Date: Wed, 29 Jun 2011 22:04:19 +0200
From: Patrick Proniewski <patpro@patpro.net>
To: Lev Serebryakov <lev@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: More questions about audit
Message-ID: <290F5B80-4EA1-401A-A834-2A4C85473DEB@patpro.net>
In-Reply-To: <15687116.20110629191119@serebryakov.spb.ru>
References: <15687116.20110629191119@serebryakov.spb.ru>
On 29 June 2011, at 17:11, Lev Serebryakov wrote:

> Even more, such a command doesn't show anything about user login via
> ssh:
>
> auditreduce -m AUE_login /dev/auditpipe0 | praudit
>
> Yes, I have "lo" class enabled for all users, and, yes,
>
> auditreduce -r USER /dev/auditpipe0 | praudit
>
> shows activity after login...

# praudit -l /dev/auditpipe0
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
../..
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,

You see "OpenSSH login" as the event's name. That's what you need to look for:

# grep "OpenSSH login" /etc/security/audit_event
32800:AUE_openssh:OpenSSH login:lo

so, you must try:

# auditreduce -m AUE_openssh /dev/auditpipe0 | praudit

But I don't get good results with that command. It looks like auditreduce waits for a good amount of events before sending the result to stdout.

This will show your logins:

# auditreduce -m AUE_openssh /var/audit/current | praudit

patpro
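Added example, not part of the thread or of FreeBSD's audit tools: a small POSIX shell script that does offline what the reply above does by hand. It resolves an event description ("OpenSSH login") to its AUE_ mnemonic from audit_event(5)-style lines, builds the auditreduce command the reply ends up recommending (reading the finished trail in /var/audit/current rather than /dev/auditpipe0), and pulls login/logout records out of praudit -l output by event name. The audit_event and praudit samples are constructed here, modelled on the records quoted in the thread; the 6152/6153 AUE_login/AUE_logout lines are from OpenBSM as I recall them and should be checked against your own /etc/security/audit_event. The asterisks stand in for the subject_ex fields the poster redacted.

```shell
#!/bin/sh
# Added example (not code from the thread). Parses audit_event(5)-style
# lines and praudit -l records so the lookup the reply describes can be
# scripted and tested without a running audit daemon.

# Constructed excerpt of /etc/security/audit_event: number:mnemonic:description:classes.
# 32800/AUE_openssh is the line quoted in the thread; the other two are from
# OpenBSM as I recall them (verify on your system).
AUDIT_EVENT_SAMPLE='6152:AUE_login:login - local:lo
6153:AUE_logout:logout - local:lo
32800:AUE_openssh:OpenSSH login:lo'

# Constructed praudit -l output, modelled on the records quoted above.
# Field 4 of the header token is the event name; the "text" token is what
# sshd logs ("successful login <user>", "sshd logout <user>").
PRAUDIT_SAMPLE='header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,'

# Print the AUE_ mnemonic whose description (field 3) matches $1 exactly.
# This is the "grep /etc/security/audit_event" step, done by field rather
# than by substring so "login - local" cannot match "OpenSSH login".
event_mnemonic() {
    printf '%s\n' "$AUDIT_EVENT_SAMPLE" | awk -F: -v want="$1" '$3 == want { print $2 }'
}

# Build the auditreduce pipeline for event description $1, reading the
# finished trail (/var/audit/current) rather than the pipe, which the
# reply found to buffer output. Fails if the description is unknown.
audit_cmd() {
    m=$(event_mnemonic "$1") || return 1
    if [ -z "$m" ]; then
        echo "no event described as '$1' in audit_event" >&2
        return 1
    fi
    printf 'auditreduce -m %s /var/audit/current | praudit -l\n' "$m"
}

# Read praudit -l records on stdin and print "<event name><TAB><text token>"
# for every record whose event name (field 4) matches the ERE in $1.
# Lets you confirm what actually landed in the trail for a given event.
login_records() {
    awk -F, -v pat="$1" '
        $1 == "header" && $4 ~ pat {
            txt = ""
            for (i = 5; i <= NF; i++) {
                if ($i == "text") { txt = $(i + 1); break }
            }
            print $4 "\t" txt
        }'
}

# Stand-alone demo: the command to type on the box, then the login and
# logout records present in the constructed sample.
audit_cmd 'OpenSSH login'
printf '%s\n' "$PRAUDIT_SAMPLE" | login_records '^(OpenSSH login|logout - local)$'
```

On a real FreeBSD host, replace PRAUDIT_SAMPLE with `praudit -l /var/audit/current` and AUDIT_EVENT_SAMPLE with the contents of /etc/security/audit_event; the two functions then work unchanged.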
