Rob Sandifer wrote:
> Thanks for the "heads-up" on the security-discuss group!
>
> To answer your question, I am interested in logging telnet
> logon/authentication events. Thanks!

Using Solaris Auditing to log detailed information about all logins:

Turn on Solaris Auditing using /etc/security/bsmconv

If you are only interested in login data then specify only the class `lo` on the flags: line of /etc/security/audit_control.

An example successful event for a remote login to a machine braveheart from a machine called hepcat:

| header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
| subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
| text,successful login

An example failed login event when coming in via ftp from newton:

| header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
| subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
| text,bad password
| return,failure,1

Similar records are generated for local logins, telnet, rlogin, rsh, rexec, and ftp, ssh, scp, sftp.

To find all of the login events for user darrenm in December 1997:

# auditreduce -a 19971201 -b +31d -u darrenm -c lo | praudit

If you only wish to log the failed events then specify -lo, e.g.

flags: -lo

Note: Solaris Auditing is not restricted to information about logins; for more information see the Solaris Auditing section in docs.sun.com and read the following manual pages:

audit_control(4), auditreduce(1M), praudit(1M), auditd(1M), bsmconv(1M)

See http://docs.sun.com/app/docs/doc/816-4557/auditplan-6?a=view

--
Darren J Moffat
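
The following is an added example, not part of the message above: a small Python parser that groups praudit text output into records and counts failed login events per user and source host. It assumes praudit's one-token-per-line output as quoted in the message; the function names are hypothetical, and a record without a return token (like the first sample) is left with an outcome of None.

```python
import re
from collections import Counter

# Constructed sample: the two records quoted in the message above, one token
# per line (the leading "| " is the mail's own marker and is stripped).
SAMPLE = """\
| header,81,2,login - rlogin,,Wed Aug 27 09:46:53 1997, + 511485295 msec
| subject,darrenm,darrenm,techies,darrenm,techies,10100,10100,24 5 hepcat
| text,successful login
| header,77,2,ftp access,,Wed Sep 03 16:56:30 1997, + 712178483 msec
| subject,darrenm,darrenm,techies,darrenm,techies,1200,1200,0 20 newton
| text,bad password
| return,failure,1
"""

def parse_records(text):
    """Group praudit lines into one dict per audit record (a record starts at 'header')."""
    records, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"^\|\s*", "", raw.strip())
        if not line:
            continue
        token, _, rest = line.partition(",")
        fields = rest.split(",")
        if token == "header":
            current = {"event": fields[2], "time": fields[4],
                       "user": None, "host": None, "text": None, "outcome": None}
            records.append(current)
        elif current is None:
            continue  # stray token before the first header: skip it
        elif token == "subject":
            current["user"] = fields[0]               # audit user ID
            current["host"] = fields[-1].split()[-1]  # terminal ID ends with the machine name
        elif token == "text":
            current["text"] = rest
        elif token == "return":
            current["outcome"] = fields[0]            # "success" or "failure"
    return records

def failed_logins(records):
    """Count failed events per (user, source host, event name)."""
    return Counter((r["user"], r["host"], r["event"])
                   for r in records if r["outcome"] == "failure")

if __name__ == "__main__":
    for (user, host, event), n in failed_logins(parse_records(SAMPLE)).most_common():
        print(f"{n} failed '{event}' for {user} from {host}")
```
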