[Fed-Talk] RE: BSM Audit of failed logins (Todd Heberlein)
- Subject: [Fed-Talk] RE: BSM Audit of failed logins (Todd Heberlein)
- From: "Beck, Keith M LCDR CNO-OPNAV" <email@hidden>
- Date: Thu, 3 May 2007 16:34:10 -0400
- Thread-topic: BSM Audit of failed logins (Todd Heberlein)
This is the desired behavior. Many users who might not be looking while
typing enter their password in the user name field and submit it.
Logging user names for non-existent users makes your logs valuable
penetration tools.
Keith Beck
-----Original Message-----
Message: 1
Date: Wed, 2 May 2007 17:13:02 -0700
From: Todd Heberlein <email@hidden>
Subject: [Fed-Talk] BSM Audit of failed logins
To: FedTalk List <email@hidden>
Message-ID: <email@hidden>
For anyone running Apple's BSM audit trails (available through the
Common Criteria package), I have some questions...
If someone tries to login at the console using a username which does
*not* exist on the system, there doesn't seem to be any audit record
generated. For example, if I fail to login with usernames which
*are* on the system (e.g., "heberlei" or "root"), then "user
authentication" and "SecSrvr authinternal mech" audit records are
generated.
However... If I try to login as user "bush" which does *not* exist on my
system, the audit trail is completely silent. This feels wrong to me.
Has anyone else who has tried to monitor failed console logins for non-existent
users observed this?
Is this standard BSM behavior for other platforms?
Thanks,
Todd
PS. The audit flags I am running are:
flags:all
naflags:lo
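
The trade-off discussed in this thread, as an added example that is not from either poster and is not Apple's BSM code: a failed-login audit writer that still emits a record for a non-existent account but never stores the typed string, since it may be a password entered in the user name field. The record layout, account list, key and sample attempts are constructed assumptions.

```python
import hashlib
import hmac

KNOWN_USERS = {"root", "heberlei"}   # constructed account list
TAG_KEY = b"constructed-demo-key"    # assumption: a secret not stored with the logs

def failed_login_record(typed_name, tty):
    """Return an audit record for a failed login.

    The typed string is stored only when it names a real account; otherwise
    it may be a mistyped password, so only a keyed tag of it is kept.
    """
    record = {"event": "login failure", "tty": tty}
    if typed_name in KNOWN_USERS:
        record["user"] = typed_name
    else:
        digest = hmac.new(TAG_KEY, typed_name.encode("utf-8"), hashlib.sha256)
        record["user"] = "<unknown>"
        # The tag shows that the same string was tried repeatedly without
        # making the string itself readable from the log.
        record["name_tag"] = digest.hexdigest()[:16]
    return record

def summarize(attempts):
    """Count failures per known user and per unknown-name tag."""
    counts = {}
    for typed_name, tty in attempts:
        rec = failed_login_record(typed_name, tty)
        key = rec["user"] if "name_tag" not in rec else "tag:" + rec["name_tag"]
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample: two real accounts, one non-existent name tried twice,
# and one string that looks like a password typed into the user name field.
SAMPLE = [("root", "console"), ("heberlei", "console"),
          ("bush", "console"), ("bush", "console"),
          ("Tr0ub4dor&3", "console")]

if __name__ == "__main__":
    for name, tty in SAMPLE:
        print(failed_login_record(name, tty))
    print(summarize(SAMPLE))
```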