Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
The following reply was made to PR bin/42540; it has been noted by GNATS.
From: David Holland <dholland-bugs%netbsd.org@localhost>
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not
log IP addresses
Date: Wed, 30 Dec 2009 22:07:06 +0000
On Tue, Dec 29, 2009 at 04:50:06PM +0000, Ed Ravin wrote:
>> Now that I looked more into it, it will use getpeername(2) to fill in
>> the address in wtmpx. Isn't that good enough? (looking through the wtmpx
> It's nowhere near as good as syslog for audit trails - syslogs can be
> sent immediately to another host for safekeeping, while wtmp is stored
> locally and is the first thing that gets zapped after a successful
> break-in. Also, once it's in syslog, it can be tracked by a whole bunch
> of automated tools (for people doing security auditing, IDS, etc.).
> All the more recently written programs that do authentication, like ftpd
> and sshd, generate syslog messages for logins.
While this is all true, wtmp (and also /var/account/acct) is part of
the system's overall log information, and in the long run it'd
probably be better to be able to ship it around as well.
Either that or we should take the plunge and kill off wtmp entirely in
favor of sending that information through syslog... although that has
David A. Holland
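
An added example, not part of this message or of NetBSD's login(1) source: one way a login-style program could send the peer address that getpeername(2) returns to syslog's auth facility, as the thread discusses. The function names and the record format are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>

/* Copy src into dst, replacing spaces and non-printable bytes with '?' so a
 * crafted login name cannot inject extra fields or lines into the log. */
static void sanitize(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < dstlen; i++)
        dst[i] = isgraph((unsigned char)src[i]) ? src[i] : '?';
    dst[i] = '\0';
}

/* Hypothetical helper: format one login record from a peer address of the
 * kind getpeername(2) fills in. Numeric form only, so no DNS lookup.
 * Returns 0 on success, -1 if the record did not fit in out. */
int format_login_record(const struct sockaddr *sa, const char *user,
                        const char *tty, char *out, size_t outlen)
{
    char host[INET6_ADDRSTRLEN] = "unknown", name[33], line[33];
    const void *addr = NULL;

    if (sa != NULL && sa->sa_family == AF_INET)
        addr = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa != NULL && sa->sa_family == AF_INET6)
        addr = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    if (addr != NULL && inet_ntop(sa->sa_family, addr, host, sizeof(host)) == NULL)
        strcpy(host, "unknown");

    sanitize(name, sizeof(name), user);
    sanitize(line, sizeof(line), tty);
    int n = snprintf(out, outlen, "login: user=%s tty=%s from=%s", name, line, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Send the record to the auth facility; syslogd can forward it off-host. */
void log_login(const struct sockaddr *sa, const char *user, const char *tty)
{
    char rec[160];
    if (format_login_record(sa, user, tty, rec, sizeof(rec)) == 0)
        syslog(LOG_AUTH | LOG_INFO, "%s", rec);
}
```

The record is passed through a fixed "%s" format so that user-supplied text is never interpreted as a format string.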