http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf
Purpose
ESXi maintains a history of all commands entered in the ESXi Shell. This shell command history is maintained in theshell.log file. Within the transcription of commands, the command issuer is identified only by the process or world ID, rather than by username or client address. This article describes how to correlate authentication information from theauth.log file with the history of commands executed in the ESXi Shell.
For more information on the locations of the log files described, see Location of ESXi 5.0 log files (2004201) andLocation of log files for VMware products (1021806).
Resolution
To determine the commands executed in the ESXi Shell, and which user and client issued the request:
- Obtain access to the
auth.logandshell.loglog files.
- Log in to the ESXi Shell, and open each log using the
lesscommand.
- Use a web browser to access
https://ESXiHostnameOrIP/host/auth.logandhttps://ESXiHostnameOrIP/host/shell.log. - Use the
vifscommand line utility in the vCLI to copy the logs to a client, and review them there.
- Read the files from within a
vm-supportlog bundle.
- Log in to the ESXi Shell, and open each log using the
- Open the log file
/var/log/auth.login a text viewer.
- Identify the authentication record, including the Username, Timestamp, and World ID for the session:
- ESXi Shell login at the console appears similar to:
2011-08-29T18:01:00Z login[64386]:root login on 'char/tty/1'
- ESXi Shell login via interactive SSH appears similar to:
2011-08-29T18:01:00Z sshd[12345]: Connection from10.11.12.13 port 26052011-08-29T18:01:00Z sshd[12345]:Accepted keyboard-interactive/pam for root from 10.11.12.13 port 2605 ssh22011-08-29T18:01:00Zsshd[64386]: Session opened for 'root' on /dev/char/pty/t02011-08-29T18:01:00Zsshd[12345]: Session closed for 'root' on /dev/char/pty/t0
...
2011-08-29T18:35:05Z sshd[12345]: Session closed for 'root' 2
- ESXi Shell login via SSH with public key appears similar to:
2011-08-29T18:01:00Z sshd[12345]: Connection from10.11.12.13 port 26052011-08-29T18:01:00Z sshd[12345]:Accepted publickey for root from 10.11.12.13 port 2605 ssh22011-08-29T18:01:00Zsshd[64386]: Session opened for 'root' on /dev/char/pty/t02011-08-29T18:01:00Zsshd[12345]: Session closed for 'root' on /dev/char/pty/t0
...
2011-08-29T18:35:05Z sshd[12345]: Session closed for 'root' 2
Each of these authentication records indicate a successful authentication for the userrooton August 29th at 18:01 GMT. The SSH methods also include the IP address tha the connection was initated from. The shell session is being handled by world64386.
- ESXi Shell login at the console appears similar to:
- Close the log file
/var/log/auth.log.
- Open the log file
/var/log/shell.login a text editor or viewer.
- Identify commands entered which contain the same World ID as identified in Step 3, appearing similar to:
2011-08-29T18:01:01Zshell[64386]: Interactive shell session started2011-08-29T18:05:02Zshell[64386]: cd /var/log2011-08-29T18:05:03Zshell[64386]: ls2011-08-29T18:13:04Zshell[64386]: vmware -v2011-08-29T18:35:05Zshell[64386]: exit
Since the commands were entered in the console session handled by world ID64386, we know that they correspond to the authentication session established by userrootas described in Step 3.
