Solved

login/logoff over sshd and xwindows on AIX5.x and 6x

Posted on 2010-08-13
Last Modified: 2013-11-17
Hi,

I see that when a user logs in on AIX using sshd or xwindows, it logs an entry in syslog.log and the AUDIT logs. But when the user types 'exit' or Ctrl+D, or closes the window, it doesn't appear in either log. How can I fix it?
0
Question by:sminfo
 
LVL 9

Expert Comment

by:Tomas Valenta
ID: 33428354
The logoff info is in accounting, not auditing. These logs are usually generated daily.
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33428486
Try editing your /etc/security/audit/config like this:

start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        loginout = USER_Login,TERM_Logout,USER_Exit,USER_Logout,PROC_Execute

users:
        default = loginout


Then issue audit shutdown and audit start to apply the changes.

Hope this helps


0
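A way to check a configuration like the one in the comment above, as an added example that is not code from the thread or from IBM: it resolves which audit events each entry in the users stanza actually receives through its classes and lists the session-end events that are missing. The "objects" class and the "batch" user are hypothetical, and the set of logoff events is taken from the event names mentioned in this thread.

```python
# Added example: resolve which audit events each user in an AIX-style
# /etc/security/audit/config gets, and flag missing logoff events.

# Session-end events named in this thread; treating them as the full set
# of logoff events is an assumption.
LOGOFF_EVENTS = {"TERM_Logout", "USER_Exit", "USER_Logout"}

# Constructed sample: the classes/users stanzas from the comment above plus a
# hypothetical "objects" class and "batch" user that carry no logoff events.
SAMPLE_CONFIG = """\
classes:
        loginout = USER_Login,TERM_Logout,USER_Exit,USER_Logout,PROC_Execute
        objects = FILE_Open,FILE_Unlink

users:
        default = loginout
        batch = objects
"""

def parse_stanzas(text):
    """Return {stanza: {key: [values]}} for 'name:' / 'key = a,b' files."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # '*' starts a comment line
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return stanzas

def missing_logoff_events(text):
    """Map each user to the logoff events none of its classes include."""
    cfg = parse_stanzas(text)
    classes = cfg.get("classes", {})
    report = {}
    for user, class_names in cfg.get("users", {}).items():
        events = set()
        for name in class_names:
            events.update(classes.get(name, []))   # unknown class adds nothing
        report[user] = sorted(LOGOFF_EVENTS - events)
    return report

if __name__ == "__main__":
    for user, missing in missing_logoff_events(SAMPLE_CONFIG).items():
        print(user, "missing:", ", ".join(missing) or "none")
```

An empty list for a user only shows that the events are selected; as the rest of the thread shows, the login service itself still has to emit them.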
 

Author Comment

by:sminfo
ID: 33428692
Hi, this is my config file:

classes:
        general = USER_SU,PASSWORD_Change,USER_Login,USER_Exit,USER_Logout,USER_Create,USER_Remove,GROUP_Create,GROUP_Remove,USER_Change,USER_SetEnv,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,DEV_Configure,DEV_Change,INSTALLP_Inst,INSTALLP_Exec,USER_Shell,USER_Reboot,TERM_Logout

But I only get login/logout logs for telnetd; for sshd and xwindows I only get logins but no logoff. I need to trace sshd and xwindows logoffs any way I can.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 33429054
Hi again,

for remote sshd sessions you should see the audit event TCP_kclose (if configured) at end of session.

Not sure if this works for X sessions as well.
Will check.

wmp
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33429165
I think it will work with X sessions, because X operates over TCP, but you will get so many events when you set TCP_kclose. Maybe that's the problem too.
0
 

Author Comment

by:sminfo
ID: 33429184
Hi wmp, glad to hear from you again :-)

Talking about X sessions, do you know what I have to configure on CDE to get dtlogin's logs in syslog.conf?
0
 

Author Comment

by:sminfo
ID: 33429399
I don't know why logoff is an event as on linux as below:

login:
Aug 13 15:35:19 linux sshd[4739]: Accepted password for root from 192.168.12.36 port 2154 ssh2
Aug 13 15:35:19 linux sshd[4739]: pam_unix(sshd:session): session opened for user root by (uid=0)

logoff:
Aug 13 15:35:23 linux sshd[4739]: pam_unix(sshd:session): session closed for user root

Regarding X windows, I think (I haven't found it yet) there is a way to log to syslog a successful/failed dtlogin or another event which tells me when a user logs in/off using this application.
0
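The gap described in this thread (a login record with no matching logoff) can be detected from the log itself. The following is an added example, not code from the thread: it pairs "session opened" and "session closed" records by host and sshd PID and returns the sessions that never logged a close. It assumes the Linux pam_unix line format quoted in the comment above; the last sample line and the user "oper" are constructed.

```python
import re

# First three lines are the ones quoted in the comment above; the fourth is
# constructed so that PID 5120 has a login with no logoff record.
SAMPLE_LOG = """\
Aug 13 15:35:19 linux sshd[4739]: Accepted password for root from 192.168.12.36 port 2154 ssh2
Aug 13 15:35:19 linux sshd[4739]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 15:35:23 linux sshd[4739]: pam_unix(sshd:session): session closed for user root
Aug 13 15:40:02 linux sshd[5120]: pam_unix(sshd:session): session opened for user oper by (uid=0)
"""

# Matches only the pam_unix session open/close records written by sshd.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session (?P<what>opened|closed) for user (?P<user>\S+)"
)

def pair_sessions(log_text):
    """Return (closed, still_open); sessions are keyed by (host, sshd pid)."""
    open_sessions, closed = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # e.g. "Accepted password" lines
        key = (m["host"], m["pid"])
        if m["what"] == "opened":
            open_sessions[key] = {"user": m["user"], "login": m["ts"]}
        elif key in open_sessions:        # a close without an open is ignored
            session = open_sessions.pop(key)
            closed.append({**session, "pid": m["pid"], "logout": m["ts"]})
    still_open = [{**s, "pid": pid} for (_, pid), s in open_sessions.items()]
    return closed, still_open

if __name__ == "__main__":
    done, pending = pair_sessions(SAMPLE_LOG)
    for s in done:
        print("closed:", s)
    for s in pending:
        print("no logoff record:", s)
```

Entries in the second list are either sessions still in progress or logoffs that were never logged, so compare them against the currently active sessions before treating them as a logging gap.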
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33429530
Can you show two lines from /etc/ssh/sshd_config from your AIX box and your Linux box:

SyslogFacility .....
LogLevel .....


0
 

Author Comment

by:sminfo
ID: 33429724

They are commented out now, but I tried with SyslogFacility AUTHPRIV and it shows a log entry when the sshd connection is closed; I think it should be similar to TCP_kclose.
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33429763
Yes, but it's specific for sshd. If you want a little more info for this sshd session, set LogLevel to VERBOSE.

So, only X Windows to go.
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33430150
Did you use dtlogin with PAM or traditional UNIX login and auditing? If you don't use PAM, you can use PAM with debug to see whether you can achieve what you want or not.

Edit /etc/pam.conf:

dtlogin        auth               required       /usr/lib/security/pam_aix debug
dtlogin        account            required       /usr/lib/security/pam_aix
dtlogin        password           required       /usr/lib/security/pam_aix
dtlogin        session            required       /usr/lib/security/pam_aix debug

0
 

Author Comment

by:sminfo
ID: 33443683
Sorry for the delay, thetmanvn,

How can I know if dtlogin is using PAM or not? I added the lines you told me to pam.conf but syslog doesn't show any trace of dtlogin.
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33443854
Hi sminfo,

Check and modify the value of the auth_type attribute in the usw stanza of the /etc/security/login.cfg file to PAM_AUTH.
0
 

Author Comment

by:sminfo
ID: 33444217
OK, I'll try.. do you know which method is best? PAM or STD?

thanks
0
 

Author Comment

by:sminfo
ID: 33463398
Well, I have not been able to trace logoff and logouts on syslogd when using sshd or xwindows. Any other idea about this?

Thanks.
0
 
LVL 68

Accepted Solution

by:woolmilkporc
ID: 33463552
As for sshd - see our other thread. openssh 4.7.0.5300 works, openssh 5.2.0.5300 doesn't.
Xwindows still to come ...
0
 
LVL 68

Assisted Solution

by:woolmilkporc
ID: 33463754
It seems that dtlogin is not auditing capable -
The dtlogin command is a login service enabled by PAM with service name dtlogin. The dtlogin client supports PAM authentication in addition to traditional local UNIX login and auditing. Additional authentication or auditing functions, such as Kerberos or B1 can be added by individual vendors.
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds2/dtlogin.htm
There doesn't seem to be a particular syslog capability either.
What you could do is make sure that at least starting a shell is logged, by replacing the default action "Terminal" with your own action that starts a dtterm with the "-ls" flag, which will force dtterm to run a login shell.
 
0
