[Fed-Talk] BSM Audit of failed logins
[Fed-Talk] BSM Audit of failed logins
- Subject: [Fed-Talk] BSM Audit of failed logins
- From: Todd Heberlein <email@hidden>
- Date: Wed, 2 May 2007 17:13:02 -0700
For anyone running Apple's BSM audit trails (available through the
Common Criteria package), I have some questions...
If someone tries to login at the console using a username which does
*not* exist on the system, there doesn't seem to be any audit record
generated. For example, if I fail to login with usernames which
*are* on the system (e.g., "heberlei" or "root"), then "user
authentication" and "SecSrvr authinternal mech" audit records are
generated
However... If I try to login as user "bush" which does *not* exist on
my system, the audit trail is completely silent. This feels wrong to
me.
Has anyone else tried to monitor failed console logins for non-
existent users observed this?
Is this standard BSM behavior for other platforms?
Thanks,
Todd
PS. The audit flags I am running are:
flags:all
naflags:lo
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden