root@scona (Corey Wirun) (02/15/91)
There seems to be a problem getting proper auditing on the RS. I took the default /etc/security/audit/config file and took out all the classes that were defined (e.g. general, etc.) and added one of my own:

    INOUT = USER_Login, USER_Logout

As well, I added to the 'users' stanza my login name:

    corey = INOUT

Well, did you think this would work? Nooooo. When auditing is enabled (i.e. audit start) I get several K of audit within the first few seconds....and 'corey' is not even logged on yet. The audit stuff that is recorded is all for 'root'.

By doing an 'audit query' I was able to determine just what has been audited. My INOUT class was there, and an 'ALL' class was there with all the audit events in it! (reason why I'm getting auditing on ALL events!!! I did not define 'ALL' anywhere.)

IBM was somewhat useful. The reason that my INOUT class didn't pick up anything was because I was using TELNET to log in. It seems that you need to audit 'telnetd' or 'rlogind' (if using rlogin) to pick up user login events. They were at a loss to figure out what that 'ALL' class was though.....

---------------------------------------------------------------------------
"This, of course, is impossible..." - Hitchhiker's Guide to the Galaxy
Corey Wirun, BSc - Systems Analyst, Esso Petroleum Canada, Strathcona Refinery. Edmonton, Alberta
root@scona.UUCP || cwirun@uncanet.BITNET || cwirun@ucnet.ucalgary.ca
---------------------------------------------------------------------------
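Added example, not part of the original post: a small check that parses the 'classes' and 'users' stanzas the post describes, resolves which events each user should be audited for, and flags any class reported as active that the file never defines (the 'ALL' case above). The stanza layout in SAMPLE_CONFIG and the hand-entered list of active class names are constructed assumptions; the script does not parse 'audit query' output.

```python
# Constructed sample mirroring the two entries quoted in the post;
# this is not the poster's actual /etc/security/audit/config file.
SAMPLE_CONFIG = """\
classes:
        INOUT = USER_Login, USER_Logout

users:
        corey = INOUT
"""


def parse_stanzas(text):
    """Parse 'name:' stanzas holding 'key = v1, v2' lines into nested dicts."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return stanzas


def events_per_user(stanzas):
    """Expand each user's class list into the sorted events it should cover."""
    classes = stanzas.get("classes", {})
    result = {}
    for user, names in stanzas.get("users", {}).items():
        events = set()
        for name in names:
            events.update(classes.get(name, []))
        result[user] = sorted(events)
    return result


def undefined_classes(stanzas, active_classes):
    """Report class names used or active that the config never defines."""
    defined = set(stanzas.get("classes", {}))
    referenced = {c for names in stanzas.get("users", {}).values() for c in names}
    return {
        "assigned_but_undefined": sorted(referenced - defined),
        "active_but_undefined": sorted(set(active_classes) - defined),
    }


if __name__ == "__main__":
    cfg = parse_stanzas(SAMPLE_CONFIG)
    print(events_per_user(cfg))
    # Active class names typed in by hand from the situation the post describes.
    print(undefined_classes(cfg, ["INOUT", "ALL"]))
```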