[ossec-list] Re: AIX 5.3 sshd logins and sudo
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: AIX 5.3 sshd logins and sudo
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 10 Oct 2007 19:44:51 -0300
Hi Carlos,
OSSEC already has parsers for these logs, but they are coming in a non-standard syslog format.
We expect:
Oct 9 09:50:40 MACHINE sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2
While you have:
Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2
Is this something special to your AIX config? Can you change it to the
standard format?
Any other AIX user in here with more information on this?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 10/9/07, Carlos Eduardo Pedroza Santiviago <segfault@xxxxxxxxxxxxxxx> wrote:
> Hi,
>
> Below is an output of my sshd logins, it's currently an AIX 5.3:
>
> Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2
>
> After that, I issue a "sudo su", and then it gets logged as:
>
> Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su
> Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at /dev/pts/22
>
> Could this be added as a standard rule or should I create a customized
> version here?
>
> More information about the system:
>
> (MACHINE:/var/log)$ uname -a
> AIX MACHINE 3 5 00C3541E4C00
> (MACHINE:/var/log)$ oslevel -r
> 5300-04
>
> thank you,
> --
> Carlos Eduardo Pedroza Santiviago
> http://softwarelivre.net | Passo-a-passo rumo à liberdade!
>
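The difference Daniel points out is purely in the syslog prefix: AIX inserts a tag between the hostname and the program name, which a decoder expecting `timestamp host program[pid]: message` will not match, so the sshd login and sudo events are never decoded and no rule fires. The example below is added here and is not OSSEC's decoder nor code from either poster; it assumes the `auth|security:info` token is the syslog facility (with its alias) and priority that AIX writes, and it shows how a normalisation step can strip that tag so the standard parsing then works. The sample lines are constructed from the ones in the thread, and the field names (`src`, `runas`, `aix_tag`) are my own.

```python
import re

# Constructed sample input, shaped like the AIX 5.3 lines quoted in the thread:
# a "facility:priority" tag sits between the hostname and the program name.
AIX_SAMPLE_LINES = [
    "Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2",
    "Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su",
    "Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at /dev/pts/22",
]

# Standard BSD syslog prefix: "<Mon> <day> <hh:mm:ss> <host> ", after which the
# program name (and optional [pid]) is expected.
SYSLOG_PREFIX = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# The AIX tag (assumed reading): one or more facility names joined by '|', a colon,
# a syslog priority keyword, then a space. Restricting the priority to the known
# keywords keeps an ordinary program name such as "su:" or "sudo:" from being eaten.
AIX_TAG = re.compile(
    r"^(?P<facility>[a-z0-9]+(?:\|[a-z0-9]+)*):"
    r"(?P<priority>emerg|alert|crit|err|warning|notice|info|debug) "
)

# Message parsers that work on the standard (normalised) form only.
SSHD_ACCEPTED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
SUDO_CMD = re.compile(
    r"sudo: +(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def normalize_aix_syslog(line):
    """Return (standard_line, tag).

    If the line carries an AIX facility:priority tag right after the hostname, the
    tag is removed and returned; otherwise the line is returned unchanged with None.
    """
    prefix = SYSLOG_PREFIX.match(line)
    if not prefix:
        return line, None
    rest = line[prefix.end():]
    tag = AIX_TAG.match(rest)
    if not tag:
        return line, None
    return line[:prefix.end()] + rest[tag.end():], tag.group(0).strip()


def decode(line):
    """Normalise one line, then extract the fields a rule would act on."""
    std, tag = normalize_aix_syslog(line)
    event = {"aix_tag": tag, "kind": "unknown"}
    m = SSHD_ACCEPTED.search(std)
    if m:
        event.update(kind="sshd_login", **m.groupdict())
        return event
    m = SUDO_CMD.search(std)
    if m:
        event.update(kind="sudo", **m.groupdict())
        return event
    return event


if __name__ == "__main__":
    for raw in AIX_SAMPLE_LINES:
        std, tag = normalize_aix_syslog(raw)
        print("stripped tag:", tag)
        print("standard form:", std)
        print("decoded:", decode(raw))
        print()
```

Running the block prints, for the first sample, exactly the line Daniel lists as the expected format, and the decoded sudo event shows the privilege change (`USER` running `/usr/bin/su` as `root` on `pts/22`), which is the pair of facts a login-then-escalation rule needs. The `su: from root to root` line is left as `unknown` since no parser for it is shown here; it still has its tag stripped, so a later decoder would see the standard form.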
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.