From: Richard Bates
Date: Wed, 16 Jan 2008 14:00:55 -0500
To: freebsd-current@freebsd.org
Subject: Re: Question on security..

OK, I set up a test server with FreeBSD 6.2 installed.
Compiled the kernel to include auditd.
SAMBA3, Netatalk, and SSH enabled.

Audit seems to log the ssh connections, but doesn't log the smb/cifs netatalk connections.
I'd also like to monitor MySQL connections.

Is there a way to do this?
I went through the audit section of the handbook, but there is nothing specific.

Thanks

On Jan 15, 2008, at 11:18 AM, Robert Watson wrote:

> On Tue, 15 Jan 2008, Richard Bates wrote:
>
>> I know login failures are logged in /var/log/auth.log
>>
>> is there a way to log the login of users in this log say something like
>>
>> Jan 15 10:59:00 MyServer sshd[91869]: User bates authenticated from 172.18.1.139
>> Jan 15 10:59:00 MyServer sshd[91869]: User bates Disconnected from 172.18.1.139
>
> The normal system lastlog, accessed via last(1), does this fairly
> well. As you notch up the level of logging on sshd, it should also
> be able to do that. However, I tend to use audit for the above type
> of functionality, as the results are more parseable using tools
> like auditreduce. There's a handbook chapter on how to configure
> and use audit, should you be looking for something a bit more on
> that scale of things.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge