08-03-2009 03:13 AM
the problem of audit log info
For example:
090723 18:14:29 1286 F 9218 2458 -1 0 0 0 0 ?????
[ Event=login; User=????????; Real Grp=root; Eff.Grp=root; ]
SELF-AUDITING TEXT: User= (invalid user invalid user - ssh login denied
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next is a failure log with a different reason; here the name follows User= :
090723 18:17:50 7083 F 9218 7033 103 0 3 0 3 ?????
[ Event=login; User=foobar; Real Grp=sys; Eff.Grp=sys; ]
SELF-AUDITING TEXT: User= foobar uid=6003 audid=103 ssh authentication method KBDINT - failed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The content of /etc/rc.config.d/auditing:
AUDITING=1
PRI_AUDFILE=/XXXXXXXXXXXXXXXXXXXXXXX
PRI_SWITCH=1048576
SEC_AUDFILE=
SEC_SWITCH=
AUDEVENT_ARGS1=" -p -F -e login"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
How do I configure the auditing file so that it shows the user name that was tried?
08-03-2009 04:53 AM
Re: the problem of audit log info
Likely this problem comes from trying to log in with no user name at all, or from inputting unprintable characters instead of the user name.
You might compare it to lastb output to see if you can get more information.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tags: unprintable chars
08-03-2009 05:19 AM
Re: the problem of audit log info
But the format of lastb is like below:
XXXXX pts/tz Fri Aug 22 07:09
XXXXX pts/tx Fri Aug 22 05:10
XXXXX pts/tx Fri Aug 22 04:35
XXXXX pts/tm Fri Aug 22 02:06
XXXXX remshd Thu Aug 21 13:39
XXXXX pts/to Thu Aug 21 10:10
The time precision is different from the audit file (e.g. 090723 18:14:29), so a direct comparison will be inexact.
I tested ssh login on a Linux system.
A user name that does not exist in the system is output in the audit file too:
type=USER_LOGIN msg=audit(07/31/09 03:49:42.491:70) :
user pid=8728 uid=root auid=unset subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='acct=test_user <------ user name (does not exist)
exe=/usr/sbin/sshd (hostname=?, addr=192.168.41.1, terminal=sshd res=failed)'
So I want to know: is there some option that can be used to show the user name that someone tried through ssh?
PS: if someone uses telnet to log in, the name is output exactly, even when it does not exist.
08-04-2009 02:14 AM
Re: the problem of audit log info
a) The audit logging works fine when you use the following profile in /etc/rc.config.d/auditing, but you have to search for the complete records of the failed attempt:
AUDEVENT_ARGS1="-P -F -r basic"
Here is the proof from audmon(1M) (I used ssh with the invalid login name "zzz"):
--------------------------------------------------------------------
Event: setaudproc
Time: Tue Aug 04 05:59:49 09 EDT
PID: 21466
PPID: 1016
User/Grp: 0/0(root/root)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: -1:(invalid user):200908040959
TTY: (none)
Return1: 0
Arg 1 (int): 1
-------------------------------------------
Event: login
Time: Tue Aug 04 05:59:49 09 EDT
PID: 21466
PPID: 1016
User/Grp: 0/0(root/root)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: -1:(invalid user):200908040959
TTY: (none)
Error: 1-Not owner
SELF-AUDITING TEXT:
User= (invalid user invalid user - ssh login denied
--------------------------------------------------------------------
Event: execve
Time: Tue Aug 04 05:59:49 09 EDT
PID: 21465
PPID: 21304
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: -1:root:200908040952
TTY: unknown
Return1: 0
Arg 1 (file info):
given path = "/usr/bin/ssh"
inode = 36450
device = 64, 0x6
mode = 0100755
owner uid/gid = 2/2
type = regular file
Arg 2 (argument list):
arg #1 = "ssh"
arg #2 = "localhost"
arg #3 = "-l"
arg #4 = "zzz"
Other (file info):
inode = -1
--------------------------------------------------------------------
b) Even without auditing, standard Unix tools provide logs:
# lastb | grep zzz
zzz ssh:notty Tue Aug 4 06:00
zzz ssh:notty Tue Aug 4 06:00
zzz ssh:notty Tue Aug 4 06:00
zzz ssh:notty Tue Aug 4 06:00
zzz ssh:notty Tue Aug 4 05:59
zzz ssh:notty Tue Aug 4 05:59
zzz ssh:notty Tue Aug 4 05:53
zzz ssh:notty Tue Aug 4 05:53
zzz ssh:notty Tue Aug 4 05:53
zzz ssh:notty Tue Aug 4 05:53
zzz ssh:notty Tue Aug 4 05:52
zzz ssh:notty Tue Aug 4 05:52
# grep zzz /var/adm/syslog/syslog.log
Aug 4 05:52:50 rx16-240 sshd[21319]: Invalid user zzz from 127.0.0.1
Aug 4 05:52:50 rx16-240 sshd[21319]: Failed none for invalid user zzz from 127.0.0.1 port 62245 ssh2
Aug 4 05:52:54 rx16-240 sshd[21319]: error: PAM: No account present for user for illegal user zzz from 127.0.0.1
Aug 4 05:52:54 rx16-240 sshd[21319]: Failed keyboard-interactive/pam for invalid user zzz from 127.0.0.1 port 62245 ssh2
Aug 4 05:53:02 rx16-240 sshd[21319]: Failed password for invalid user zzz from 127.0.0.1 port 62245 ssh2
Cheers,
VK2COT
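The two sources quoted in the reply above complement each other: the HP-UX audit record for a non-existent account carries only "(invalid user", while sshd's syslog lines carry the attempted name and the source address, and both have one-second timestamps (unlike lastb, which the earlier reply found too coarse to compare). The script below is an added example, not code from this thread or from HPE: it parses audit records in the layout of the original post, parses sshd failure lines in the wording quoted above, and joins them on a time window, returning every candidate name rather than one guess when several attempts fall into the same window. The log lines are constructed samples modelled on the ones posted here; the 30-second window and the year passed to the syslog parser (syslog has no year field) are assumptions you would set from your own files.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the original post's audit listing
# (YYMMDD HH:MM:SS header, Event line, SELF-AUDITING TEXT). Not real log data.
AUDIT_SAMPLE = """\
090804 05:52:54 1286 F 9218 2458 -1 0 0 0 0 ?????
[ Event=login; User=????????; Real Grp=root; Eff.Grp=root; ]
SELF-AUDITING TEXT: User= (invalid user invalid user - ssh login denied
090804 05:53:10 7083 F 9218 7033 103 0 3 0 3 ?????
[ Event=login; User=foobar; Real Grp=sys; Eff.Grp=sys; ]
SELF-AUDITING TEXT: User= foobar uid=6003 audid=103 ssh authentication method KBDINT - failed
"""

# Constructed sshd syslog lines in the wording quoted in the thread.
SYSLOG_SAMPLE = """\
Aug  4 05:52:50 rx16-240 sshd[21319]: Invalid user zzz from 127.0.0.1
Aug  4 05:52:50 rx16-240 sshd[21319]: Failed none for invalid user zzz from 127.0.0.1 port 62245 ssh2
Aug  4 05:52:54 rx16-240 sshd[21319]: Failed keyboard-interactive/pam for invalid user zzz from 127.0.0.1 port 62245 ssh2
Aug  4 05:53:10 rx16-240 sshd[21340]: Failed keyboard-interactive/pam for foobar from 10.0.0.5 port 40001 ssh2
"""

AUDIT_HDR = re.compile(r"^(?P<date>\d{6}) (?P<time>\d{2}:\d{2}:\d{2}) ")
AUDIT_EVT = re.compile(r"^\[ Event=(?P<event>\w+); User=(?P<user>[^;]*);")
AUDIT_TXT = re.compile(r"^SELF-AUDITING TEXT:\s*(?P<text>.*)$")
SYSLOG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: (?P<msg>.*)$")
SSHD_FAILED = re.compile(
    r"^(?:Failed \S+ for|Invalid user) (?P<inv>invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_audit(text):
    """Group the flat audit listing into one dict per header line.

    A record whose self-auditing text says 'invalid user' names nobody
    (the listing shows '????????' there); its user is returned as None.
    """
    records, cur = [], None
    for line in text.splitlines():
        if m := AUDIT_HDR.match(line):
            ts = datetime.strptime(m["date"] + " " + m["time"], "%y%m%d %H:%M:%S")
            cur = {"ts": ts, "event": None, "user": None, "text": "", "invalid": False}
            records.append(cur)
        elif cur is None:
            continue
        elif m := AUDIT_EVT.match(line):
            cur["event"] = m["event"]
            user = m["user"].strip()
            cur["user"] = None if not user or set(user) == {"?"} else user
        elif m := AUDIT_TXT.match(line):
            cur["text"] = m["text"]
            if "invalid user" in m["text"]:
                cur["invalid"], cur["user"] = True, None
    return records


def parse_syslog(text, year):
    """Pull sshd failure lines out of syslog. Syslog carries no year, so the
    caller supplies the one the audit file belongs to."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        f = SSHD_FAILED.match(m["msg"]) if m else None
        if not f:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        out.append({"ts": ts.replace(year=year), "user": f["user"], "src": f["src"],
                    "invalid": f["inv"] is not None or m["msg"].startswith("Invalid user")})
    return out


def correlate(audit_records, syslog_records, window=timedelta(seconds=30)):
    """For each 'login' audit record, collect the sshd lines that could be the
    same attempt: same named/unnamed status, same name when the audit record
    has one, and within +/- window. Several attempts inside one window make
    the mapping ambiguous, so every candidate is returned, not a single guess."""
    results = []
    for rec in audit_records:
        if rec["event"] != "login":
            continue
        hits = [s for s in syslog_records
                if abs(s["ts"] - rec["ts"]) <= window
                and s["invalid"] == rec["invalid"]
                and (rec["user"] is None or s["user"] == rec["user"])]
        names = {h["user"] for h in hits}
        results.append({"audit_ts": rec["ts"], "audit_user": rec["user"],
                        "candidates": names, "sources": {h["src"] for h in hits},
                        "ambiguous": len(names) > 1})
    return results


if __name__ == "__main__":
    for r in correlate(parse_audit(AUDIT_SAMPLE), parse_syslog(SYSLOG_SAMPLE, 2009)):
        shown = r["audit_user"] or "(invalid user)"
        print(f"{r['audit_ts']:%Y-%m-%d %H:%M:%S} audit={shown} "
              f"syslog={sorted(r['candidates'])} from={sorted(r['sources'])}"
              + (" AMBIGUOUS" if r["ambiguous"] else ""))
```

On a real system you would feed `audisp` output and `/var/adm/syslog/syslog.log` into the two parsers instead of the embedded samples. Keep the window small: under a password-guessing run many "invalid user" lines arrive per second, and the script deliberately flags such records as ambiguous instead of attributing one name to them.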
08-04-2009 02:24 AM
Re: the problem of audit log info
# audisp -e exec /var/.audit/audtrail
... will show you a failed login name with ssh (in the example below it was user "blah"):
--------------------------------------------------------------------
Event: execve
Time: Tue Aug 04 06:20:43 09 EDT
PID: 21905
PPID: 21304
User/Grp: 0/3(root/sys)
Groups: 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges: "BASIC"
Permitted privileges: "BASIC"
Retained privileges: "BASIC"
Audit tag: 0: -1:root:200908040952
TTY: unknown
Return1: 0
Arg 1 (file info):
given path = "/usr/bin/ssh"
inode = 36450
device = 64, 0x6
mode = 0100755
owner uid/gid = 2/2
type = regular file
Arg 2 (argument list):
arg #1 = "ssh"
arg #2 = "blah@localhost"
Other (file info):
inode = -1
--------------------------------------------------------------------
Cheers,
VK2COT