Date: Wed, 29 Jun 2011 22:04:19 +0200
From: Patrick Proniewski <patpro@patpro.net>
To: Lev Serebryakov <lev@FreeBSD.org>
Cc: freebsd-security@freebsd.org
Subject: Re: More questions about audit
Message-ID: <290F5B80-4EA1-401A-A834-2A4C85473DEB@patpro.net>
In-Reply-To: <15687116.20110629191119@serebryakov.spb.ru>
References: <15687116.20110629191119@serebryakov.spb.ru>
On 29 June 2011, at 17:11, Lev Serebryakov wrote:

> Even more, such command doesn't show anything about user login via
> ssh:
>
> auditreduce -m AUE_login /dev/auditpipe0 | praudit
>
> Yes, I have "lo" class enabled for all users, and, yes,
>
> auditreduce -r USER /dev/auditpipe0 | praudit
>
> shows activity after login...

# praudit -l /dev/auditpipe0
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
../..
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,

You see "OpenSSH login" as the event's name. That's what you need to look for:

# grep "OpenSSH login" /etc/security/audit_event
32800:AUE_openssh:OpenSSH login:lo

so, you must try:

# auditreduce -m AUE_openssh /dev/auditpipe0 | praudit

But I don't get good results with that command. It looks like auditreduce waits for a good amount of events before sending the result to stdout. This will show your logins:

# auditreduce -m AUE_openssh /var/audit/current | praudit

patpro
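The reply above makes two points: the record for an SSH login carries the event name "OpenSSH login", and the matching `AUE_*` name to pass to `auditreduce -m` is found in `/etc/security/audit_event`. The following Python script is an added example (not code from the thread or from FreeBSD) that does both steps offline: it parses the one-record-per-line `praudit -l` format exactly as shown in the message, filters records by event name, and resolves an event description to its `AUE_*` name and class from `audit_event`-style lines. The praudit records and the `32800:AUE_openssh:OpenSSH login:lo` entry are copied from the message; the second `audit_event` line is a constructed placeholder, and the token layout it assumes (`text,<value>` and `return,<status>,<errno>`) is only what the three sample records exhibit.

```python
import re
import sys

# Constructed sample input: the three praudit -l records from the message,
# with the subject_ex fields redacted as "*******" just as they were posted.
SAMPLE_PRAUDIT_LINES = """\
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,
""".splitlines()

# Constructed sample of /etc/security/audit_event: the first line is the
# real entry quoted in the message, the second is a labelled placeholder.
SAMPLE_AUDIT_EVENT = """\
32800:AUE_openssh:OpenSSH login:lo
99999:AUE_placeholder_example:placeholder event (not a real entry):ex
""".splitlines()

# praudit -l header token: header,<bytes>,<version>,<event>,<modifier>,<time>, + <msec> msec,...
HEADER_RE = re.compile(
    r"^header,(?P<length>\d+),(?P<version>\d+),(?P<event>[^,]*),(?P<modifier>[^,]*),"
    r"(?P<time>[^,]*), \+ (?P<msec>\d+) msec,(?P<rest>.*)$"
)


def parse_record(line):
    """Parse one praudit -l line into a dict, or return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "event": m.group("event"),
        "time": m.group("time"),
        "msec": int(m.group("msec")),
        "text": None,
        "status": None,
        "errno": None,
    }
    # Walk the remaining comma-separated tokens; only the token kinds seen in the
    # sample records are interpreted, everything else is skipped.
    fields = m.group("rest").split(",")
    i = 0
    while i < len(fields):
        tok = fields[i]
        if tok == "text" and i + 1 < len(fields):
            rec["text"] = fields[i + 1]
            i += 2
        elif tok == "return" and i + 2 < len(fields):
            rec["status"] = fields[i + 1]
            rec["errno"] = fields[i + 2]
            i += 3
        else:
            i += 1
    return rec


def records_for_event(lines, event="OpenSSH login"):
    """Keep only the records whose header event name matches, e.g. SSH logins."""
    parsed = (parse_record(line) for line in lines)
    return [r for r in parsed if r is not None and r["event"] == event]


def aue_name_for(audit_event_lines, description):
    """Map an event description to (AUE name, class list) from audit_event lines.

    Each line has the form <number>:<AUE_name>:<description>:<classes>, which is
    what the grep in the message shows. Returns None if no entry matches.
    """
    for line in audit_event_lines:
        parts = line.strip().split(":")
        if len(parts) != 4:
            continue
        _num, aue, desc, classes = parts
        if desc == description:
            return aue, classes
    return None


if __name__ == "__main__":
    # Usage: praudit -l /var/audit/current | python3 this_script.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_PRAUDIT_LINES
    for rec in records_for_event(source):
        print(rec["time"], rec["event"], rec["text"], rec["status"])
    print("auditreduce -m argument:", aue_name_for(SAMPLE_AUDIT_EVENT, "OpenSSH login"))
```

Piping `praudit -l` output from an audit trail file (rather than `/dev/auditpipe0`) into the script sidesteps the buffering the message mentions, since the file is read to the end in one pass. The lookup in `aue_name_for` is the programmatic equivalent of the `grep "OpenSSH login" /etc/security/audit_event` step.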