Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
The following reply was made to PR bin/42540; it has been noted by GNATS.
From: Ed Ravin <eravin%panix.com@localhost>
Cc: gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost,
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not
log IP addresses
Date: Tue, 29 Dec 2009 11:47:37 -0500
On Tue, Dec 29, 2009 at 03:50:04PM +0000, Christos Zoulas wrote:
> | Yes, because it is only being passed in the hostname; it does not
> | lookup anything. Even the hostname passed can be bogus (although
> | one presumes that the daemon that forks login is trusted).
> | So your desired behavior is to use getpeername(2) to determine if
> | the login is remote and always syslog(LOG_INFO) the information?
> Now that I looked more into it, it will use getpeername(2) to fill in
> the address in wtmpx. Isn't that good enough? (looking through the wtmpx
It's nowhere near as good as syslog for audit trails - syslogs can be
sent immediately to another host for safekeeping, while wtmp is stored
locally and is the first thing that gets zapped after a successful
break-in. Also, once it's in syslog, it can be tracked by a whole bunch
of automated tools (for people doing security auditing, IDS, etc.).
All the more recently written programs that do authentication, like ftpd
and sshd, generate syslog messages for logins.