sminfo
asked on
login/logoff over sshd and xwindows on AIX5.x and 6x
Hi,
I see that when a user logs in on AIX using sshd or xwindows, an entry is logged in syslog.log and the AUDIT logs. But when the user types 'exit' or Ctrl+D, or closes the window, it doesn't appear in both logs. How can I fix it?
The logoff info is in accounting, not auditing. These logs are usually generated daily.
Try editing your /etc/security/audit/config like this:
start:
    binmode = on
    streammode = off
bin:
    trail = /audit/trail
    bin1 = /audit/bin1
    bin2 = /audit/bin2
    binsize = 10240
    cmds = /etc/security/audit/bincmds
    freespace = 65536
stream:
    cmds = /etc/security/audit/streamcmds
classes:
    loginout = USER_Login,TERM_Logout,USER_Exit,USER_Logout,PROC_Execute
users:
    default = loginout
Then issue audit shutdown and audit start to apply the changes.
Hope this helps.
ASKER
Hi, this is my config file:
classes:
    general = USER_SU,PASSWORD_Change,USER_Login,USER_Exit,USER_Logout,USER_Create,USER_Remove,GROUP_Create,GROUP_Remove,USER_Change,USER_SetEnv,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,DEV_Configure,DEV_Change,INSTALLP_Inst,INSTALLP_Exec,USER_Shell,USER_Reboot,TERM_Logout
But I only have login/logout logs on telnetd; with sshd and xwindows I only get logins but no logoff. I need to trace sshd and xwindows logoffs by any means.
Hi again,
For remote sshd sessions you should see the audit event TCP_kclose (if configured) at end of session.
Not sure if this works for X sessions as well.
Will check.
wmp
I think it will work with X sessions, because X operates over TCP, but you will get so many events when you set TCP_kclose. Maybe that's the problem too.
ASKER
Hi wmp, glad to hear from you again :-)
Talking about X sessions, do you know what I have to configure on CDE to get dtlogin logs in syslog.conf?
ASKER
I don't know why logoff is an event as on Linux, as below:
login:
Aug 13 15:35:19 linux sshd[4739]: Accepted password for root from 192.168.12.36 port 2154 ssh2
Aug 13 15:35:19 linux sshd[4739]: pam_unix(sshd:session): session opened for user root by (uid=0)
logoff:
Aug 13 15:35:23 linux sshd[4739]: pam_unix(sshd:session): session closed for user root
Regarding X windows, I think (I haven't found it yet) there is a way to log to syslog successful/failed dtlogin or another event which tells me when a user logs in/logs off using this application.
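Added example, not part of the original post: once the open/close lines quoted above are being logged, they can be paired by sshd PID to list sessions that never recorded a logoff. It assumes the Linux pam_unix syslog layout shown in the post; the second session (alice, PID 4801) is constructed sample data.

```shell
#!/bin/sh
# Constructed sample log: the first three lines are the ones quoted in the
# post, the last two are made up to show a session with no logoff entry.
sample_log() {
cat <<'EOF'
Aug 13 15:35:19 linux sshd[4739]: Accepted password for root from 192.168.12.36 port 2154 ssh2
Aug 13 15:35:19 linux sshd[4739]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 13 15:35:23 linux sshd[4739]: pam_unix(sshd:session): session closed for user root
Aug 13 15:40:02 linux sshd[4801]: Accepted password for alice from 192.168.12.40 port 2201 ssh2
Aug 13 15:40:02 linux sshd[4801]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF
}

# Reads syslog lines on stdin and prints one line per session:
#   PID USER CLIENT LOGIN-TIME -> LOGOFF-TIME   (or NO-LOGOFF if never closed)
pair_sessions() {
  awk '
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }        # keep only sshd[PID]: lines
    {
      pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
      ts = $1 " " $2 " " $3
    }
    $6 == "Accepted" {                        # remember the client address
      for (i = 7; i < NF; i++) if ($i == "from") src[pid] = $(i + 1)
      next
    }
    $7 == "session" && $8 == "opened" {       # login event
      user[pid] = $11; start[pid] = ts
      next
    }
    $7 == "session" && $8 == "closed" && (pid in start) {   # logoff event
      printf "%s %s %s %s -> %s\n", pid, user[pid], addr(pid), start[pid], ts
      # Forget the PID so a later reuse of the same number starts clean.
      delete user[pid]; delete start[pid]; delete src[pid]
    }
    END {                                     # anything left was never closed
      for (pid in start)
        printf "%s %s %s %s -> NO-LOGOFF\n", pid, user[pid], addr(pid), start[pid]
    }
    function addr(p) { return (p in src) ? src[p] : "-" }
  '
}

sample_log | pair_sessions
```

A session reported as NO-LOGOFF is either still open or, as in this thread, was closed without the close event reaching syslog.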
Can you show these two lines from /etc/ssh/sshd_config on your AIX box and your Linux box:
SyslogFacility .....
LogLevel .....
ASKER
They are commented out now, but I tried with SyslogFacility AUTHPRIV and it shows a log entry when the sshd connection is closed. I think it should be similar to TCP_kclose.
Yes, but it's specific for sshd. If you want a little more info for this sshd session, set LogLevel to VERBOSE.
So, only X Windows to go.
Did you use dtlogin with PAM or traditional Unix login and auditing? If you are not using PAM, you can use PAM with debug to see whether you can achieve what you want or not.
Edit /etc/pam.conf:
dtlogin auth required /usr/lib/security/pam_aix debug
dtlogin account required /usr/lib/security/pam_aix
dtlogin password required /usr/lib/security/pam_aix
dtlogin session required /usr/lib/security/pam_aix debug
ASKER
Sorry for the delay, thetmanvn,
How can I know if dtlogin is using PAM or not? I added the lines you told me to pam.conf but syslog doesn't show any trace of dtlogin.
Hi sminfo,
Check and modify the value of the auth_type attribute in the usw stanza of the /etc/security/login.cfg file to PAM_AUTH.
ASKER
OK, I'll try.. do you know which method is best? PAM or STD?
thanks
ASKER
Well, I have not been able to trace logoffs and logouts in syslogd when using sshd or xwindows. Any other ideas about this?
Thanks.