09-09-2013
Problem with structure of authlog in regard to an external log Auditing system.
Hello everyone,
I hope I'm posting my question in the right section as it is not too easy to find the ideal spot for this one, especially for a brandspankingnew user of this forum. As this might be something simple I chose the Dummy section. By all means, feel free to move the post if not at the right place here.
The ArcSight auditing system deployed by my Security department has some troubles interpreting specific records in my managed system's auth_log. When a successful login is done you will see the next (anonimized) record logged in the auth_log:
Sep 9 13:49:49 SYSTEMNAME sshd[1613]: [ID 800047 auth.notice] Failed none for USERNAME from XX.XX.XX.XX port XXXX ssh2
I have marked the problematic piece of the sentence by making it bold. The specific part of the sentence "Failed none" unfortunately starts with "Failed" which makes our auditing system think it is a failed login, while it is a successful login.
Unfortunately a change on ArcSight side is out of the question as my system is apparently the only one using this odd phrasing according to support on that side. Switching off auth.notice is also out of the question because they need to be able to see successful logins, which would be gone if I'd disable auth.notice.
I have been looking into how i can manipulate the message logged in the auth_log, but I have been unable to find a befitting way to tackle this problem.
Systeminfo:
PAM seems to be installed and used
SunOS SYSTEMNAME 5.10 Generic_142900-10 sun4v sparc SUNW,Netra-T5440
The question now of course is, does someone know a way of manipulating this sentence structure without having to hack into the syslogger? I've found references to authentication order changing the logged message, but I have been unable to locate a guide that tells me how to do this.
Thanks in advance for your help guys!
Best regards,
Sjleegketting
The Netherlands
Last edited by Sjleegketting; 09-09-2013 at 09:15 AM..
Reason: forgot a quite important part of the problem.
9 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi all,
Have been asked to learn up on providing Sytem Auditing on two SCO boxes.
Where should I start and what pointers can anyone provide.
Whilst I'm learning to look after these two SCO boxes, I'm also to eventually look after three Compaq DS20E True64 Unix boxes also in the near future. (2 Replies)
Discussion started by: Cameron
2 Replies
2. UNIX for Dummies Questions & Answers
Hello,
I am having a problem setting a range of numbers for the "case" structure.
I can use with no problems, but
when I use it doesn't work???
Does the case struture allow numeric ranges?
eg:
echo -e "enter number between 0 and 60: \c"
read $answer
case $answer in
) echo... (2 Replies)
Discussion started by: Joe54321
2 Replies
3. Shell Programming and Scripting
I need to check if $1 is A or B
I tried the following but it seems its not correct..would appreciate a suggestion ?
case "$1"
in
"A" || "B" )
;;
esac
Thanks (4 Replies)
Discussion started by: cosec
4 Replies
4. Solaris
dear all
does any one how to activate the log authlog on solaris (3 Replies)
Discussion started by: murad.jaber
3 Replies
5. Shell Programming and Scripting
Hi
When im listing (ls -al ) its listing directories without / at the end of directories
dir1 dir2 dir3
and i need to list directories with
dir1/ dir2/ dir3/ and this should not be made by command ls -F
/ should be embedded at the last
since one of the scripts reads directories... (1 Reply)
Discussion started by: vasanthan
1 Replies
6. Shell Programming and Scripting
I am trying to write a script which has to copy the directory structure from my system to another system on the network. But I dont want the files to be copied.
I think I have to start with copying all subdirectories names in a directory to a system on the network.
Here's the case:
Source... (1 Reply)
Discussion started by: firefox211
1 Replies
7. Programming
Hi,
I have a following problem in C.
I have a function A in which I used to call another function (function B) and pass an array of values through array variable by using below:-
foo=functionB(array);
In functionB, i used to just return some "values" (e.g return num;) in order to pass... (1 Reply)
Discussion started by: ahjiefreak
1 Replies
8. Shell Programming and Scripting
Hello,
I have a Bash script that processes a text file so that the existing file will look something like this:
/www/repository/2010/201002231329532/LTLO_0407.pdf
/www/repository/2010/201002231329532/LTLO_0507.pdf
/www/repository/2010/201002231329532/LTLO_0607.pdf... (1 Reply)
Discussion started by: manouche
1 Replies
9. UNIX for Dummies Questions & Answers
As part of server hardening process i would like to know the Best way of System Logging and Auditing.
Following point should be taken into consideration.
Logging of critical events
Logging access to critical accounts
Secure storage and availability of logs
Review of logs
Security of logs (4 Replies)
Discussion started by: pinga123
4 Replies
LEARN ABOUT REDHAT
pam_stack
pam_stack(8) System Administrator's Manual pam_stack(8)
NAME
pam_stack - recurse into other PAM stacks
SYNOPSIS
auth required /lib/security/pam_stack.so service=foo
session optional /lib/security/pam_stack.so service=foo
password optional /lib/security/pam_stack.so service=foo
account optional /lib/security/pam_stack.so service=foo
DESCRIPTION
In a nutshell, pam_stack lets you "call", from inside of the stack for a particular service, the stack defined for any another service.
The intention is to allow multiple services to "include" a system-wide setup, so that when that setup needs to be changed, it need only be
changed in one place.
ARGUMENTS
debug turns on debugging via syslog(3).
service=name
tells pam_stack.so to execute the stack defined for the service name, which will usually be another file in /etc/pam.d.
EXAMPLE
/etc/pam.d/imap:
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_shells.so
/etc/pam.d/system-auth:
auth sufficient /lib/security/pam_krb5.so
auth sufficient /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_deny.so
CAVEAT
Because recursion is fully supported, there is potential to really break things by having a stack call itself either directly or via mutual
recursion.
BUGS
Let's hope not, but if you find any, please email the author.
AUTHOR
Nalin Dahyabhai <nalin@redhat.com>
Red Hat Linux 2001/01/30 pam_stack(8)