Authentication and SSH events in audit on AIX

Posted on 2010-08-16
Last Modified: 2013-11-17
Hi

I see there are two authentication methods in AIX, STD_AUTH and PAM_AUTH. I have used PAM but not STD. Questions:

1. I see STD is the default, but I'm not sure if it is the best. Which is recommended, PAM or STD? What are the pros and cons of each?
2. From this link:
http://www.ibm.com/developerworks/aix/library/au-new_openssh/index.html
I found ssh audit events I'd like to use in my servers:
SSH_failnone = printf "%s"
SSH_failpasswd = printf "%s"
SSH_failkbdint = printf "%s"
SSH_failpubkey = printf "%s"
SSH_failhstbsd = printf "%s"
SSH_failgssapi = printf "%s"
SSH_invldusr = printf "%s"
SSH_nologin = printf "%s"
SSH_connclose = printf "%s"
SSH_auditknwn = printf "%s"
SSH_authsuccess = printf "%s"
SSH_rootdned = printf "%s"
SSH_exceedmtrix = printf "%s"
SSH_connabndn = printf "%s"

I added them to my config and I can see these events running on my AIX 6.1. Are these events part of audit on AIX 6.1, or should I add extra audit config?
Question by: sminfo
Accepted Solution
by: woolmilkporc
ID: 33444977
Hello again,
1. When using PAM you'll get the flexibility to switch to alternate authentication mechanisms without modifying existing applications - the PAM library is a standard interface between applications and authentication modules. You can even use multiple authentication methods for a given service, re-using a previously entered password for all methods.
As long as you're using the standard modules (as opposed to some third-party modules), there is not much difference between PAM and STD, however.
pam_aix will just call the classic AIX authentication routines, or the DCE/NIS routines from methods.cfg, if configured via "SYSTEM=..." in /etc/security/user. The advantage of PAM is, as I said above, that you can switch to (maybe) better methods without having to modify anything else than some config files.
2. Where is your problem? Just create a new audit class containing the sshd events, assign this class to the users you desire, and finally update the events file to store/display the audit entries correctly. Don't forget to shutdown/restart the audit subsystem.
IBM-supported versions of SSH from OpenSSH-4.5p1 (4.5.0.5302) onwards are aware of auditing and will generate the appropriate events, if enabled (see above).
PAM and AUDIT are not related to each other, btw.
wmp
Author Closing Comment
by: sminfo
ID: 33445258
Hi wmp,

1. OK
2. My problem: I want to audit or monitor logins/logoffs using sshd on every AIX server. I get logins fine but no logoff events. I also need to monitor dtlogin logins/logouts on syslog.

ssh version:
# lslpp -L  | grep ssh
  openssh.base.client     5.2.0.5301    C     F    Open Secure Shell Commands
  openssh.base.server     5.2.0.5301    C     F    Open Secure Shell Server
  openssh.license         4.7.0.5300    C     F    Open Secure Shell License
  openssh.man.en_US       5.2.0.5300    C     F    Open Secure Shell
  openssh.msg.en_US       5.2.0.5300    C     F    Open Secure Shell Messages -

Author Comment
by: sminfo
ID: 33445603
wmp,

Let me give you more details, I have these services:

services   audit logs/logins   audit logs/logouts   syslog logs/logins   syslog logs/logouts
Xwindows   USER_Login event    NO                   NO                   NO
telnetd    USER_Exit event     USER_Exit event      NO                   NO
sshd       USER_Login event    NO                   YES                  NO
su         USER_SU             NA                   YES                  NA

In a couple of weeks telnet is an option on our servers, so I need at least sshd/xwindows logins/logouts, either on audit or syslog. Am I asking too much? :-)

thanks once more.
Expert Comment
by: woolmilkporc
ID: 33463534
OK, with my version of sshd, which is 4.7.0.5300, everything works fine using the method we're talking about here.
I get audit messages like
SSH_failnone root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_authsuccess root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_connclose root OK Wed Aug 18 11:50:59 2010 sshd Global
or also
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failnone    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:22:52 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:00 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connabndn   root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connclose   root     OK          Wed Aug 18 13:23:34 2010 sshd                            Global
For testing I upgraded one of my machines to your sshd version (5.2.0.5301) and really had to notice that it doesn't work anymore.
I researched, but didn't find the slightest hint, neither at IBM's nor at any other forum.
So all I can say is ... downgrade, if you really need to audit sshd.
sshd for aix (all available versions) can be found here - http://sourceforge.net/projects/openssh-aix/files/
Still researching on X11. Never had to deal with that up to now, sorry!
wmp
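Added here as an example (not part of the thread or of IBM's tooling): a small parser for auditpr-style lines in the column layout wmp pasted above (event, login, status, time, command, WPAR name) that counts the SSH_fail*/SSH_invldusr/SSH_nologin/SSH_rootdned events per login column and pairs SSH_authsuccess with SSH_connclose/SSH_connabndn into sessions. The sample lines are constructed from the records in this thread; the column order is assumed from that pasted output, and note that the login column there reads root even for SSH_invldusr, so it is not the user name the client tried.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample in the auditpr column layout shown in the thread:
# event, login, status, time, command, WPAR name.
SAMPLE_AUDIT = """\
SSH_authsuccess root     OK          Wed Aug 18 11:50:47 2010 sshd    Global
SSH_connclose   root     OK          Wed Aug 18 11:50:59 2010 sshd    Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd    Global
SSH_failnone    root     OK          Wed Aug 18 13:22:47 2010 sshd    Global
SSH_failpasswd  root     OK          Wed Aug 18 13:22:52 2010 sshd    Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:00 2010 sshd    Global
SSH_connabndn   root     OK          Wed Aug 18 13:23:01 2010 sshd    Global
"""
LINE_RE = re.compile(
    r"^(?P<event>SSH_\w+)\s+(?P<login>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<time>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<cmd>\S+)\s+(?P<wpar>\S+)$"
)
# Events from the developerWorks list that denote a refused or failed attempt.
FAILURE_EVENTS = {
    "SSH_failnone", "SSH_failpasswd", "SSH_failkbdint", "SSH_failpubkey",
    "SSH_failhstbsd", "SSH_failgssapi", "SSH_invldusr", "SSH_nologin", "SSH_rootdned",
}
CLOSE_EVENTS = {"SSH_connclose", "SSH_connabndn"}

def parse_audit(text):
    """Return one dict per recognised sshd audit line, with time parsed to datetime."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # non-SSH events and blank lines are skipped
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
            records.append(rec)
    return records

def summarise(records):
    """Count failures per login column; pair auth success with the following close/abandon."""
    failures, sessions, open_logins = Counter(), [], {}
    for r in sorted(records, key=lambda r: r["time"]):
        if r["event"] in FAILURE_EVENTS:
            failures[r["login"]] += 1
        elif r["event"] == "SSH_authsuccess":
            open_logins[r["login"]] = r["time"]
        elif r["event"] in CLOSE_EVENTS and r["login"] in open_logins:
            start = open_logins.pop(r["login"])
            # (login, start, end, duration in seconds); a close with no open login is ignored
            sessions.append((r["login"], start, r["time"], int((r["time"] - start).total_seconds())))
    return failures, sessions
```

On a real server the input would be the output of auditpr run over the audit trail; the SSH_connabndn at 13:23:01 in the sample has no preceding SSH_authsuccess and is deliberately left unpaired.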
 
Author Comment
by: sminfo
ID: 33463735
Umm... I see... OK, thanks. :-)