Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Problem with structure of authlog in regard to an external log Auditing system.
Top Forums UNIX for Dummies Questions & Answers Problem with structure of authlog in regard to an external log Auditing system. Post 302851545 by Sjleegketting on Monday 9th of September 2013 08:03:44 AM
Old 09-09-2013
Tools Problem with structure of authlog in regard to an external log Auditing system.
Hello everyone,

I hope I'm posting my question in the right section as it is not too easy to find the ideal spot for this one, especially for a brandspankingnew user of this forum. As this might be something simple I chose the Dummy section. By all means, feel free to move the post if not at the right place here.

The ArcSight auditing system deployed by my Security department has some troubles interpreting specific records in my managed system's auth_log. When a successful login is done you will see the next (anonimized) record logged in the auth_log:

Sep 9 13:49:49 SYSTEMNAME sshd[1613]: [ID 800047 auth.notice] Failed none for USERNAME from XX.XX.XX.XX port XXXX ssh2

I have marked the problematic piece of the sentence by making it bold. The specific part of the sentence "Failed none" unfortunately starts with "Failed" which makes our auditing system think it is a failed login, while it is a successful login.

Unfortunately a change on ArcSight side is out of the question as my system is apparently the only one using this odd phrasing according to support on that side. Switching off auth.notice is also out of the question because they need to be able to see successful logins, which would be gone if I'd disable auth.notice.

I have been looking into how i can manipulate the message logged in the auth_log, but I have been unable to find a befitting way to tackle this problem.

Systeminfo:
PAM seems to be installed and used
SunOS SYSTEMNAME 5.10 Generic_142900-10 sun4v sparc SUNW,Netra-T5440

The question now of course is, does someone know a way of manipulating this sentence structure without having to hack into the syslogger? I've found references to authentication order changing the logged message, but I have been unable to locate a guide that tells me how to do this.

Thanks in advance for your help guys!

Best regards,

Sjleegketting
The Netherlands
Last edited by Sjleegketting; 09-09-2013 at 09:15 AM.. Reason: forgot a quite important part of the problem.
 

9 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

System Auditing

Hi all, Have been asked to learn up on providing Sytem Auditing on two SCO boxes. Where should I start and what pointers can anyone provide. Whilst I'm learning to look after these two SCO boxes, I'm also to eventually look after three Compaq DS20E True64 Unix boxes also in the near future. (2 Replies)
Discussion started by: Cameron
2 Replies

2. UNIX for Dummies Questions & Answers

Problem w. case structure

Hello, I am having a problem setting a range of numbers for the "case" structure. I can use with no problems, but when I use it doesn't work??? Does the case struture allow numeric ranges? eg: echo -e "enter number between 0 and 60: \c" read $answer case $answer in ) echo... (2 Replies)
Discussion started by: Joe54321
2 Replies

3. Shell Programming and Scripting

with Regard to Case Statement

I need to check if $1 is A or B I tried the following but it seems its not correct..would appreciate a suggestion ? case "$1" in "A" || "B" ) ;; esac Thanks (4 Replies)
Discussion started by: cosec
4 Replies

4. Solaris

authlog

dear all does any one how to activate the log authlog on solaris (3 Replies)
Discussion started by: murad.jaber
3 Replies

5. Shell Programming and Scripting

problem with listing of directory structure

Hi When im listing (ls -al ) its listing directories without / at the end of directories dir1 dir2 dir3 and i need to list directories with dir1/ dir2/ dir3/ and this should not be made by command ls -F / should be embedded at the last since one of the scripts reads directories... (1 Reply)
Discussion started by: vasanthan
1 Replies

6. Shell Programming and Scripting

copy directory structure to a system on the network

I am trying to write a script which has to copy the directory structure from my system to another system on the network. But I dont want the files to be copied. I think I have to start with copying all subdirectories names in a directory to a system on the network. Here's the case: Source... (1 Reply)
Discussion started by: firefox211
1 Replies

