Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses

To: gnats-bugs%NetBSD.org@localhost
Subject: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
From: Ed Ravin <eravin%panix.com@localhost>
Date: Tue, 29 Dec 2009 11:47:37 -0500

On Tue, Dec 29, 2009 at 03:50:04PM +0000, Christos Zoulas wrote:
>  | Yes, because it is only being passed in the hostname; it does not
>  | lookup anything. Even the hostname passed can be bogus (although
>  | one presumes that the daemon that forks login is trusted).
>  | 
>  | So your desired behavior is to use getpeername(2) to determine if
>  | the login is remote and always syslog(LOG_INFO the infomation?
>  
>  Now that I looked more into it, it will use getpeername(2) to fill in
>  the address in wtmpx. Isn't that good enough? (looking through the wtmpx
>  records?)

It's nowhere near as good as syslog for audit trails - syslogs can be
sent immediately to another host for safekeeping, while wtmp is stored
locally and is the first thing that gets zapped after a successful
break-in.  Also, once it's in syslog, it can be tracked by a whole bunch
of automated tools (for people doing security auditing, IDS, etc.).

All the more recently written programs that do authentication, like ftpd
and sshd, generate syslog messages for logins.

        -- Ed

References:
- Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
  - From: Christos Zoulas

Prev by Date: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Next by Date: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Previous by Thread: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Next by Thread: Re: bin/42540: /usr/bin/login does not log normal logins, does not log IP addresses
Indexes:

Home | Main Index | Thread Index | Old Index