Auditing

Tectia Server logs events in the syslog on Unix and in the Windows Event Log on Windows. Logging (auditing) is very important for security. You should check your logs often, or use tools to analyze them. From the logs you can see, for example, whether unauthorized access has been attempted, and take further action if needed: you could deny the hosts from which the attempts were made, or drop the packets from that domain completely at your firewall. The logs also provide troubleshooting information.

The log events are classified in seven levels, in decreasing order of importance:

Security failure (Windows only)

A user tried to log on but failed.

Security success (Windows only)

A user logged on successfully.

Critical (Unix only)

A critical problem has occurred. By default, this is not used by Tectia Server.

Error

A serious problem has occurred, preventing the intended operation from completing successfully.

Warning

A problem has occurred, but the operation can continue.

Notice (Unix only)

An action has been performed.

Informational

Extra troubleshooting information.

Notification

It is recommended to notify users, before they log in, that their actions are logged. In some jurisdictions this is required.

To display text such as the following to users before login, define a banner-message element in the ssh-server-config.xml file or use the Tectia Server Configuration tool. See the section called “The authentication-methods Block” or General for more information.

Unauthorized use of this system is prohibited.
All actions are logged.

Customizing Logging

Tectia Server allows customizing the severity and facility of different logging events. The events have reasonable default values, which are used if no explicit logging settings are made.

The logging settings are made in the logging element of the ssh-server-config.xml file or with the Tectia Server Configuration tool. See the section called “The params Block” or Logging for more information.

The default logging settings of Tectia Server in the ssh-server-config-default.xml file are shown below:

<logging>
  <log-events facility="auth" severity="informational">
    Auth_method_success Auth_method_failure Auth_methods_completed
    Auth_methods_available Hostbased_auth_warning
    Publickey_auth_warning Publickey_auth_success GSSAPI_auth_warning
    Keyboard_interactive_pam_auth_warning
    Keyboard_interactive_radius_auth_warning
    Keyboard_interactive_securid_auth_warning
    GSSAPI_auth_success
    Keyboard_interactive_pam_auth_success
    Keyboard_interactive_radius_auth_success
    Keyboard_interactive_password_auth_success
    Keyboard_interactive_securid_auth_success
  </log-events>
  <log-events facility="auth" severity="warning">
    Hostbased_auth_error Publickey_auth_error GSSAPI_auth_error
    Keyboard_interactive_pam_auth_error
    Keyboard_interactive_radius_auth_error
    Keyboard_interactive_password_auth_error
    Keyboard_interactive_securid_auth_error
  </log-events>
  <log-events facility="daemon" severity="error">
    Server_start_failed
  </log-events>
  <log-events facility="daemon" severity="notice">
    Server_listener_failed Server_listener_started
    Server_listener_stopped Server_reconfig_finished
    Server_reconfig_started Server_stopping Server_running
    Server_starting
  </log-events>
  <log-events facility="daemon" severity="warning">
    Servant_exited Servant_error
  </log-events>
  <log-events facility="normal" severity="informational">
    Algorithm_negotiation_success Certificate_validation_success
    Certificate_validation_failure Key_store_create
    Key_store_destroy Key_store_add_provider Key_store_decrypt
    Key_store_sign Key_store_sign_digest Logout Disconnect
    Channel_open_failure Session_channel_open
    Session_channel_close Forwarding_channel_open
    Forwarding_channel_open Forwarding_channel_close
    Forwarding_listener_open Forwarding_listener_close
    Auth_listener_open Auth_listener_close Auth_channel_open
    Auth_channel_close
  </log-events>
  <log-events facility="normal" severity="security-failure">
    Connection_denied Login_failure
  </log-events>
  <log-events facility="normal" severity="security-success">
    Connect Login_success
  </log-events>
  <log-events facility="normal" severity="warning">
    Algorithm_negotiation_failure KEX_failure
    Key_store_create_failed Key_store_add_provider_failed
    Key_store_decrypt_failed Key_store_sign_failed
    Key_store_sign_digest_failed
  </log-events>
</logging>

For a description of the log events, see Appendix D.
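The log-events lists above are easy to misroute by hand (an event listed twice, or Login_failure accidentally moved into an informational block, where it is buried in routine noise). The following is an added example, not part of Tectia Server or its manual: it parses a logging block in the format shown above, maps every event to its facility/severity, and flags duplicates, events missing from the configuration, and the connection/login events whose severity differs from the defaults listed above. SAMPLE_CONFIG is a constructed excerpt; the baseline table and the finding categories are the example's own assumptions.

```python
"""Audit a Tectia Server <logging> block for weak or inconsistent routing.
Added example, not part of Tectia Server. SAMPLE_CONFIG is a constructed
excerpt in the ssh-server-config.xml format (whitespace-separated event
names inside <log-events facility="..." severity="...">)."""
import xml.etree.ElementTree as ET

# Baseline taken from the default configuration: connection and login
# outcomes are routed to the security-* severities. Anything lower is a finding.
BASELINE_SEVERITY = {
    "Login_failure": "security-failure",
    "Connection_denied": "security-failure",
    "Login_success": "security-success",
    "Connect": "security-success",
}

SAMPLE_CONFIG = """<logging>
  <log-events facility="auth" severity="informational">
    Auth_method_success Auth_method_failure
  </log-events>
  <log-events facility="normal" severity="informational">
    Logout Disconnect Forwarding_channel_open
    Forwarding_channel_open Login_failure
  </log-events>
  <log-events facility="normal" severity="security-success">
    Connect Login_success
  </log-events>
</logging>"""


def parse_logging(xml_text):
    """Return {event: [(facility, severity), ...]} for every event in the block."""
    routing = {}
    for node in ET.fromstring(xml_text).iter("log-events"):
        facility, severity = node.get("facility", ""), node.get("severity", "")
        for event in (node.text or "").split():  # event names are whitespace-separated
            routing.setdefault(event, []).append((facility, severity))
    return routing


def audit_logging(xml_text):
    """Return sorted (event, issue, detail) tuples; issue is duplicate, missing or weak-severity."""
    routing = parse_logging(xml_text)
    findings = []
    for event, targets in routing.items():
        if len(targets) > 1:  # same event listed in more than one place (or twice in one)
            findings.append((event, "duplicate", f"listed {len(targets)} times: {targets}"))
    for event, wanted in BASELINE_SEVERITY.items():
        targets = routing.get(event)
        if not targets:  # not configured: the server's built-in default applies
            findings.append((event, "missing", "not configured, server default applies"))
        elif not any(sev == wanted for _, sev in targets):
            findings.append((event, "weak-severity", f"expected {wanted}, got {targets}"))
    return sorted(findings)
```

Running audit_logging(SAMPLE_CONFIG) reports the duplicated Forwarding_channel_open, the missing Connection_denied and Login_failure routed at informational instead of security-failure.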

Auditing with Solaris BSM

On Solaris platforms, Basic Security Module (BSM) can be used to audit Secure Shell log-in (both failed and successful) and log-out events.

The log-in events are audited with the event ID 34543 (AUE_tectia) and the log-out events with AUE_logout.

To audit AUE_tectia events, add the following line to /etc/security/audit_event:

34543:AUE_tectia:login - ssh:lo

To prevent clashes with other BSM-aware third-party applications, you can change the AUE_tectia event ID to a unique one by exporting the environment variable SSH_BSM_AUDIT_EVENT_ID=<event_id> before you start Tectia Server.
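Before adding the audit_event entry it is worth checking that 34543 is not already taken by another BSM-aware application. The following is an added example, not part of Tectia Server or Solaris: it parses audit_event lines (number:name:description:classes), detects a clash on the default ID, and produces the entry to add together with the SSH_BSM_AUDIT_EVENT_ID export when a different ID is needed. AUDIT_EVENT_SAMPLE is a constructed excerpt, and choosing the next unused number is this example's own policy, not a Tectia requirement.

```python
"""Plan the BSM audit_event entry for Tectia Server without clashing with
existing events. Added example, not part of Tectia Server or Solaris.
AUDIT_EVENT_SAMPLE is a constructed excerpt of /etc/security/audit_event."""

TECTIA_DEFAULT_ID = 34543
TECTIA_ENTRY = "{id}:AUE_tectia:login - ssh:lo"  # entry format from the manual

AUDIT_EVENT_SAMPLE = """\
# constructed excerpt: number:name:description:classes
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
34543:AUE_vendor_app:vendor login:lo
34544:AUE_vendor_app_logout:vendor logout:lo
"""


def parse_audit_event(text):
    """Return {event_number: event_name} for every non-comment, non-empty line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        number, name = line.split(":", 2)[:2]
        entries[int(number)] = name
    return entries


def plan_tectia_event(text, wanted_id=TECTIA_DEFAULT_ID):
    """Return (event_id, audit_event_line, shell_export).

    event_id is wanted_id when it is free or already registered as AUE_tectia;
    otherwise the next unused number (example policy). shell_export is the
    command to run before starting Tectia Server, or None if the default ID is used.
    """
    entries = parse_audit_event(text)
    event_id = wanted_id
    if entries.get(event_id) not in (None, "AUE_tectia"):
        while event_id in entries:  # walk forward past every taken number
            event_id += 1
    export = None
    if event_id != TECTIA_DEFAULT_ID:
        export = f"export SSH_BSM_AUDIT_EVENT_ID={event_id}"
    return event_id, TECTIA_ENTRY.format(id=event_id), export
```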