09-09-2013
Problem with structure of authlog in regard to an external log Auditing system.
Hello everyone,
I hope I'm posting my question in the right section as it is not too easy to find the ideal spot for this one, especially for a brand-spanking-new user of this forum. As this might be something simple I chose the Dummy section. By all means, feel free to move the post if not at the right place here.
The ArcSight auditing system deployed by my Security department has some troubles interpreting specific records in my managed system's auth_log. When a successful login is done you will see the next (anonymized) record logged in the auth_log:
Sep 9 13:49:49 SYSTEMNAME sshd[1613]: [ID 800047 auth.notice] Failed none for USERNAME from XX.XX.XX.XX port XXXX ssh2
I have marked the problematic piece of the sentence by making it bold. The specific part of the sentence "Failed none" unfortunately starts with "Failed" which makes our auditing system think it is a failed login, while it is a successful login.
Unfortunately a change on ArcSight side is out of the question as my system is apparently the only one using this odd phrasing according to support on that side. Switching off auth.notice is also out of the question because they need to be able to see successful logins, which would be gone if I'd disable auth.notice.
I have been looking into how I can manipulate the message logged in the auth_log, but I have been unable to find a befitting way to tackle this problem.
Systeminfo:
PAM seems to be installed and used
SunOS SYSTEMNAME 5.10 Generic_142900-10 sun4v sparc SUNW,Netra-T5440
The question now of course is, does someone know a way of manipulating this sentence structure without having to hack into the syslogger? I've found references to authentication order changing the logged message, but I have been unable to locate a guide that tells me how to do this.
Thanks in advance for your help guys!
Best regards,
Sjleegketting
The Netherlands
Last edited by Sjleegketting; 09-09-2013 at 09:15 AM..
Reason: forgot a quite important part of the problem.
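An added example, not part of the original post: one way a log pipeline can classify the record quoted above by its method field instead of its first word, then roll events up per sshd process. It assumes that "none" is the SSH "none" userauth method defined in RFC 4252 and that sshd logs all lines of one connection under the same pid; the function names and the sample lines (other than the post's own record) are constructed for illustration.

```python
import re

# Layout taken from the record in the post:
# timestamp, host, sshd[pid], optional Solaris "[ID n facility.level]" tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"(?:\[ID\s\d+\s(?P<prio>[\w.]+)\]\s)?"
    r"(?P<verdict>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s(?P<port>\S+)"
)

# Higher rank wins when several events belong to the same sshd process.
RANK = {"method_probe": 0, "login_failed": 1, "login_ok": 2}


def classify(line):
    """Return the parsed fields plus an 'event' label, or None if not an auth line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["verdict"] == "Accepted":
        event = "login_ok"
    elif m["method"] == "none":
        # "Failed none" is a method probe, not a rejected credential.
        event = "method_probe"
    else:
        event = "login_failed"
    return {**m.groupdict(), "event": event}


def session_outcomes(lines):
    """Collapse events to one outcome per (host, pid)."""
    outcomes = {}
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        key = (rec["host"], rec["pid"])
        if key not in outcomes or RANK[rec["event"]] > RANK[outcomes[key]]:
            outcomes[key] = rec["event"]
    return outcomes


# Constructed sample lines (documentation addresses, made-up users and pids).
SAMPLE = [
    "Sep  9 13:49:49 host1 sshd[1613]: [ID 800047 auth.notice] Failed none for alice from 192.0.2.10 port 50122 ssh2",
    "Sep  9 13:49:52 host1 sshd[1613]: [ID 800047 auth.notice] Accepted password for alice from 192.0.2.10 port 50122 ssh2",
    "Sep  9 13:51:02 host1 sshd[1620]: [ID 800047 auth.notice] Failed none for bob from 192.0.2.20 port 50200 ssh2",
    "Sep  9 13:51:07 host1 sshd[1620]: [ID 800047 auth.notice] Failed password for bob from 192.0.2.20 port 50200 ssh2",
]

if __name__ == "__main__":
    for key, outcome in session_outcomes(SAMPLE).items():
        print(key, outcome)
```
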