SUMMARY: Logging attempts to logon

From: Joao Rochate <jrochate_at_ualg.pt>
Date: Fri, 23 Jul 1999 16:56:45 +0100

Hi, managers...

As usual, an extremely fast and efficient list...

Original Q: How and where do I get logs of bad logons to the system? Or
piracy, or bad users trying to enter the system...

The 30 sec. answer was as simple as:
Look at /var/adm/sialog. If that file is not there, simply "touch" the file
and if C2 security is installed, it will begin recording logon attempts.

================================

Anyway, I got several interesting answers:

From: Benjamin Smith <smith.beno_at_epamail.epa.gov>
Organization: Lockheed Martin, in support of the U.S. EPA

I don't remember if this is specific to C2 security but touching
/var/adm/sialog (root:system mode 640) will log all successful and
unsuccessful connects/authentications (it won't log where from, but will
give usernames). For the "where from" I'd suggest tcp-wrappers.

--------------------------------

From: Cy Dewhurst <cy.dewhurst_at_rbch-tr.swest.nhs.uk>

Easiest way is to install C2 enhanced security. Enable auditing only
(unless you want the additional passwd auth stuff) using audit_setup
(8). Use XIsso to generate audit reports for the specific event (i.e.
failed logins) from the raw audit file. Apart from getting hold of the
source for the login subsystem and modifying it yourself (not a good
idea), I can't think of any other way to do it.

---------------------------------

From: George Gallen <ggallen_at_slackinc.com>

Create the file /var/adm/sialog

This will log all successful & unsuccessful attempts.
It doesn't give you much, just the tty and the time.

Since it's logging to mail.log, I'm assuming you have
tcpwrappers running; you could also configure tcpwrappers
(/etc/hosts.deny file) to log any attempts to access
the login (via telnet), but that would only log connections
that tcpwrappers rejected (so they would never even make
it to the login prompt, and thus never show up in sialog).

---------------------------------

From: "Frank Wortner" <frank_at_bondnet.com>

You will need to turn on the DU audit facility. Run /usr/sbin/audit_setup,
but be aware that you may have to regenerate the kernel and reboot if your
present kernel doesn't have the AUDIT option turned on. Take all the
defaults for the auditmask when audit_setup prompts you.

=================================
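The "touch the file" answer above, together with Benjamin Smith's note on ownership and mode, is really a two-step procedure: create /var/adm/sialog, then make sure it really is root:system 0640 so the recorded usernames stay readable by root only. The script below is an added example, not code from the thread; the path, owner and group are parameters (defaults assumed from the replies) so the check can be exercised on a scratch file.

```shell
#!/bin/sh
# Added example (not from the thread): create the sialog file so the C2/SIA
# login code starts recording logon attempts, then verify that the file has
# the owner, group and mode the replies describe (root:system, 0640).
# Defaults are assumed from the replies; pass a test path to try it unprivileged.

sialog_setup() {
    log=${1:-/var/adm/sialog}
    owner=${2:-root}
    group=${3:-system}
    # Creating the file is the whole trick: SIA only logs when it exists.
    [ -f "$log" ] || : > "$log" || return 1
    # 0640: root (and the log-reading group) may read it, nobody else;
    # failed attempts record usernames, which are sometimes mistyped passwords.
    chmod 640 "$log" || return 1
    chown "$owner:$group" "$log" 2>/dev/null   # needs root; checked below
    sialog_verify "$log" "$owner" "$group"
}

# Returns 0 when the file exists with the expected owner, group and mode,
# 1 (with a reason on stderr) otherwise. Parses ls -ld rather than stat(1)
# because older systems such as Digital UNIX have no GNU stat.
sialog_verify() {
    log=$1; owner=$2; group=$3
    [ -f "$log" ] || { echo "$log: missing, SIA is not logging" >&2; return 1; }
    set -- $(ls -ld "$log")
    mode=$1; have_owner=$3; have_group=$4
    case $mode in
        -rw-r-----*) ;;   # trailing '+', '.', '@' mark ACLs/xattrs, mode still ok
        *) echo "$log: mode is $mode, want -rw-r-----" >&2; return 1 ;;
    esac
    [ "$have_owner" = "$owner" ] ||
        { echo "$log: owner is $have_owner, want $owner" >&2; return 1; }
    [ "$have_group" = "$group" ] ||
        { echo "$log: group is $have_group, want $group" >&2; return 1; }
    return 0
}
```

Run it with no arguments as root to set up the real file; with a scratch path and your own user and group it only exercises the checks.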

And so many others who are still kindly replying to me.

Thanks go to (in order of appearance on my mailbox):
"Spalding, Stephen" <SSpaldin_at_mem-ins.com>
Benjamin Smith <smith.beno_at_epamail.epa.gov>
Cy Dewhurst <cy.dewhurst_at_rbch-tr.swest.nhs.uk>
George Gallen <ggallen_at_slackinc.com>
"Frank Wortner" <frank_at_bondnet.com>
Bob Jones <BJ_at_OREGON.UOREGON.EDU>
"Leonard, Roger" <rleonard_at_cvty.com>
Larry Griffith <larry_at_cs.wsc.ma.edu>


=================================

Just as a curiosity:
* I've sent the question at 15:32
* Got the 1st reply at 15:50
* Got 10 replies at 17:00

Have fun,


                                Joao Rochate

-------------------------------------------------------
Joao Pedro Rochate | EMail: jrochate_at_ualg.pt
Servicos de Informatica | URL: w3.ualg.pt/~jrochate
Universidade do Algarve | Phone: +351 (0)89 800 961
8000 Gambelas - FARO | ISDN: +351 (0)89 860 125
P O R T U G A L (pt) | GSM: +351 (0)931 950xxxx
-=[ http://www.ualg.pt ]=- | Fax: +351 (0)89 860 129
-------------------------------------------------------
Eng. de Sistemas e Computacao - UCEH - Univ. do Algarve
Received on Fri Jul 23 1999 - 15:57:51 NZST