Tuesday, November 1, 2011

Successful logins on terminal to syslog on AIX

Problem description:
AIX sends only unsuccessful logins to syslog; successful logins, such as terminal logins (e.g. on the virtual console), are missing.

Solution:
AIX contains a bug that prevents it from sending successful login events to the syslog daemon.
It should be fixed in AIX 6.1 TL06 SP08.

APAR describing the problem:
APAR IV03635 SYSLOG SUPPORT FOR SUCCESSFUL LOGIN
http://www-01.ibm.com/support/docview.wss?rs=1209&context=SG11Q&dc=DB550&q1=IV03635&uid=isg1IV03635&loc=en_US&cs=UTF-8&lang=en

Workaround:
Use the audit subsystem: customize the auditstream command to select the event
and pipe it to logger:

Enable stream mode in /etc/security/audit/config:
start:
        streammode = on
stream:
        cmds = /etc/security/audit/streamcmds
....

NOTE: If you already use stream mode for regular auditing on AIX, you can use the tee command to split the output into an output file and continue the pipe to logger, but then all audit events will be sent to syslog.

Customize the audit stream command in /etc/security/audit/streamcmds:
auditstream | auditselect -e "event == USER_Login && command == getty" | auditpr -t0 -helrRpPtc | logger -p auth.info &

Restart audit:
audit shutdown && audit start

Audit then runs in the background:
# ps -ef | grep audit
    root 10485906 15073324   0 12:15:28      -  0:00 auditpr -t0 -helrRpPtc
    root 11599888 15073324   0 12:15:28      -  0:00 auditselect -e event == USER_Login && command == getty
    root 14680288 15073324   0 12:15:28      -  0:00 auditstream
    root 16056534        1   0 12:15:28      -  0:00 auditbin

Try logging in to a virtual terminal through the HMC, e.g. with vtmenu.

You can then see the event in syslog:
Nov  1 12:15:43 hostname auth|security:info username: USER_Login      root     root     OK          4784310  1        Tue Nov 01 12:15:43 2011 getty
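
Added example, not part of the original post: a shell/awk parser for the records this pipeline writes to syslog, using the field order given by -helrRpPtc (event, login, real user, status, PID, parent PID, time, command). The function names and every sample line except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Parses syslog records written by
#   auditpr -t0 -helrRpPtc | logger -p auth.info
# Tokens after the event name, in -helrRpPtc order:
#   login real status pid ppid <5 time tokens> command

# Constructed sample: line 1 is the record shown in the post; the rest are
# made up (a failed login, an unrelated message, a truncated record).
sample_log() {
cat <<'EOF'
Nov  1 12:15:43 hostname auth|security:info username: USER_Login      root     root     OK          4784310  1        Tue Nov 01 12:15:43 2011 getty
Nov  1 12:17:02 hostname auth|security:info username: USER_Login      alice    alice    FAIL        4784388  1        Tue Nov 01 12:17:02 2011 getty
Nov  1 12:18:10 hostname daemon:notice sshd[5123]: unrelated message
Nov  1 12:19:55 hostname auth|security:info username: USER_Login      bob      root     OK
EOF
}

# parse_audit_logins (hypothetical helper): stdin = syslog lines,
# stdout = "login|real|status|pid|ppid|time|command" per USER_Login record.
# Truncated or non-numeric records are reported on stderr, not silently dropped.
parse_audit_logins() {
    awk '
    {
        ev = 0   # the syslog prefix length varies, so locate the event token
        for (i = 1; i <= NF; i++) if ($i == "USER_Login") { ev = i; break }
        if (ev == 0) next
        if (NF < ev + 11 || $(ev+4) !~ /^[0-9]+$/ || $(ev+5) !~ /^[0-9]+$/) {
            print "malformed audit record at input line " NR | "cat 1>&2"
            next
        }
        when = $(ev+6)
        for (i = ev + 7; i <= ev + 10; i++) when = when " " $i
        printf "%s|%s|%s|%s|%s|%s|%s\n", $(ev+1), $(ev+2), $(ev+3), $(ev+4), $(ev+5), when, $(ev+11)
    }'
}

# successful_logins USER: timestamps of successful terminal logins for USER.
successful_logins() {
    parse_audit_logins | awk -F'|' -v u="$1" '$1 == u && $3 == "OK" { print $6 }'
}
```

The auditselect expression in streamcmds filters on event and command only, so records of either status reach syslog; filter on the status field downstream if only successful logins are wanted.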
