login/logoff over sshd and xwindows on AIX5.x and 6x

Hi,

I see that when a user logs in on AIX using sshd or xwindows, it logs an entry in syslog.log and the AUDIT logs. But when the user types 'exit' or Ctrl+D, or closes the window, it doesn't appear in either log. How can I fix it?
sminfo Asked:
Tomas Valenta, IT Manager, Commented:
The logoff info is in accounting, not auditing. These logs are usually generated daily.
0
thetmanvn Commented:
Try editing your /etc/security/audit/config like this:

start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        loginout = USER_Login,TERM_Logout,USER_Exit,USER_Logout,PROC_Execute

users:
        default = loginout


Then issue audit shutdown and audit start to apply the changes.

Hope this helps


0
sminfo (Author) Commented:
Hi, this is my config file:

classes:
        general = USER_SU,PASSWORD_Change,USER_Login,USER_Exit,USER_Logout,USER_Create,USER_Remove,GROUP_Create,GROUP_Remove,USER_Change,USER_SetEnv,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,DEV_Configure,DEV_Change,INSTALLP_Inst,INSTALLP_Exec,USER_Shell,USER_Reboot,TERM_Logout

But I only have login/logout logs on telnetd; in sshd and xwindows I only get logins but no logoff. I need to trace logoff for sshd and xwindows in any way.
0
woolmilkporc Commented:
Hi again,

for remote sshd sessions you should see the audit event TCP_kclose (if configured) at end of session.

Not sure if this works for X sessions as well.
Will check.

wmp
0
thetmanvn Commented:
I think it will work with X sessions, because X operates over TCP, but you will get so many events when you set TCP_kclose. Maybe that's the problem too.
0
sminfo (Author) Commented:
Hi wmp, glad to hear from you again :-)

Talking about X sessions, do you know what I have to configure on CDE to get dtlogins logs on syslog.conf?
0
sminfo (Author) Commented:
I don't know why logoff is an event as on linux as below:

login:
Aug 13 15:35:19 linux sshd[4739]: Accepted password for root from 192.168.12.36 port 2154 ssh2
Aug 13 15:35:19 linux sshd[4739]: pam_unix(sshd:session): session opened for user root by (uid=0)

logoff:
Aug 13 15:35:23 linux sshd[4739]: pam_unix(sshd:session): session closed for user root

regarding X windows, I think (I haven't found yet) a way to log to syslog success/failed dtlogin or other event which tell me when a user login/logoff using this application.
0
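
The pairing that the Linux lines above make possible, as an added example that is not part of the original thread: it matches each sshd `session opened` line to its `session closed` line by PID and lists sessions that never logged a logoff. The function names and the second (alice) session in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: pair sshd PAM session open/close syslog lines by sshd PID.

# Constructed sample input: the first three lines are the ones quoted in the
# thread, the alice session is made up to show a login with no logoff record.
sample_log() {
cat <<'EOF'
Aug 13 15:35:19 linux sshd[4739]: Accepted password for root from 192.168.12.36 port 2154 ssh2
Aug 13 15:35:19 linux sshd[4739]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 15:35:23 linux sshd[4739]: pam_unix(sshd:session): session closed for user root
Aug 13 15:40:02 linux sshd[4801]: Accepted password for alice from 192.168.12.40 port 2201 ssh2
Aug 13 15:40:02 linux sshd[4801]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF
}

# Reads syslog lines on stdin and prints "pid user open_time close_time".
# close_time is "-" when no matching "session closed" line was seen.
pair_sessions() {
awk '
  /session (opened|closed) for user/ {
    pid = ""; user = ""
    ts = $1 " " $2 " " $3
    for (i = 4; i <= NF; i++) {
      # The tag position varies between syslog formats, so search for it.
      if ($i ~ /^sshd\[[0-9]+\]:$/) { pid = $i; gsub(/[^0-9]/, "", pid) }
      if ($i == "user" && i < NF) user = $(i + 1)
    }
    if (pid == "") next
    if ($0 ~ /session opened/) {
      # A reused PID with no close seen: report the earlier session as open-ended.
      if (pid in t0) print pid, who[pid], t0[pid], "-"
      who[pid] = user; t0[pid] = ts
    } else if (pid in t0) {
      print pid, who[pid], t0[pid], ts
      delete t0[pid]
    }
  }
  END { for (p in t0) print p, who[p], t0[p], "-" }
'
}

# Only the sessions that have a login but no logoff record.
unclosed_sessions() { pair_sessions | awk '$NF == "-" { print $1, $2 }'; }

sample_log | pair_sessions
```

Feeding a real log file to `unclosed_sessions` (for example `unclosed_sessions < logfile`) shows at a glance whether a given sshd build writes the close record at all.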
thetmanvn Commented:
Can you show two lines from /etc/ssh/sshd_config from your AIX box and your linux box:

SyslogFacility .....
LogLevel .....


0
sminfo (Author) Commented:

They are commented out now, but I tried with SyslogFacility AUTHPRIV and it shows a log when the sshd connection is closed. I think it should be similar to TCP_kclose.
0
thetmanvn Commented:
Yes, but it's specific for sshd. If you want a little more info for this sshd session, set LogLevel to VERBOSE.

So, only X Windows to go.
0
thetmanvn Commented:
Did you use dtlogin with PAM or traditional unix login and auditing? If you're not using PAM, you can use PAM with debug to see whether you can achieve what you want or not.

Edit /etc/pam.conf:

dtlogin        auth               required       /usr/lib/security/pam_aix debug
dtlogin        account            required       /usr/lib/security/pam_aix
dtlogin        password           required       /usr/lib/security/pam_aix
dtlogin        session            required       /usr/lib/security/pam_aix debug

0
sminfo (Author) Commented:
Sorry for the delay thetmanvn,

How can I know if dtlogin is using PAM or not? I added the lines you told me to pam.conf but syslog doesn't show any trace of dtlogin.
0
thetmanvn Commented:
Hi sminfo,

Check and modify the value of the auth_type attribute in the usw stanza of the /etc/security/login.cfg file to PAM_AUTH.
0
sminfo (Author) Commented:
OK, I'll try.. do you know which method is best? PAM or STD?

thanks
0
sminfo (Author) Commented:
Well, I have not been able to trace logoff and logouts on syslogd when using sshd or xwindows. Any other idea about this?

Thanks.
0
woolmilkporc Commented:
As for sshd - see our other thread. openssh 4.7.0.5300 works, openssh 5.2.0.5300 doesn't.
Xwindows still to come ...
0
woolmilkporc Commented:
It seems that dtlogin is not auditing capable -
The dtlogin command is a login service enabled by PAM with service name dtlogin. The dtlogin client supports PAM authentication in addition to traditional local UNIX login and auditing. Additional authentication or auditing functions, such as Kerberos or B1 can be added by individual vendors.
http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds2/dtlogin.htm
There doesn't seem to be a particular syslog capability either.
What you could do is to take care that at least starting a shell is logged, by replacing the default action "Terminal" with an own action, starting a dtterm with the "-ls" flag, which will force dtterm to run a login shell.
 
0