NetBSD-Bugs archive


Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses



The following reply was made to PR bin/42540; it has been noted by GNATS.

From: Ed Ravin <eravin%panix.com@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost, 
eravin%panix.com@localhost
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not
        log IP addresses
Date: Tue, 29 Dec 2009 11:47:37 -0500

 On Tue, Dec 29, 2009 at 03:50:04PM +0000, Christos Zoulas wrote:
 >  | Yes, because it is only being passed in the hostname; it does not
 >  | look up anything. Even the hostname passed can be bogus (although
 >  | one presumes that the daemon that forks login is trusted).
 >  | 
 >  | So your desired behavior is to use getpeername(2) to determine if
 >  | the login is remote and always syslog(LOG_INFO the information?
 >  
 >  Now that I looked more into it, it will use getpeername(2) to fill in
 >  the address in wtmpx. Isn't that good enough? (looking through the wtmpx
 >  records?)
 
 It's nowhere near as good as syslog for audit trails - syslogs can be
 sent immediately to another host for safekeeping, while wtmp is stored
 locally and is the first thing that gets zapped after a successful
 break-in.  Also, once it's in syslog, it can be tracked by a whole bunch
 of automated tools (for people doing security auditing, IDS, etc.).
 
 All the more recently written programs that do authentication, like ftpd
 and sshd, generate syslog messages for logins.
 
        -- Ed
 
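What the thread is converging on, as an added example in C that is not NetBSD's login(1) source: a login-style program decides whether its session is remote from the kernel's own view of the descriptor (getpeername(2)) rather than from the hostname string the parent daemon passes along, reports both side by side so an auditor can see when they disagree, and hands the result to syslog(3) at LOG_AUTH|LOG_INFO so it can leave the host immediately. The function names, the log line format and the loopback socket helper used to exercise the code without a real network login are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* getnameinfo, pipe, close under strict compilers */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

/*
 * Return 1 and fill addr with the numeric peer address if fd is the far end
 * of an IPv4/IPv6 connection; return 0 for a tty, pipe, closed fd or AF_UNIX
 * socket, all of which are treated as local. getpeername(2) reports what the
 * kernel knows, so it cannot be spoofed by the hostname argument.
 */
int peer_address(int fd, char *addr, size_t addrlen)
{
    struct sockaddr_storage ss;
    socklen_t sslen = sizeof ss;

    if (getpeername(fd, (struct sockaddr *)&ss, &sslen) != 0)
        return 0;                 /* ENOTSOCK, EBADF, ENOTCONN: local */
    if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6)
        return 0;
    if (getnameinfo((struct sockaddr *)&ss, sslen, addr, addrlen,
                    NULL, 0, NI_NUMERICHOST) != 0)
        return 0;
    return 1;
}

/*
 * Build the record that goes to syslog. The daemon-supplied hostname is
 * shown as "claimed" next to the kernel-verified address. Returns the
 * number of characters snprintf wrote.
 */
int format_login_record(int fd, const char *user, const char *tty,
                        const char *claimed_host, char *out, size_t outlen)
{
    char addr[INET6_ADDRSTRLEN];

    if (peer_address(fd, addr, sizeof addr))
        return snprintf(out, outlen, "login: %s on %s from %s (claimed %s)",
                        user, tty, addr, claimed_host ? claimed_host : "-");
    return snprintf(out, outlen, "login: %s on %s (local)", user, tty);
}

/* Emit the record as LOG_AUTH at LOG_INFO, the way sshd and ftpd do. */
void log_login(int fd, const char *user, const char *tty,
               const char *claimed_host)
{
    char line[512];

    format_login_record(fd, user, tty, claimed_host, line, sizeof line);
    syslog(LOG_AUTH | LOG_INFO, "%s", line);
}

/*
 * Test helper (assumption, not part of any login implementation): a
 * connected TCP pair over 127.0.0.1. fds[0] is the accepted server side,
 * fds[1] the client side. Returns 0 on success, -1 on failure.
 */
int loopback_pair(int fds[2])
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int lfd, cfd, afd;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                       /* kernel picks a free port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(lfd, (struct sockaddr *)&sin, sizeof sin) != 0 ||
        listen(lfd, 1) != 0 ||
        getsockname(lfd, (struct sockaddr *)&sin, &len) != 0) {
        close(lfd);
        return -1;
    }
    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        close(lfd);
        return -1;
    }
    if (connect(cfd, (struct sockaddr *)&sin, sizeof sin) != 0 ||
        (afd = accept(lfd, NULL, NULL)) < 0) {
        close(cfd);
        close(lfd);
        return -1;
    }
    close(lfd);
    fds[0] = afd;
    fds[1] = cfd;
    return 0;
}

int main(void)
{
    int fds[2], p[2];
    char line[512];

    if (loopback_pair(fds) == 0) {        /* a "remote" login over loopback */
        log_login(fds[0], "alice", "ttyp0", "evil.example");
        format_login_record(fds[0], "alice", "ttyp0", "evil.example",
                            line, sizeof line);
        puts(line);
        close(fds[0]);
        close(fds[1]);
    }
    if (pipe(p) == 0) {                   /* not a socket: a local login */
        format_login_record(p[0], "bob", "ttyE0", NULL, line, sizeof line);
        puts(line);
        close(p[0]);
        close(p[1]);
    }
    return 0;
}
```

The split between format_login_record and log_login is deliberate: the formatting can be exercised offline, while the syslog call is the part that gets the record off the machine before an intruder can edit wtmpx.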

