QUESTION: auditd setup

Post by Mark Addina » Tue, 23 Apr 1996 04:00:00



When auditing is enabled for the default events, and then I generate a report
on login activity, I notice that login attempts by usernames which don't exist
only come out in the generated report as "Username: < bad >", instead of
telling me what name tried to log in. I am using the default report template
known as "login.action".

Is there any way of finding out what user name the attempted login was made
under, using the audit config?

If you can help, please reply by _EMAIL_
to


thanks,

ray

 
 
 

QUESTION: auditd setup

Post by Bela Lubki » Thu, 25 Apr 1996 04:00:00



> When auditing is enabled for the default events, and then I generate a report
> on login activity, I notice that login attempts by usernames which don't exist
> only come out in the generated report as "Username: < bad >", instead of
> telling me what name tried to log in. I am using the default report template
> known as "login.action".

> Is there any way of finding out what user name the attempted login was made
> under, using the audit config?

No.  This is deliberate.  It's pretty easy to get confused and enter
your password at the login: prompt (suppose your Return key skips).
Logging attempted login names can cause a trail of correct passwords to
be logged, which is an invitation for someone to go snooping in your
logs.

(I suppose it could log names which were correct login names on the
local system, while continuing to report anything else as "bad"...)

>Bela<
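
The policy suggested in the parenthetical of the reply above, sketched as an added example (not part of the thread and not the SCO audit subsystem's code): a failed-login name is written to the report only when it exactly matches a local account, and anything else becomes "< bad >". The function names, the passwd sample and the attempt list are constructed for illustration.

```python
"""Failed-login reporting that records a name only when it is a real local account."""

BAD = "< bad >"  # placeholder string shown in the report quoted in the thread

# Constructed passwd-format sample (not from the thread).
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
ray:x:201:50:Ray:/usr/ray:/bin/sh
# comment line
audit:x:79:17:Audit:/usr/audit:
"""

def local_accounts(passwd_text):
    """Return the set of login names found in passwd-format text."""
    names = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]
        if name:
            names.add(name)
    return names

def reportable_name(typed, accounts):
    """Name to store for a failed login; input that is not an account is dropped."""
    # Exact match only: no trimming or case folding, so a near-miss
    # (or a password typed at the login: prompt) is never written out.
    return typed if typed in accounts else BAD

def failed_login_report(attempts, accounts):
    """attempts: iterable of (tty, typed_name) pairs for failed logins."""
    return ["tty=%s Username: %s" % (tty, reportable_name(typed, accounts))
            for tty, typed in attempts]

if __name__ == "__main__":
    accounts = local_accounts(SAMPLE_PASSWD)
    # Constructed attempts: valid name, password typed by mistake, unknown user.
    attempts = [("tty01", "ray"), ("tty02", "S3cret!pw"), ("tty03", "nosuchuser")]
    for line in failed_login_report(attempts, accounts):
        print(line)
```

A password that happens to equal an existing account name would still be recorded under this policy, so the audit trail needs the same access restrictions either way.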


 
 
 

1. auditd question?

I am running sco3.2v 5.0.5 with approx 25 users.  I was looking for a way to
reduce some of my disk space and I saw the directory /tcb/audittmp/audit1.
In it are a couple hundred one meg files like this:

-rw-rw----   1 audit    audit    1001175 Jun 19  1999 CAF00001.00000
-rw-rw----   1 audit    audit    1000976 Jun 21  1999 CAF00001.00001
-rw-rw----   1 audit    audit    1000954 Jun 21  1999 CAF00001.00002

Why is audit generating so many of these files?
Is it ok to get rid of them?

Any answers would be appreciated.

Greg
