Solaris Audit Support
The Solaris operating environment supports auditing of system events such as file access, process operations, and network activity. With auditing enabled, the system writes an audit trail of the selected events to a log file, which can be examined to detect unauthorized use of the system. Auditing in the Solaris operating environment is provided by the Basic Security Module (BSM). Refer to the Solaris documentation for information about configuring BSM.
To generate audit records for Secure Shell connections
To view the audit log
The audit entries for the Secure Shell login and logout events record which user attempted to log in or out, from which host, and whether the connection succeeded.
An entry for a user 'joe' logging in from host sphinx.company.com:
header,94,2,login - ssh,,Tue May 13 10:49:44 2010, + 863 msec
subject,joe,joe,other,joe,other,7763,7763,0 2805 sphinx.company.com
text,sshd login joe on /dev/pts/4
In this case, the user successfully logged on to the system, and was given a Secure Shell terminal session on /dev/pts/4.
For Secure Shell logins that do not require a terminal session, such as remote commands or file transfers with scp or sftp, the login entry shows (no tty) in place of the terminal device, and an additional text token records the command the server executes on behalf of the user. For example:
header,116,2,login - ssh,,Tue May 13 10:49:58 2010, + 361 msec
subject,joe,joe,other,joe,other,7774,7774,0 2806 sphinx.company.com
text,sshd login joe on (no tty)
text,remote command: sftp
An example of a failed login attempt; here the return token carries the failure reason and the return value:
header,81,2,AUE_ssh,,Tue May 13 11:22:51 2003, + 462 msec
subject,joe,joe,other,joe,other,8006,8006,0 0 sphinx.company.com
return,failure: Interrupted system call,-1
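The following Python script is an added example, not part of the original page or of the Secure Shell product: it parses praudit-style text records such as the three entries above, extracts the user, source host, terminal or remote command, and outcome, and tallies failed logins per source host, which is the figure a monitoring script would alert on. The sample trail is copied from the entries shown above. The field layout assumed for the subject token (audit ID, uid, gid, real uid, real gid, pid, session ID, terminal ID with the host as its last word) and the rule that a login record with an "sshd login" text token and no return token counts as a success are assumptions, not documented behaviour.

```python
"""Parse praudit-style text output for Secure Shell login events (added example)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Sample trail copied from the audit entries shown above, one praudit token per line.
SAMPLE_TRAIL = """\
header,94,2,login - ssh,,Tue May 13 10:49:44 2010, + 863 msec
subject,joe,joe,other,joe,other,7763,7763,0 2805 sphinx.company.com
text,sshd login joe on /dev/pts/4
header,116,2,login - ssh,,Tue May 13 10:49:58 2010, + 361 msec
subject,joe,joe,other,joe,other,7774,7774,0 2806 sphinx.company.com
text,sshd login joe on (no tty)
text,remote command: sftp
header,81,2,AUE_ssh,,Tue May 13 11:22:51 2003, + 462 msec
subject,joe,joe,other,joe,other,8006,8006,0 0 sphinx.company.com
return,failure: Interrupted system call,-1
"""


@dataclass
class SshAuditEvent:
    event: str                 # event name from the header token
    timestamp: str
    audit_user: str = ""       # audit ID (the user who originally logged in)
    user: str = ""             # effective user ID
    pid: str = ""
    host: str = ""             # remote host taken from the terminal ID field
    tty: str = ""              # "/dev/pts/4" or "(no tty)"
    command: str = ""          # remote command for scp/sftp/exec sessions
    outcome: str = "unknown"   # "success", "failure" or "unknown"
    texts: List[str] = field(default_factory=list)


def split_records(trail: str) -> List[List[str]]:
    """Group token lines into records; every record begins with a header token."""
    records: List[List[str]] = []
    current: List[str] = []
    for line in trail.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("header,"):
            if current:
                records.append(current)
            current = [line]
        elif current:          # tokens before the first header are ignored
            current.append(line)
    if current:
        records.append(current)
    return records


def parse_record(tokens: List[str]) -> SshAuditEvent:
    # header token: record length, version, event name, modifier, timestamp, msec offset
    h = tokens[0].split(",")
    ev = SshAuditEvent(event=h[3], timestamp=h[5].strip())
    for tok in tokens[1:]:
        kind, _, body = tok.partition(",")
        if kind == "subject":
            # Assumed layout: audit ID, uid, gid, real uid, real gid, pid,
            # session ID, terminal ID ("... host"); the host is the last word.
            f = body.split(",")
            ev.audit_user, ev.user, ev.pid = f[0], f[1], f[5]
            term = f[7].split()
            ev.host = term[-1] if term else ""
        elif kind == "text":
            ev.texts.append(body)
            if body.startswith("sshd login "):
                ev.tty = body.partition(" on ")[2]
            elif body.startswith("remote command: "):
                ev.command = body[len("remote command: "):]
        elif kind == "return":
            ev.outcome = "failure" if body.startswith("failure") else "success"
    # Assumption: a record with an "sshd login" text token and no return token
    # (as in the successful entries above) is treated as a successful login.
    if ev.outcome == "unknown" and ev.tty:
        ev.outcome = "success"
    return ev


def parse_trail(trail: str) -> List[SshAuditEvent]:
    return [parse_record(r) for r in split_records(trail)]


def failures_by_source(events: List[SshAuditEvent]) -> Dict[str, int]:
    """Count failed Secure Shell logins per source host."""
    return dict(Counter(e.host for e in events if e.outcome == "failure"))


def describe(ev: SshAuditEvent) -> str:
    how = ev.command or ev.tty or "no session"
    return f"{ev.timestamp}: {ev.user}@{ev.host} {ev.outcome} ({how})"


if __name__ == "__main__":
    evs = parse_trail(SAMPLE_TRAIL)
    for e in evs:
        print(describe(e))
    print("failures by source:", failures_by_source(evs))
```

On a real system the input would be the output of praudit run over the records selected with auditreduce; the parser only needs the token-per-line text form, so the same script works on a saved trail copied off the host for forensic review.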