After testing, I personally think the following method is the better one.
1. Add the login/logout flag to the /etc/security/audit_control file
as follows (- means track only unsuccessful attempts):
flags:-lo
See the audit_control(4) manpage for more details.
2. Run /etc/security/bsmconv
See the bsmconv(1M) manpage for more details.
3. Reboot.
4. To view the logs run the command:
# auditreduce|praudit
See the praudit(1M) and auditreduce(1M) manpages for more details.
After the setup succeeds, the dtlogin login information can be looked up:
# auditreduce|praudit
file,Thu May 14 07:50:13 GMT 2009, + 0 msec,
header,44,2,system booted,na,Thu May 14 07:50:13 GMT 2009, + 594 msec
text,booting kernel
header,86,2,su,,Thu May 14 07:55:31 GMT 2009, + 658 msec
subject,omcadmin,root,omc,omcadmin,omc,2257,610,574 65559 10.225.9.9
text,success for user root
return,success,0
header,81,2,login - local,,Thu May 14 07:59:34 GMT 2009, + 900 msec
subject,omcadmin,omcadmin,omc,omcadmin,omc,2338,2338,0 0 somcsys4
text,invalid password
return,failure: Interrupted system call,-1
header,82,2,login - telnet,,Thu May 14 08:00:58 GMT 2009, + 887 msec
subject,-1,-1,-1,-1,-1,2738,2738,24 2 10.225.9.9
text,invalid user name
return,failure: No such process,-1
header,81,2,login - telnet,,Thu May 14 08:01:33 GMT 2009, + 691 msec
subject,asaadmin,asaadmin,omc,asaadmin,omc,2966,2966,24 2 10.225.9.9
text,invalid password
return,failure: Interrupted system call,-1
header,81,2,login - local,,Thu May 14 08:26:41 GMT 2009, + 32 msec
subject,omcread,omcread,omcread,omcread,omcread,2338,2338,0 0 somcsys4
text,invalid password
return,failure: Interrupted system call,-1
file,Thu May 14 08:26:41 GMT 2009, + 0 msec,
#
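To turn the token stream shown in the post above into a failed-login summary, the following is an added example, not part of the original post. The function names are assumptions of this example, and the event filter only covers the "login - ..." event names that appear in the posted output.

```python
from collections import Counter

# Excerpt of the praudit output posted above (default format, one token per line).
SAMPLE = """\
file,Thu May 14 07:50:13 GMT 2009, + 0 msec,
header,44,2,system booted,na,Thu May 14 07:50:13 GMT 2009, + 594 msec
header,81,2,login - local,,Thu May 14 07:59:34 GMT 2009, + 900 msec
subject,omcadmin,omcadmin,omc,omcadmin,omc,2338,2338,0 0 somcsys4
text,invalid password
return,failure: Interrupted system call,-1
header,82,2,login - telnet,,Thu May 14 08:00:58 GMT 2009, + 887 msec
subject,-1,-1,-1,-1,-1,2738,2738,24 2 10.225.9.9
text,invalid user name
return,failure: No such process,-1
header,81,2,login - telnet,,Thu May 14 08:01:33 GMT 2009, + 691 msec
subject,asaadmin,asaadmin,omc,asaadmin,omc,2966,2966,24 2 10.225.9.9
text,invalid password
return,failure: Interrupted system call,-1
"""

def parse_praudit(text):
    """Group praudit token lines into records; each record starts at a header token."""
    records, cur = [], None
    for line in text.splitlines():
        token, _, rest = line.strip().partition(",")
        f = rest.split(",")
        if token == "header":  # header,bytes,version,event,modifier,time,msec
            cur = {"event": f[2], "time": f[4].strip(), "text": []}
            records.append(cur)
        elif cur is None or token == "file":
            cur = None  # file tokens mark audit-file boundaries, not events
        elif token == "subject":
            cur["audit_user"] = f[0]           # "-1" when the user name was unknown
            cur["source"] = f[-1].split()[-1]  # terminal ID field ends with the host
        elif token == "text":
            cur["text"].append(rest)
        elif token == "return":
            cur["status"] = f[0]
    return records

def failed_logins(records):
    """Login records whose return token reports a failure."""
    return [r for r in records if r["event"].startswith("login")
            and r.get("status", "").startswith("failure")]

def failures_by_source(records):  # failed-login count per originating host
    return Counter(r.get("source", "?") for r in failed_logins(records))

if __name__ == "__main__":
    print(failures_by_source(parse_praudit(SAMPLE)))
```
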