From owner-freebsd-security@FreeBSD.ORG Wed Jun 29 20:04:23 2011
From: Patrick Proniewski
Date: Wed, 29 Jun 2011 22:04:19 +0200
To: Lev Serebryakov
Cc: freebsd-security@freebsd.org
Subject: Re: More questions about audit
In-Reply-To: <15687116.20110629191119@serebryakov.spb.ru>
Message-Id: <290F5B80-4EA1-401A-A834-2A4C85473DEB@patpro.net>

On 29 June 2011, at 17:11, Lev Serebryakov wrote:

> Even more, such command doesn't show anything about user login via
> ssh:
>
> auditreduce -m AUE_login /dev/auditpipe0 | praudit
>
> Yes, I have "lo" class enabled for all users, and, yes,
>
> auditreduce -r USER /dev/auditpipe0 | praudit
>
> shows activity after login...

# praudit -l /dev/auditpipe0
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
../..
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,

You see "OpenSSH login" as the event's name. That's what you need to look for:

# grep "OpenSSH login" /etc/security/audit_event
32800:AUE_openssh:OpenSSH login:lo

so, you must try:

# auditreduce -m AUE_openssh /dev/auditpipe0 | praudit

But I don't get good results with that command. It looks like auditreduce waits for a good amount of events before sending the result to stdout.

This will show your logins:

# auditreduce -m AUE_openssh /var/audit/current | praudit

patpro
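The practical point of the reply above is that praudit prints the event's textual description ("OpenSSH login") while auditreduce -m wants the AUE_ name from /etc/security/audit_event, so the two have to be mapped. The following Python is an added example, not code from the mail or from FreeBSD: it parses the one-record-per-line text that `praudit -l` emits (the three records quoted in the mail, with the subject fields masked exactly as posted, are embedded as constructed sample input), pulls out the SSH login/logout events with the user named in their text token, and resolves a description to its AUE_ name from an audit_event-style file. The audit_event sample contains the line quoted in the mail plus one placeholder entry for "logout - local" whose number and AUE_ name are invented for the example; read the real values from your own audit_event file.

```python
"""Parse praudit(1) text-format records and find SSH login/logout events.

Added example for this thread, not part of the original mail or of FreeBSD.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the records quoted in the mail, subject fields masked
# with ******* as the author posted them. `praudit -l` prints one record per
# line, comma separated: header,len,version,event,modifier,time, + N msec,...
SAMPLE_PRAUDIT = """\
header,99,11,OpenSSH login,0,Wed Jun 29 21:21:22 2011, + 603 msec,subject_ex,*******,text,successful login patpro,return,success,0,trailer,99,
header,481,11,execve(2),0,Wed Jun 29 21:21:22 2011, + 668 msec,exec arg,-bash,exec env,*******,return,success,0,trailer,481,
header,94,11,logout - local,0,Wed Jun 29 21:21:25 2011, + 328 msec,subject_ex,*******,text,sshd logout patpro,return,success,0,trailer,94,
"""

# Constructed sample of /etc/security/audit_event (number:AUE_name:description:class).
# First line is the one from the mail; the second is a PLACEHOLDER for the
# example only, with an invented number and name.
SAMPLE_AUDIT_EVENT = """\
32800:AUE_openssh:OpenSSH login:lo
9999:AUE_placeholder_logout:logout - local:lo
"""

# Event descriptions that mark the start and end of an SSH session in the mail.
SESSION_EVENTS = {"OpenSSH login", "logout - local"}


@dataclass
class AuditRecord:
    event: str            # event description, e.g. "OpenSSH login"
    when: str             # timestamp string from the header token
    text: Optional[str]   # payload of the text token, if present
    status: Optional[str] # "success"/"failure" from the return token
    user: Optional[str]   # last word of the text token ("... login patpro")


def parse_praudit(text: str) -> List[AuditRecord]:
    """Turn `praudit -l` output into AuditRecord objects; skips partial records."""
    records = []
    for line in text.splitlines():
        f = line.split(",")
        # A complete record starts with a header token and ends with a trailer.
        if len(f) < 7 or f[0] != "header" or "trailer" not in f:
            continue
        event, when = f[3], f[5].strip()
        text_val = f[f.index("text") + 1] if "text" in f else None
        status = f[f.index("return") + 1] if "return" in f else None
        user = text_val.rsplit(" ", 1)[-1] if text_val else None
        records.append(AuditRecord(event, when, text_val, status, user))
    return records


def ssh_sessions(records: List[AuditRecord]):
    """Keep only login/logout events: (event, user, time, status) tuples."""
    return [(r.event, r.user, r.when, r.status)
            for r in records if r.event in SESSION_EVENTS]


def aue_name(description: str, audit_event_text: str) -> Optional[str]:
    """Map a praudit event description to the AUE_ name auditreduce -m expects."""
    for line in audit_event_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[2] == description:
            return parts[1]
    return None


if __name__ == "__main__":
    for ev, user, when, status in ssh_sessions(parse_praudit(SAMPLE_PRAUDIT)):
        print(f"{when}  {ev:<15} user={user} status={status}")
    # The same lookup the mail does with grep against audit_event.
    print("auditreduce -m", aue_name("OpenSSH login", SAMPLE_AUDIT_EVENT),
          "/var/audit/current | praudit")
```

On a real host you would feed it `praudit -l /var/audit/current` output rather than the embedded sample; the point to remember from the thread is that the event description shown by praudit is not the argument auditreduce takes, so the lookup in audit_event is the step that turns what you see in the trail into a working filter.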