AIX sends only unsuccessful logins to syslog; successful logins such as terminal logins (e.g. on the virtual console) are missing.
Solution:
AIX contains a bug that prevents it from sending successful login events to the syslog daemon.
It shall be fixed in AIX 6.1 TL06 SP08.
APAR describing the problem:
APAR IV03635 SYSLOG SUPPORT FOR SUCCESSFUL LOGIN
http://www-01.ibm.com/support/docview.wss?rs=1209&context=SG11Q&dc=DB550&q1=IV03635&uid=isg1IV03635&loc=en_US&cs=UTF-8&lang=en
Workaround:
Use the audit subsystem: customize the auditstream command to select the event
and pipe it to logger.
Enable stream mode in /etc/security/audit/config:
start:
        streammode = on
stream:
        cmds = /etc/security/audit/streamcmds
....
NOTE: If you already use stream mode for common auditing on AIX, you can use the tee command to split the output to the output file and continue the pipe to logger, but then all audit events will be sent to syslog.
Customize the audit stream command in /etc/security/audit/streamcmds:
auditstream | auditselect -e "event == USER_Login && command == getty" | auditpr -t0 -helrRpPtc | logger -p auth.info &
Restart audit:
audit shutdown && audit start
Audit then runs in the background:
# ps -ef | grep audit
root 10485906 15073324 0 12:15:28 - 0:00 auditpr -t0 -helrRpPtc
root 11599888 15073324 0 12:15:28 - 0:00 auditselect -e event == USER_Login && command == getty
root 14680288 15073324 0 12:15:28 - 0:00 auditstream
root 16056534 1 0 12:15:28 - 0:00 auditbin
Try to log in to a virtual terminal through the HMC, e.g. with vtmenu.
You can then see the event in syslog:
Nov 1 12:15:43 hostname auth|security:info username: USER_Login root root OK 4784310 1 Tue Nov 01 12:15:43 2011 getty
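To check that the forwarded records are usable downstream, the following added example (not part of the original post) splits each USER_Login syslog line into named fields. It assumes the field order after the event name follows the `-helrRpPtc` letters used above (login, real user, status, pid, ppid, time, command) and that the status is a single token; apart from the first sample line, which is the one shown above, the input lines are constructed.

```shell
#!/bin/sh
# Added example: normalise USER_Login records that reach syslog through
#   auditpr -t0 -helrRpPtc | logger -p auth.info
# Assumed field order after the event name (from the -h letters):
#   l=login r=real user R=status p=pid P=ppid t=time (5 tokens) c=command

parse_login_events() {
    awk '
    {
        # Locate the event token; the syslog prefix in front of it varies.
        ev = 0
        for (i = 1; i <= NF; i++) if ($i == "USER_Login") { ev = i; break }
        if (ev == 0) next                 # not a login record
        if (NF < ev + 11) {               # record cut short in transit
            print "skipped line " NR ": truncated record" | "cat 1>&2"
            next
        }
        when = $(ev+6) " " $(ev+7) " " $(ev+8) " " $(ev+9) " " $(ev+10)
        printf "%s|login=%s|real=%s|status=%s|pid=%s|ppid=%s|cmd=%s\n",
               when, $(ev+1), $(ev+2), $(ev+3), $(ev+4), $(ev+5), $(ev+11)
    }'
}

# Sample input: line 1 is the record from the post, the rest are constructed
# (a second login, a truncated record, an unrelated syslog message).
sample_syslog() {
    cat <<'EOF'
Nov 1 12:15:43 hostname auth|security:info username: USER_Login root root OK 4784310 1 Tue Nov 01 12:15:43 2011 getty
Nov 1 12:20:01 hostname auth|security:info username: USER_Login alice alice OK 4915500 1 Tue Nov 01 12:20:01 2011 getty
Nov 1 12:21:09 hostname auth|security:info username: USER_Login bob bob OK
Nov 1 12:22:00 hostname daemon:info sshd[123]: unrelated message
EOF
}

# Stand-alone run: prints two normalised records, reports one skipped line.
sample_syslog | parse_login_events
```

On a live system, feed it the file that receives auth.info messages instead of `sample_syslog`.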