/* Privilege Separation ACTIVE */ 0.01: 2012-05-16 14:25:51 SystemEvent monitord SC-2-1 info monitord: sshd_new: Task started (/opt/ap/apos/sbin/sshd -D -f /etc/ssh/sshd_new_config) 0.02: 2012-05-16 14:25:51 SystemEvent monitord SC-2-1 info monitord: sshd_new_internal: Task started (/opt/ap/apos/sbin/sshd -D -f /etc/ssh/sshd_new_config_internal) 0.03: 2012-05-16 14:25:51 SecurityEvent sshd SC-2-1 info sshd[26625]: Server listening on 0.0.0.0 port 4422. 0.04: 2012-05-16 14:25:51 SecurityEvent sshd SC-2-1 info sshd[26628]: Server listening on 192.168.1.1 port 1022. 0.05: 2012-05-16 14:25:51 SecurityEvent sshd SC-2-1 info sshd[26625]: Server listening on :: port 4422. 0.06: 2012-05-16 14:25:51 SecurityEvent sshd SC-2-1 info sshd[26625]: Server listening on 0.0.0.0 port 830. 0.07: 2012-05-16 14:25:51 SecurityEvent sshd SC-2-1 info sshd[26625]: Server listening on :: port 830. 0.08: 2012-05-16 14:25:51 SecurityEvent sshd SC-2-1 info sshd[26625]: Server listening on 0.0.0.0 port 22. 0.09: 2012-05-16 14:25:51 SecurityEvent sshd SC-2-1 info sshd[26625]: Server listening on :: port 22. 
/* USER ROOT (PRIVILEGED) */ 1.01: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: auth.c::getpwnamallow : AUTHENTICATION (UID == 0, EUID == 0): Parsing server match config options: user == 'root', host == '141.137.37.21', address == '141.137.37.21', subsystem == '(null)' 1.02: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: Accepted keyboard-interactive/pam for root from 141.137.37.21 port 60492 ssh2 1.03: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: sshd.c::privsep_postauth::701 : (UID == 0, EUID == 0): ENTERING PRIVSEP_POSTAUTH : subsystem == '(null)' 1.04: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: session.c::session_input_channel_req::2328 : (UID == 0, EUID == 0): SESSION INPUT CHANNEL REQUEST: c->type == 10, rtype == 'simple@putty.projects.tartarus.org', subsystem == '(null)' 1.05: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: session.c::session_input_channel_req::2328 : (UID == 0, EUID == 0): SESSION INPUT CHANNEL REQUEST: c->type == 10, rtype == 'subsystem', subsystem == '(null)' 1.06: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: session.c::session_subsystem_req::2145 : subsystem request (UID == 0, EUID == 0): subsystem == 'sftp', options.chroot_directory == '(null)', subsytem == '(null)' 1.07: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: subsystem request for sftp by user root 1.08: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: subsystem request (UID == 0, EUID == 0): Parsing server match config options: user == '(null)', host == '(null)', address == '(null)', subsystem == 'sftp' 1.09: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: session.c::session_subsystem_req::2188 : subsystem request for sftp by user root found at index 0: cmd == 'internal-sftp', subsystem == 'sftp' 1.10: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: session.c::session_subsystem_req::2190 : subsystem 
request (UID == 0, EUID == 0): options.chroot_directory == '/data/opt/ap/nbi_fuse' 1.11: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28397]: session.c::do_exec::836 : (UID == 0, EUID == 0): s->ttyfd == -1, subsystem == 'sftp' 1.12: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_exec_no_pty::526 : (UID == 0, EUID == 0): FORKED INTO the CHILD PROCESS: subsystem == 'sftp' 1.13: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_child::1664 : ENTERING DO_CHILD: subsystem == 'sftp' 1.14: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_child::1671 : s->authctxt->force_pwchange == 0, subsystem == 'sftp' 1.15: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_child::1691 : options.use_login == 0, subsystem == 'sftp' 1.16: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_child::1709 : calling 'do_setusercontext(pw)' ...: subsystem == 'sftp' 1.17: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_setusercontext::1496 : (UID == 0, EUID == 0): I'm running with root privileged rights: subsystem == 'sftp' 1.18: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_setusercontext::1522 : (UID == 0, EUID == 0): BEFORE calling 'platform_setusercontext_post_groups(pw)' ...: subsystem == 'sftp' 1.19: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_setusercontext::1529 : (UID == 0, EUID == 0): AFTER called 'platform_setusercontext_post_groups(pw)': options.chroot_directory == '/data/opt/ap/nbi_fuse', subsystem == 'sftp' 1.20: 2012-05-16 14:26:28 SecurityEvent sshd SC-2-1 info sshd[28459]: session.c::do_setusercontext::1541 : (UID == 0, EUID == 0): calling 'safely_chroot(chroot_path, pw->pw_uid)' ...: subsystem == 'sftp' /* USER CPADMIN (NOT PRIVILEGED) -- with privilege separation active the session process has already switched to UID 20011 (2.08) before the 'sftp' subsystem match sets options.chroot_directory (2.15), so unlike the root session (1.20) no 'safely_chroot' call appears before do_setusercontext() exits (2.22) */ 2.01: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6557]: auth.c::getpwnamallow : 
