Solved

Authentication and SSH events in audit on AIX

Posted on 2010-08-16
Last Modified: 2013-11-17
Hi

I see there are two authentication methods in AIX, STD_AUTH and PAM_AUTH. I have used PAM but not STD. Questions:

1. I see STD is the default, but I'm not sure it is the best. Which is recommended, PAM or STD? What are the pros and cons of using one or the other?
2. From this link:
http://www.ibm.com/developerworks/aix/library/au-new_openssh/index.html
I found ssh audit events I'd like to use in my servers:
SSH_failnone = printf "%s"
SSH_failpasswd = printf "%s"
SSH_failkbdint = printf "%s"
SSH_failpubkey = printf "%s"
SSH_failhstbsd = printf "%s"
SSH_failgssapi = printf "%s"
SSH_invldusr = printf "%s"
SSH_nologin = printf "%s"
SSH_connclose = printf "%s"
SSH_auditknwn = printf "%s"
SSH_authsuccess = printf "%s"
SSH_rootdned = printf "%s"
SSH_exceedmtrix = printf "%s"
SSH_connabndn = printf "%s"

I added them to my config and I can see these events running on my AIX 6.1. Are these events part of audit on AIX 6.1, or should I add extra audit config?

Question by: sminfo
LVL 68

Accepted Solution by: woolmilkporc (earned 500 total points)
ID: 33444977
Hello again,
1. When using PAM you'll get the flexibility to switch to alternate authentication mechanisms without modifying existing applications - the PAM library is a standard interface between applications and authentication modules. You can even use multiple authentication methods for a given service, re-using a previously entered password for all methods.
As long as you're using the standard modules (as opposed to some third-party modules), there is not much difference between PAM and STD, however.
pam_aix will just call the classic AIX authentication routines, or the DCE/NIS routines from methods.cfg, if configured via "SYSTEM=..." in /etc/security/user. The advantage of PAM is, as I said above, that you can switch to (maybe) better methods without having to modify anything other than some config files.
2. Where is your problem? Just create a new audit class containing the sshd events, assign this class to the users you desire, and finally update the events file to store/display the audit entries correctly. Don't forget to shutdown/restart the audit subsystem.
IBM-supported versions of SSH from OpenSSH-4.5p1 (4.5.0.5302) onwards are aware of auditing and will generate the appropriate events, if enabled (see above).
PAM and AUDIT are not related to each other, btw.
wmp
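The procedure in the accepted solution (an auditpr: entry per sshd event, a new audit class holding those events, the class assigned to users, then an audit restart) as an added shell example; this is not code from the thread or from IBM. It assumes a ROOT path prefix (use "/" on the real system) so the generated /etc/security/audit/events and /etc/security/audit/config can be produced into a scratch directory and reviewed before anything under /etc is changed; the skeleton files it creates for a scratch root are constructed, not copies of the AIX defaults.

```shell
#!/bin/sh
# Generate the AIX audit configuration for the sshd events listed in the
# question: "auditpr:" entries, an "sshd" audit class, and user assignments.
# Added example. Assumption: ROOT is a path prefix ("/" on the real box).

SSH_EVENTS="SSH_failnone SSH_failpasswd SSH_failkbdint SSH_failpubkey \
SSH_failhstbsd SSH_failgssapi SSH_invldusr SSH_nologin SSH_connclose \
SSH_auditknwn SSH_authsuccess SSH_rootdned SSH_exceedmtrix SSH_connabndn"

# Event list in the comma-separated form used on a "classes:" stanza line.
sshd_class_events() {
    printf '%s\n' "$SSH_EVENTS" | tr ' ' ','
}

# Entries for the events file; every sshd event uses the same one-string
# printf format, as in the article the question links to.
sshd_events_stanza() {
    for ev in $SSH_EVENTS; do
        printf '        %s = printf "%%s"\n' "$ev"
    done
}

# Insert LINE directly after the first line of FILE matching STANZA_RE.
insert_after_stanza() {   # FILE STANZA_RE LINE
    awk -v re="$2" -v line="$3" '
        { print }
        !done && $0 ~ re { print line; done = 1 }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Give USER the class CLASS inside the "users:" stanza of CONFIG: extend an
# existing "user = ..." line (once, no duplicates) or add a new line.
assign_class_to_user() {   # CONFIG USER CLASS
    awk -v u="$2" -v c="$3" '
        /^[A-Za-z_]+:$/ {                        # stanza header
            if (in_users && !found) print "        " u " = " c
            in_users = ($0 == "users:"); found = 0
        }
        in_users && $1 == u && $2 == "=" {       # existing assignment line
            found = 1; have = 0
            n = split($3, cl, ",")
            for (i = 1; i <= n; i++) if (cl[i] == c) have = 1
            if (!have) $0 = $0 "," c
        }
        { print }
        END { if (in_users && !found) print "        " u " = " c }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

install_sshd_audit_config() {   # ROOT USER...
    root="$1"; shift
    dir="$root/etc/security/audit"
    events="$dir/events"; config="$dir/config"
    mkdir -p "$dir"
    # Constructed skeletons, used only when ROOT is a scratch directory.
    [ -f "$events" ] || printf 'auditpr:\n' > "$events"
    [ -f "$config" ] || printf 'start:\n        binmode = on\n        streammode = off\n\nclasses:\n        general = USER_SU,PASSWORD_Change\n\nusers:\n        root = general\n' > "$config"

    # 1. events file: it is one "auditpr:" stanza, so appending is safe (idempotent).
    grep -q '^ *SSH_authsuccess *=' "$events" || sshd_events_stanza >> "$events"
    # 2. classes: stanza gets the sshd class, once.
    grep -q '^ *sshd *=' "$config" \
        || insert_after_stanza "$config" '^classes:' "        sshd = $(sshd_class_events)"
    # 3. users: stanza: every named user gets the class.
    for u in "$@"; do assign_class_to_user "$config" "$u" sshd; done
}

# Dry run into a scratch directory; nothing under /etc is touched. On the
# real system call install_sshd_audit_config / root ... and then restart
# auditing with "audit shutdown" followed by "audit start".
scratch=$(mktemp -d)
install_sshd_audit_config "$scratch" root
cat "$scratch/etc/security/audit/config"
rm -r "$scratch"
```

Running the installer twice leaves the files unchanged the second time, so it can be re-run safely after a package update rewrites the events file.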
Author Closing Comment by: sminfo
ID: 33445258
Hi wmp,

1. OK
2. My problem: I want to audit or monitor logins/logoffs using sshd on every AIX server. I get logins fine but no logoff events. I also need to monitor dtlogin logins/logouts on syslog.

ssh version:
# lslpp -L  | grep ssh
  openssh.base.client     5.2.0.5301    C     F    Open Secure Shell Commands
  openssh.base.server     5.2.0.5301    C     F    Open Secure Shell Server
  openssh.license         4.7.0.5300    C     F    Open Secure Shell License
  openssh.man.en_US       5.2.0.5300    C     F    Open Secure Shell
  openssh.msg.en_US       5.2.0.5300    C     F    Open Secure Shell Messages -

Author Comment by: sminfo
ID: 33445603
wmp,

Let me give you more details, I have these services:

services    audit logs/logins    audit logs/logouts    syslog logs/logins    syslog logs/logouts
Xwindows    USER_Login event     NO                    NO                    NO
telnetd     USER_Exit event      USER_Exit event       NO                    NO
sshd        USER_Login event     NO                    YES                   NO
su          USER_SU              NA                    YES                   NA

In a couple of weeks telnet is an option on our servers, so I need at least sshd/xwindows logins/logout even on audit or syslog. Am I asking too much? :-)

thanks once more.
LVL 68

Expert Comment by: woolmilkporc
ID: 33463534
OK,
with my version of sshd, which is 4.7.0.5300, everything works fine using the method we're talking about here.
I get audit messages like
SSH_failnone root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_authsuccess root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_connclose root OK Wed Aug 18 11:50:59 2010 sshd Global
 or also
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failnone    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:22:52 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:00 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connabndn   root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connclose   root     OK          Wed Aug 18 13:23:34 2010 sshd                            Global
For testing I upgraded one of my machines to your sshd version (5.2.0.5301) and really had to notice that it doesn't work anymore.
I researched, but didn't find the slightest hint, neither at IBM's nor at any other forum.
So all I can say is ... downgrade, if you really need to audit sshd.
sshd for aix (all available versions) can be found here - http://sourceforge.net/projects/openssh-aix/files/
Still researching on X11. Never had to deal with that up to now, sorry!
wmp
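Once the sshd events are being recorded as in the output above, the records can be summarised to spot a run of failed password attempts that ends with the connection being abandoned. The shell below is an added example, not part of the comment: the sample records are copied from it, the column layout (event, login, status, timestamp, command, final column) is read off those lines, and the awk logic and the burst threshold are assumptions of this example.

```shell
#!/bin/sh
# Summarise sshd audit records laid out as in the comment above. Added
# example; the records are copied from the comment, the logic is assumed.

SAMPLE_RECORDS='SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failnone    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:22:52 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:00 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connabndn   root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connclose   root     OK          Wed Aug 18 13:23:34 2010 sshd                            Global'

# Count records per sshd event type (stdin); prints "EVENT COUNT" sorted.
ssh_event_counts() {
    awk '$1 ~ /^SSH_/ { n[$1]++ } END { for (e in n) print e, n[e] }' | sort
}

# Flag a run of SSH_failpasswd records that reaches THRESHOLD (default 3)
# without an SSH_authsuccess before the connection is abandoned or closed.
# Field 7 of each record is the time of day. Prints one line per burst:
# "burst <count> failures <first-time>..<last-time>".
ssh_failed_bursts() {
    awk -v thr="${1:-3}" '
        $1 == "SSH_failpasswd" {
            if (run == 0) first = $7
            run++; last = $7; next
        }
        $1 == "SSH_authsuccess" { run = 0; next }
        $1 == "SSH_connabndn" || $1 == "SSH_connclose" {
            if (run >= thr) printf "burst %d failures %s..%s\n", run, first, last
            run = 0
        }'
}

# Stand-alone demonstration over the sample records.
printf '%s\n' "$SAMPLE_RECORDS" | ssh_event_counts
printf '%s\n' "$SAMPLE_RECORDS" | ssh_failed_bursts 3
```

In the sample the login column is "root" on every record, so the counts are kept per event type rather than per account; on a live trail the input would come from the audit report rather than the embedded string.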
Author Comment by: sminfo
ID: 33463735
umm.. I see.. ..ok thanks..:-)