Re: [Fed-Talk] Security Issue: ssh and bsm
- Subject: Re: [Fed-Talk] Security Issue: ssh and bsm
- From: Todd Heberlein <email@hidden>
- Date: Mon, 8 Oct 2007 18:01:22 -0700
Michael and Shawn,

I found another bug involving ssh, this one with praudit. I'll send a
report to bugreport, but I thought I would mention it here in case
someone runs across this.

praudit does not properly print the OpenSSH login audit record; I
think the problem is that it cannot parse the first token after the
header, the AU_SUBJECT_32_EX_TOKEN. For example, the output looks
something like this:

    ...
    header,111,1,OpenSSH login,0,Mon Oct 8 13:36:42 2007, + 813 msec
    header,180,1,getattrlist(),0,Mon Oct 8 13:36:45 2007, + 308 msec
    ...

That is, the header token for "OpenSSH login" is followed immediately
by the header of the next audit record. I went through and parsed out
the binary data, and it should print out the following tokens:

    header
    subject32ex
    text
    return
    trailer

This is somewhat problematic because the "text token" identifies the
account and whether it was successful or not. Seems important.

Todd
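
Added example (not part of the message above and not praudit's code): a minimal Python walker for the five tokens the message lists, so a record can be checked directly from the binary audit trail when praudit drops them. Token IDs and field layouts follow the BSM record format for the 32-bit header, subject32ex, text, return and trailer tokens only; the sample record, its user name, IDs, event number and address are constructed.

```python
import struct

# Token IDs from the BSM record format (0x7A is AU_SUBJECT_32_EX_TOKEN).
HEADER32, SUBJECT32_EX, TEXT, RETURN32, TRAILER = 0x14, 0x7A, 0x28, 0x27, 0x13
TRAILER_MAGIC = 0xB105

def parse_record(buf):
    """Walk one BSM record; return a list of (token_name, fields) tuples."""
    tokens, off = [], 0
    while off < len(buf):
        tid = buf[off]
        if tid == HEADER32:
            size, ver, event, mod, sec, msec = struct.unpack_from(">IBHHII", buf, off + 1)
            tokens.append(("header", {"size": size, "event": event, "sec": sec, "msec": msec}))
            off += 18
        elif tid == SUBJECT32_EX:
            ids = struct.unpack_from(">7I", buf, off + 1)   # auid euid egid ruid rgid pid sid
            port, alen = struct.unpack_from(">II", buf, off + 29)
            if alen not in (4, 16):                         # IPv4 or IPv6 terminal address
                raise ValueError("bad subject32ex address length %d" % alen)
            addr = buf[off + 37: off + 37 + alen]
            tokens.append(("subject32ex", {"auid": ids[0], "pid": ids[5], "addr": addr}))
            off += 37 + alen
        elif tid == TEXT:
            (n,) = struct.unpack_from(">H", buf, off + 1)   # length counts the trailing NUL
            tokens.append(("text", buf[off + 3: off + 3 + n].rstrip(b"\0").decode()))
            off += 3 + n
        elif tid == RETURN32:
            err, val = struct.unpack_from(">BI", buf, off + 1)
            tokens.append(("return", {"errno": err, "value": val}))
            off += 6
        elif tid == TRAILER:
            magic, size = struct.unpack_from(">HI", buf, off + 1)
            if magic != TRAILER_MAGIC or size != len(buf):
                raise ValueError("trailer does not match record")
            tokens.append(("trailer", {"size": size}))
            off += 7
        else:
            raise ValueError("unhandled token 0x%02x at offset %d" % (tid, off))
    return tokens

def build_sample():
    """Constructed login-style record with an IPv4 source (all values are sample data)."""
    text = b"successful login exampleuser\0"
    body = struct.pack(">B7IIII", SUBJECT32_EX, 501, 501, 20, 501, 20, 4242, 4242, 50000, 4, 0xC0000201)
    body += struct.pack(">BH", TEXT, len(text)) + text + struct.pack(">BBI", RETURN32, 0, 0)
    total = 18 + len(body) + 7
    head = struct.pack(">BIBHHII", HEADER32, total, 1, 32800, 0, 1191875802, 813)
    return head + body + struct.pack(">BHI", TRAILER, TRAILER_MAGIC, total)
```

Calling parse_record(build_sample()) yields the token order header, subject32ex, text, return, trailer; an unrecognised token ID raises ValueError instead of being skipped silently.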