7. Programming

Problem in static structure array in C

Hi, I have a following problem in C. I have a function A in which I used to call another function (function B) and pass an array of values through array variable by using below:- foo=functionB(array); In functionB, i used to just return some "values" (e.g return num;) in order to pass... (1 Reply)
Discussion started by: ahjiefreak
1 Replies

8. Shell Programming and Scripting

Bash script to process file without regard for case

Hello, I have a Bash script that processes a text file so that the existing file will look something like this: /www/repository/2010/201002231329532/LTLO_0407.pdf /www/repository/2010/201002231329532/LTLO_0507.pdf /www/repository/2010/201002231329532/LTLO_0607.pdf... (1 Reply)
Discussion started by: manouche
1 Replies

9. UNIX for Dummies Questions & Answers

Best way of System Logging and Auditing?

As part of server hardening process i would like to know the Best way of System Logging and Auditing. Following point should be taken into consideration. Logging of critical events Logging access to critical accounts Secure storage and availability of logs Review of logs Security of logs (4 Replies)
Discussion started by: pinga123
4 Replies

LEARN ABOUT OSX

login

LOGIN(1)						    BSD General Commands Manual 						  LOGIN(1)

NAME

     login -- log into the computer

SYNOPSIS

     login [-pq] [-h hostname] [user]
     login -f [-lpq] [-h hostname] [user [prog [args...]]]

DESCRIPTION

     The login utility logs users (and pseudo-users) into the computer system.

     If no user is specified, or if a user is specified and authentication of the user fails, login prompts for a user name.  Authentication of
     users is configurable via pam(8).	Password authentication is the default.

     The following options are available:

     -f      When a user name is specified, this option indicates that proper authentication has already been done and that no password need be
	     requested.  This option may only be used by the super-user or when an already logged in user is logging in as themselves.

	     With the -f option, an alternate program (and any arguments) may be run instead of the user's default shell.  The program and argu-
	     ments follows the user name.

     -h      Specify the host from which the connection was received.  It is used by various daemons such as telnetd(8).  This option may only be
	     used by the super-user.

     -l      Tells the program executed by login that this is not a login session (by convention, a login session is signalled to the program with
	     a hyphen as the first character of argv[0]; this option disables that), and prevents it from chdir(2)ing to the user's home direc-
	     tory.  The default is to add the hyphen (this is a login session).

     -p      By default, login discards any previous environment.  The -p option disables this behavior.

     -q      This forces quiet logins, as if a .hushlogin is present.

     If the file /etc/nologin exists, login dislays its contents to the user and exits.  This is used by shutdown(8) to prevent users from logging
     in when the system is about to go down.

     Immediately after logging a user in, login displays the system copyright notice, the date and time the user last logged in, the message of
     the day as well as other information.  If the file .hushlogin exists in the user's home directory, all of these messages are suppressed.  -q
     is specified, all of these messages are suppressed.  This is to simplify logins for non-human users, such as uucp(1).  login then records an
     entry in utmpx(5) and the like, and executes the user's command interpreter (or the program specified on the command line if -f is speci-
     fied).

     The login utility enters information into the environment (see environ(7)) specifying the user's home directory (HOME), command interpreter
     (SHELL), search path (PATH), terminal type (TERM) and user name (both LOGNAME and USER).

     Some shells may provide a builtin login command which is similar or identical to this utility.  Consult the builtin(1) manual page.

     The login utility will submit an audit record when login succeeds or fails.  Failure to determine the current auditing state will result in
     an error exit from login.

FILES

     /etc/motd		message-of-the-day
     /etc/nologin	disallows logins
     /var/run/utmpx	current logins
     /var/mail/user	system mailboxes
     .hushlogin 	makes login quieter
     /etc/pam.d/login	pam(8) configuration file
     /etc/security/audit_user
			user flags for auditing
     /etc/security/audit_control
			global flags for auditing

SEE ALSO

     builtin(1), chpass(1), newgrp(1), passwd(1), rlogin(1), getpass(3), utmpx(5), environ(7)

HISTORY

     A login utility appeared in Version 6 AT&T UNIX.

BSD
								September 13, 2006							       BSD
All times are GMT -4. The time now is 05:26 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy