Hi everyone,
7.3.1 patch 4
We were in the midst of deploying some rules to one of our customer environments based on password criteria (brute force, password guessing, etc.) and noticed that from Unix log sources (in this case ESXi servers) there is no traditional "Authentication success" message in the /var/log/auth for, in this case, SSH authentication. The "Authentication failure" message appears, but for success there is just a "session opened".
sshd_config looks pretty typical. Log level is INFO.
A login failure followed by success example looks like this:
Login successful:
Jul 7 10:51:24 srbarriga su(pam_unix)[14592]: session opened for user test2 by (uid=10101)
Jul 7 10:52:14 srbarriga sshd(pam_unix)[17365]: session opened for user test by (uid=508)
Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)
Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
Is there any way to get a traditional success? Otherwise the best course of action seems to be to create separate rules for these servers because of the different logic that will be required.
Thanks,
Nathan
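The point of the post is that pam_unix never emits an "Authentication success" line, so a rule has to treat "session opened for user X" as the success event and "authentication failure" as the failure event. The Python below is an added example, not code from the post or from any product it mentions, that parses the four log lines quoted above plus a few constructed sshd lines (hostname esxi01 and address 192.0.2.10 are made up) and flags a success that follows a run of failures on the same host and service. The year, threshold and window are assumptions chosen for the example; syslog timestamps carry no year.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message".
# The pid is optional (the vsftpd line has none) and "program" may be
# "su(pam_unix)" or plain "sshd".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s"
    r"(?P<msg>.*)$"
)
# pam_unix logs no "Authentication success"; the session being opened is the
# only success signal available, so that is what we match.
SUCCESS_RE = re.compile(r"session opened for user (?P<user>\S+) by \S*\(uid=(?P<uid>\d+)\)")
# Failure line carries rhost= and sometimes a trailing user= field.
FAILURE_RE = re.compile(r"authentication failure;.*?\brhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?")

def parse_line(line, year=2018):
    """Turn one syslog line into an auth event dict, or None if it is neither a
    pam_unix success nor a pam_unix failure."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # Collapse "Jul  7" to "Jul 7" and prepend the assumed year (syslog has none).
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    # "su(pam_unix)" -> "su", "sshd(pam_unix)" -> "sshd", "vsftpd" -> "vsftpd"
    service = re.match(r"[^(\[]+", m["prog"]).group(0)
    msg = m["msg"]
    s = SUCCESS_RE.search(msg)
    if s:
        return {"ts": ts, "host": m["host"], "service": service, "outcome": "success",
                "user": s["user"], "uid": int(s["uid"]), "rhost": None}
    f = FAILURE_RE.search(msg)
    if f:
        return {"ts": ts, "host": m["host"], "service": service, "outcome": "failure",
                "user": f["user"], "uid": None, "rhost": f["rhost"] or None}
    return None

def detect_fail_then_success(lines, threshold=3, window_s=300, year=2018):
    """Return one alert per success that was preceded, within window_s seconds,
    by at least `threshold` failures on the same (host, service).

    The success line has no rhost, so the correlation key is host+service
    rather than source address."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)   # (host, service) -> timestamps of failures in window
    alerts = []
    for e in events:
        q = recent_failures[(e["host"], e["service"])]
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                     # expire failures outside the window
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif len(q) >= threshold:
            alerts.append({"host": e["host"], "service": e["service"], "user": e["user"],
                           "failures": len(q), "success_at": e["ts"].isoformat()})
            q.clear()                       # one alert per run of failures
    return alerts

SAMPLE_LINES = [
    # the four lines quoted in the post
    "Jul 7 10:51:24 srbarriga su(pam_unix)[14592]: session opened for user test2 by (uid=10101)",
    "Jul 7 10:52:14 srbarriga sshd(pam_unix)[17365]: session opened for user test by (uid=508)",
    "Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)",
    "Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4",
    # constructed lines (host esxi01 and 192.0.2.10 are made up): three failures, then a session opens
    "Jul 7 10:55:01 esxi01 sshd(pam_unix)[2001]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root",
    "Jul 7 10:55:03 esxi01 sshd(pam_unix)[2002]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root",
    "Jul 7 10:55:05 esxi01 sshd(pam_unix)[2003]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root",
    "Jul 7 10:55:09 esxi01 sshd(pam_unix)[2004]: session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for a in detect_fail_then_success(SAMPLE_LINES):
        print(a)
```

Run stand-alone it prints a single alert for esxi01/sshd/root with three failures; the srbarriga successes have no preceding failures and the localhost vsftpd failure is on a different service and days before the su login, so neither produces anything. Because the pam_unix success line carries neither the remote address nor the method, a rule built on it can only join failures and successes on host, service and (when the failure line includes user=) user name, which is the different logic the post anticipates needing.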