Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses

[David Holland <dholland-bugs%netbsd.org@localhost>]

The following reply was made to PR bin/42540; it has been noted by GNATS.

From: David Holland <dholland-bugs%netbsd.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: eravin%panix.com@localhost
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not
        log IP addresses
Date: Wed, 30 Dec 2009 22:07:06 +0000

 On Tue, Dec 29, 2009 at 04:50:06PM +0000, Ed Ravin wrote:
  >>  Now that I looked more into it, it will use getpeername(2) to fill in
  >>  the address in wtmpx. Isn't that good enough? (looking through the wtmpx
  >>  records?)
  >  
  >  It's nowhere near as good as syslog for audit trails - syslogs can be
  >  sent immediately to another host for safekeeping, while wtmp is stored
  >  locally and is the first thing that gets zapped after a successful
  >  break-in.  Also, once it's in syslog, it can be tracked by a whole bunch
  >  of automated tools (for people doing security auditing, IDS, etc.).
  >  
  >  All the more recently written programs that do authentication, like ftpd
  >  and sshd, generate syslog messages for logins.
 
 While this is all true, wtmp (and also /var/account/acct) is part of
 the system's overall log information, and in the long run it'd
 probably be better to be able to ship it around as well.
 
 Either that or we should take the plunge and kill off wtmp entirely in
 favor of sending that information through syslog... although that has
 other issues...
 
 -- 
 David A. Holland
 dholland%netbsd.org@localhost