How can I audit Ip adresses of users logging into system?

Question

I have a group of servers which use Kerberos for authentication. We distribute keytabs to users but want to ensure that a user never pass their keytab to someone else. Essentially we need to audit the Ip's of users logging into our system. If the Ip doesn't seem to belong to our domain we want to know about it. What can I do? I'm a bit of a noon. Can this be done using auditd? Thanks!

score 0 · Answer 1 · answered Jun 24 '15 at 15:52

0

You can use the command "last" which will show users who logged into the server, ip address, and date.

http://linux.die.net/man/1/last

answered Jun 24 '15 at 15:52

chrisw9808

309
1
5

score 0 · Accepted Answer · answered Jun 24 '15 at 15:59

auditd to the rescue:

ausearch -m USER_AUTH

yields (among others):

type=USER_AUTH msg=audit(1435161396.088:342): pid=17550 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.x terminal=ssh res=success

How can I audit Ip adresses of users logging into system?

2 Answers2