use of /usr/bin/telnet by users currently logged on. In other
words, I want to record WHAT USER on this node invoked telnet and
WHERE DID THEY TELNET TO.
I've tried using this command sequence:
# auditmask -s obj_sel
# auditmask -x /usr/bin/telnet
But this doesn't seem to cause any logging of the use of telnet.
I've even "turned on" object selection by running audit_setup.
Is this not the correct use of object selection? All the other
items listed in my audit_events file are being logged normally,
so the auditing subsystem seems to be functioning.
I sure could use any information you might have to help me out!
I'm running DU 4.0D and C2 Security. I'll summarize.
Paul Youngblood
Received on Tue Jul 06 1999 - 22:32:46 NZST