Summary: Printing Audit Information

From: Elder, Dan <dan.elder_at_eds.com>
Date: Fri, 07 Apr 2000 13:59:04 -0400

My original question:

I am trying to automatically print login attempts/successes to an attached
printer in real time. I have built a kludge that will (tail -f
/var/adm/sialog > /dev/tty00) but there must be a better way. Maybe tcp
wrappers?

Summary:

From the replies, it doesn't seem that there is any one simple and better
way of doing this. Here are the replies I received...with many thanks.

Compaq sent:-----------------------------------------

I assume this is done for security reasons.
You may want to look into auditd(8) and acct(8) for the various auditing and
accounting control on the system. You can also use sysman to show the real
time status of auditd, etc. But I don't think there is a hook to a printer,
so "tail -f fileName | lpr -h -PprinterName" would be the closest
thing.



Frank Wortner sent:-----------------------------------------

Your solution seems to be the simplest possible one. I wouldn't discount
it. TCP Wrappers would log *connections*, not necessarily logins. They
also don't include LAT connections (should you be plagued with those :-),
or hardwired terminals, or certain types of logins from X terminals. Other
"solutions" I could think of involve going to Enhanced Security (C2) and
writing programs in C and/or PERL to extract information from the prpasswd
database every minute or so, compare it with the previous results, and
then print the differences. (I actually do this to keep track of which user
accounts are locked or unlocked.) However, this is more resource intensive
than just a plain old tail of a log file. You could also turn on system
auditing and capture login events. You would have to run the audit_tool
almost constantly, though. Again, this would consume much more CPU and
disk space than just tailing sialog.

What I'm trying to say is that the "better" way may not be worth the effort
if your current solution works -- at least in my humble opinion.



Sean O'Connell sent:-----------------------------------------

I use a scheme that takes advantage of tcsh being my default
shell (it sets the REMOTEHOST environment variable) and then
using logger command to dash a quick note off to syslog from
within /etc/csh.login.

if ( ! $?REMOTEHOST ) then
   setenv REMOTEHOST localhost
endif
/usr/bin/logger -p auth.info "${USER} has logged in from ${REMOTEHOST}"

You could pare that down to just

echo "${USER} has logged in from ${REMOTEHOST}" > /dev/tty00

(or do both if you ever ran out of ribbon/cartridge/paper).

I guess this would capture successful logins. tcpwrappers could
be used to catch any rlogin/rsh/telnet/ssh connection attempt
by using syntax spelled out in hosts_options(5) and hosts_access(5).

telnetd: ALL\
       : severity auth.info \
       : spawn (/bin/echo "%d connection from %h" > /dev/tty00) &

(this could be added to hosts.allow or hosts.deny) and then the
/etc/csh.login entry could catch the actual login.
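An added example (not part of Sean's posting or any list member's code) that consumes the auth.info syslog lines the two mechanisms above produce, the logger call in /etc/csh.login and the tcpd "severity auth.info" option, and turns them into short records for a line printer, plus a batch tally that flags hosts which connected but never completed a login. It assumes tcpd's usual "connect from" / "refused connect from" wording; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example; sample lines below are constructed, not from a real syslog.
SAMPLE_LOG='Apr  7 13:58:50 host1 telnetd[1234]: connect from 10.0.0.5
Apr  7 13:59:04 host1 dan: dan has logged in from 10.0.0.5
Apr  7 14:02:11 host1 telnetd[1250]: connect from 10.0.0.9
Apr  7 14:03:30 host1 telnetd[1251]: refused connect from 192.168.1.7
Apr  7 14:05:00 host1 sean: sean has logged in from localhost'

# stdin: syslog lines.  stdout: one record per matching line:
#   CONNECT <host>          tcpd accepted a connection (hosts.allow)
#   REFUSED <host>          tcpd denied a connection (hosts.deny)
#   LOGIN <user> <host>     the /etc/csh.login logger message
# Streams line by line, so it can sit between tail -f and /dev/tty00.
normalize_auth() {
    awk '
    /refused connect from/ { print "REFUSED", $NF; next }
    /connect from/         { print "CONNECT", $NF; next }
    / has logged in from / {
        # the user name is the word just before "has logged in from"
        for (i = 2; i <= NF; i++)
            if ($i == "has" && $(i+1) == "logged") {
                print "LOGIN", $(i-1), $NF; break
            }
        next
    }'
}

# Batch view: per host, connections versus completed logins.  A host that
# connected but never produced a LOGIN record is what a failed or abandoned
# attempt looks like in this scheme, so it is flagged NO-LOGIN.
summarize_auth() {
    normalize_auth | awk '
    $1 == "CONNECT" { conn[$2]++;  seen[$2] = 1 }
    $1 == "LOGIN"   { login[$3]++; seen[$3] = 1 }
    $1 == "REFUSED" { ref[$2]++ }
    END {
        for (h in seen)
            printf "%s connects=%d logins=%d%s\n", h, conn[h] + 0,
                   login[h] + 0, ((conn[h] && !login[h]) ? " NO-LOGIN" : "")
        for (h in ref) printf "%s refused=%d\n", h, ref[h]
    }' | LC_ALL=C sort
}

# Real-time use would be:  tail -f <auth log> | normalize_auth > /dev/tty00
printf '%s\n' "$SAMPLE_LOG" | summarize_auth
```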



lrs22 sent:-----------------------------------------
 
Another approach would be:

 # auditmask login ...
     - set the auditmask to audit login (and any other
       relevant event)

 # auditd -d 1m
     - set the auditd flush frequency to 1x/min

 # audit_tool `auditd -dq` -f >& /dev/tty00
     - continue (a la tail -f) processing the auditlog
       with the audit_tool utility;
       output to /dev/tty00

The advantage of this approach is much more detail
than that provided from the sialog. Examples are in
the docs. Hope this helps.


Dan Elder

Government and Healthcare Services BC
Phone: (250) 405-2608
Fax: (250) 405-2610

mailto:dan.elder_at_eds.com
Received on Fri Apr 07 2000 - 18:00:27 NZST

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:40 NZDT