[ossec-list] Re: AIX 5.3 sshd logins and sudo
- To: ossec-list@xxxxxxxxx
- Subject: [ossec-list] Re: AIX 5.3 sshd logins and sudo
- From: "Carlos Eduardo Pedroza Santiviago" <segfault@xxxxxxxxxxxxxxx>
- Date: Tue, 9 Oct 2007 10:00:38 -0300
Hi,
On 10/9/07, Carlos Eduardo Pedroza Santiviago <segfault@xxxxxxxxxxxxxxx> wrote:
> Hi,
>
> Below is an output of my sshd logins; it's currently an AIX 5.3:
>
> Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted
> password for USER from 172.29.14.41 port 55839 ssh2
>
> After that, I issue a "sudo su", and then it gets logged as:
>
> Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22
> ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su
> Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at
> /dev/pts/22
>
> Could this be added as a standard rule or should I create a customized
> version here?
>
> More information about the system:
>
> (MACHINE:/var/log)$ uname -a
> AIX MACHINE 3 5 00C3541E4C00
> (MACHINE:/var/log)$ oslevel -r
> 5300-04
>
Sorry, I forgot to mention that the OSSEC console currently doesn't log
anything about the successful login. It only reports when there is a
failed login, like this one:
** Alert 1191934768.3291914: - syslog,access_control,authentication_failed,
2007 Oct 09 09:59:28 (MACHINE) 172.17.30.44->/var/log/auth.log
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
Oct 9 09:59:27 MACHINE auth|security:info syslog: ssh: failed login
attempt for UNKNOWN_USER from 172.29.14.41
thank you,
--
Carlos Eduardo Pedroza Santiviago
http://softwarelivre.net | Passo-a-passo rumo à liberdade!
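The lines quoted in this thread show two things a rule writer has to deal with on AIX 5.3: the syslog header carries the facility as `auth|security:info` in front of the program name, and the failed-login line is emitted under the program name `syslog` (prefixed `ssh:`) rather than `sshd`, which is likely why the generic rule 2501 fires but leaves `Src IP: (none)` and `User: (none)`. The following Python parser is an added example, not code from the thread or from the OSSEC project: it splits the AIX header, extracts user and source address from both the `sshd` and the `syslog: ssh:` forms, and pairs a successful ssh login with a subsequent sudo-to-root by the same user on the same host. The sample lines are constructed from the ones quoted above (same MACHINE/USER placeholders); the event names and the 300-second correlation window are assumptions.

```python
"""Parse AIX 5.3 syslog authentication lines and correlate ssh logins with sudo-to-root."""
import re
from datetime import datetime
from typing import Optional

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2
Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su
Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at /dev/pts/22
Oct 9 09:59:27 MACHINE auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from 172.29.14.41
"""

# AIX inserts "<facility>|<facility>:<priority>" between the host and the program name,
# which is what a decoder written for the plain BSD syslog layout does not expect.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<fac>[\w|]+):(?P<pri>\w+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Message bodies, keyed by the program name that emitted them (event names are assumed).
CLASSIFIERS = [
    ("sshd",
     re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<srcip>\S+) port (?P<port>\d+)"),
     "ssh_login_ok"),
    # The failed attempt is logged under "syslog", not "sshd": an sshd-only decoder never sees it.
    ("syslog",
     re.compile(r"^ssh: failed login attempt for (?P<user>\S+) from (?P<srcip>\S+)$"),
     "ssh_login_failed"),
    ("sudo",
     re.compile(r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"),
     "sudo"),
    ("su",
     re.compile(r"^from (?P<user>\S+) to (?P<target>\S+) at (?P<tty>\S+)$"),
     "su"),
]


def parse_line(line: str) -> Optional[dict]:
    """Split one AIX syslog line into header fields and classify its message body."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    # The log carries no year; strptime defaults to 1900, which is fine for deltas within a file.
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    for prog, rx, kind in CLASSIFIERS:
        if ev["prog"] == prog:
            body = rx.match(ev["msg"])
            if body:
                ev["type"] = kind
                ev.update(body.groupdict())
                return ev
    ev["type"] = "other"
    return ev


def parse_log(text: str) -> list:
    """Parse every line of a log text, dropping lines that do not carry the AIX header."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def root_escalations(events: list, window_seconds: int = 300) -> list:
    """Pair each sudo-to-root with the latest successful ssh login of the same user on the same host.

    The result carries the login's source address, which the sudo line itself never records.
    """
    latest_login = {}  # (host, user) -> most recent ssh_login_ok event
    hits = []
    for ev in events:
        if ev["type"] == "ssh_login_ok":
            latest_login[(ev["host"], ev["user"])] = ev
        elif ev["type"] == "sudo" and ev["target"] == "root":
            login = latest_login.get((ev["host"], ev["user"]))
            if login and 0 <= (ev["time"] - login["time"]).total_seconds() <= window_seconds:
                hits.append({"host": ev["host"], "user": ev["user"], "srcip": login["srcip"],
                             "tty": ev["tty"], "cmd": ev["cmd"]})
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev["type"], ev.get("user"), ev.get("srcip"))
    for hit in root_escalations(events):
        print("root escalation:", hit)
```

Because the sudo line identifies only the user and TTY, the correlation step is what lets an alert on the escalation name the address the session came from; the same pairing is what a rule with an `if_matched_sid`-style parent on the login event would express inside OSSEC.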
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.