Question : How to make Solaris BSM capture OpenSSH activities?

This is the known interoperability problem between OpenSSH and BSM. I did some research on the net, but the results were for Solaris 8 and OpenSSH 3.5.1.

I am working on Solaris 10 with OpenSSH 4.6.1. I want to get help from experts on the complete solution for how to make it work. Does it still need an OpenSSH patch? Do both BSM and OpenSSH need to be configured?

So far I have tried the following configuration settings...

BSM side:
/etc/security/audit_event:

9202:AUE_openssh:login - ssh:lo,at1

(9202 is the event id, not confident it is right as I just added 1 based on the last event definition line in the original file)

/etc/security/audit_record_attr:
label=AUE_openssh
  program=/usr/local/sbin/sshd
  format=[text]1
    comment=error message

OpenSSH side:
UsePrivilegeSeparation no (default is yes)
UseLogin=yes

The encouraging news is that the SSH login/logout sessions could be captured in the BSM audit data file, but it is weird that they are tagged as telnet.

header,32,2,login - telnet,,dummy_machine,2009-01-21 12:55:56.833 -05:00,return,success,0
header,32,2,logout,,dummy_machine,2009-01-21 12:56:08.763 -05:00,return,success,0
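The records quoted above, as an added example in Python (not code from the original post): it parses praudit-style comma-delimited header lines to list login records carrying a label other than the expected ssh one, and checks a proposed audit_event entry for event-number or name clashes. The audit_event lines other than the 9202 one, and the third praudit record, are constructed.

```python
import csv
from io import StringIO

# Constructed sample data: the two praudit records quoted in the question
# plus a made-up third one, and a hypothetical excerpt of audit_event.
PRAUDIT_LINES = """\
header,32,2,login - telnet,,dummy_machine,2009-01-21 12:55:56.833 -05:00,return,success,0
header,32,2,logout,,dummy_machine,2009-01-21 12:56:08.763 -05:00,return,success,0
header,32,2,login - ssh,,dummy_machine,2009-01-21 13:02:11.004 -05:00,return,failure,1
"""

AUDIT_EVENT_LINES = """\
# constructed excerpt of /etc/security/audit_event (number:name:description:flags)
9200:AUE_example_a:example a:lo
9201:AUE_example_b:example b:lo
9202:AUE_openssh:login - ssh:lo,at1
"""


def parse_audit_event(text):
    """Map event number -> (name, description, classes), skipping comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        number, name, desc, classes = line.split(":", 3)
        table[int(number)] = (name, desc, classes)
    return table


def check_event_id(text, event_id, name):
    """Problems with adding event_id/name: clash on number or name with another line."""
    table = parse_audit_event(text)
    problems = []
    if event_id in table and table[event_id][0] != name:
        problems.append("id %d already used by %s" % (event_id, table[event_id][0]))
    for num, (n, _, _) in table.items():
        if n == name and num != event_id:
            problems.append("name %s already used by id %d" % (name, num))
    return problems


def parse_praudit(text):
    """Parse praudit -l style header lines (as shown in the question) into dicts."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0] != "header":
            continue
        records.append({"event": row[3], "host": row[5], "time": row[6],
                        "status": row[8], "return": row[9]})
    return records


def login_events_not_tagged(records, expected="login - ssh"):
    """Login records whose event label differs from the expected one."""
    return [r for r in records
            if r["event"].startswith("login") and r["event"] != expected]
```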



Answer : How to make Solaris BSM capture OpenSSH activities?

Have a look at the following doc:

http://lists.mindrot.org/pipermail/openssh-unix-dev/2003-January/016430.html

Otherwise you can create a login file and use syslog to log the ssh login info to a file. Here are the procedures I wrote a long time ago:

   To log all the ssh login info:
     edit the sshd_config file, to set these directives:

     #obsoletes QuietMode and FascistLogging
     SyslogFacility AUTH
     LogLevel INFO

     You can increase your logging level with "DEBUG" in the LogLevel directive.
     # debug mode will generate a large log file, INFO is good enough for us.

     Create a specific ssh logfile:
       touch /var/adm/sshlog
       chgrp sys /var/adm/sshlog

     Edit the /etc/syslog.conf file, to add this entry:

     auth.debug /var/adm/sshlog     # Must space

     # log ssh connections add by Greg Yu, 7/7/2006
     #auth.debug      /var/adm/sshlog
     auth.info       /var/adm/sshlog

     Stop and restart the syslog service.
     /etc/rc2.d/S74syslog stop
     /etc/rc2.d/S74syslog start

     Check your new logfile /var/adm/sshlog


 
