NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses

On Tue, Dec 29, 2009 at 03:50:04PM +0000, Christos Zoulas wrote:
>  | Yes, because it is only being passed in the hostname; it does not
>  | lookup anything. Even the hostname passed can be bogus (although
>  | one presumes that the daemon that forks login is trusted).
>  | 
>  | So your desired behavior is to use getpeername(2) to determine if
>  | the login is remote and always syslog(LOG_INFO the infomation?
>  Now that I looked more into it, it will use getpeername(2) to fill in
>  the address in wtmpx. Isn't that good enough? (looking through the wtmpx
>  records?)

It's nowhere near as good as syslog for audit trails - syslogs can be
sent immediately to another host for safekeeping, while wtmp is stored
locally and is the first thing that gets zapped after a successful
break-in.  Also, once it's in syslog, it can be tracked by a whole bunch
of automated tools (for people doing security auditing, IDS, etc.).

All the more recently written programs that do authentication, like ftpd
and sshd, generate syslog messages for logins.

        -- Ed

Home | Main Index | Thread Index | Old Index