AUTHENTICATION (UID == 0, EUID == 0): Parsing server match config options: user == 'cpadmin', host == '141.137.37.21', address == '141.137.37.21', subsystem == '(null)' 2.02: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6557]: Accepted keyboard-interactive/pam for cpadmin from 141.137.37.21 port 60502 ssh2 2.03: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6557]: sshd.c::privsep_postauth::701 : (UID == 0, EUID == 0): ENTERING PRIVSEP_POSTAUTH : subsystem == '(null)' 2.04: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: sshd.c::privsep_postauth::733 : (UID == 0, EUID == 0): PRIVSEP_POSTAUTH : Priviledged separation dropped : I'm the child process : subsystem == '(null)' 2.05: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::do_setusercontext::1496 : (UID == 0, EUID == 0): I'm running with root privileged rights: subsystem == '(null)' 2.06: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::do_setusercontext::1522 : (UID == 0, EUID == 0): BEFORE calling 'platform_setusercontext_post_groups(pw)' ...: subsystem == '(null)' 2.07: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::do_setusercontext::1529 : (UID == 0, EUID == 0): AFTER called 'platform_setusercontext_post_groups(pw)': options.chroot_directory == '(null)', subsystem == '(null)' 2.08: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::do_setusercontext::1563 : (UID == 20011, EUID == 20011): EXITING FROM 'do_setusercontext()': options.chroot_directory == '(null)', subsystem == '(null)' 2.09: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::session_input_channel_req::2328 : (UID == 20011, EUID == 20011): SESSION INPUT CHANNEL REQUEST: c->type == 10, rtype == 'simple@putty.projects.tartarus.org', subsystem == '(null)' 2.10: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::session_input_channel_req::2328 : (UID == 20011, EUID == 
20011): SESSION INPUT CHANNEL REQUEST: c->type == 10, rtype == 'subsystem', subsystem == '(null)' 2.11: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::session_subsystem_req::2145 : subsystem request (UID == 20011, EUID == 20011): subsystem == 'sftp', options.chroot_directory == '(null)', subsytem == '(null)' 2.12: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: subsystem request for sftp by user cpadmin 2.13: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: subsystem request (UID == 20011, EUID == 20011): Parsing server match config options: user == '(null)', host == '(null)', address == '(null)', subsystem == 'sftp' 2.14: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::session_subsystem_req::2188 : subsystem request for sftp by user cpadmin found at index 0: cmd == 'internal-sftp', subsystem == 'sftp' 2.15: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::session_subsystem_req::2190 : subsystem request (UID == 20011, EUID == 20011): options.chroot_directory == '/data/opt/ap/nbi_fuse' 2.16: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6560]: session.c::do_exec::836 : (UID == 20011, EUID == 20011): s->ttyfd == -1, subsystem == 'sftp' 2.17: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6561]: session.c::do_exec_no_pty::526 : (UID == 20011, EUID == 20011): FORKED INTO the CHILD PROCESS: subsystem == 'sftp' 2.18: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6561]: session.c::do_child::1664 : ENTERING DO_CHILD: subsystem == 'sftp' 2.19: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6561]: session.c::do_child::1671 : s->authctxt->force_pwchange == 0, subsystem == 'sftp' 2.20: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6561]: session.c::do_child::1691 : options.use_login == 0, subsystem == 'sftp' 2.21: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6561]: session.c::do_child::1709 : calling 
'do_setusercontext(pw)' ...: subsystem == 'sftp' 2.22: 2012-05-16 14:29:55 SecurityEvent sshd SC-2-1 info sshd[6561]: session.c::do_setusercontext::1563 : (UID == 20011, EUID == 20011): EXITING FROM 'do_setusercontext()': options.chroot_directory == '/data/opt/ap/nbi_fuse', subsystem == 'sftp' /* Privilege Separation DISABLED -- the same two sessions repeated; here the cpadmin session's do_setusercontext() still runs as UID 0 (5.16), so 'safely_chroot' is reached (5.19) */ 3.01: 2012-05-16 14:32:15 SystemEvent monitord SC-2-1 info monitord: sshd_new: Task started (/opt/ap/apos/sbin/sshd -D -f /etc/ssh/sshd_new_config) 3.02: 2012-05-16 14:32:15 SystemEvent monitord SC-2-1 info monitord: sshd_new_internal: Task started (/opt/ap/apos/sbin/sshd -D -f /etc/ssh/sshd_new_config_internal) 3.03: 2012-05-16 14:32:15 SecurityEvent sshd SC-2-1 info sshd[13220]: Server listening on 0.0.0.0 port 4422. 3.04: 2012-05-16 14:32:15 SecurityEvent sshd SC-2-1 info sshd[13223]: Server listening on 192.168.1.1 port 1022. 3.05: 2012-05-16 14:32:15 SecurityEvent sshd SC-2-1 info sshd[13220]: Server listening on :: port 4422. 3.06: 2012-05-16 14:32:15 SecurityEvent sshd SC-2-1 info sshd[13220]: Server listening on 0.0.0.0 port 830. 3.07: 2012-05-16 14:32:15 SecurityEvent sshd SC-2-1 info sshd[13220]: Server listening on :: port 830. 3.08: 2012-05-16 14:32:15 SecurityEvent sshd SC-2-1 info sshd[13220]: Server listening on 0.0.0.0 port 22. 3.09: 2012-05-16 14:32:15 SecurityEvent sshd SC-2-1 info sshd[13220]: Server listening on :: port 22. 
/* USER ROOT (PRIVILEGED) */ 4.01: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: auth.c::getpwnamallow : AUTHENTICATION (UID == 0, EUID == 0): Parsing server match config options: user == 'root', host == '141.137.37.21', address == '141.137.37.21', subsystem == '(null)' 4.02: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: Accepted keyboard-interactive/pam for root from 141.137.37.21 port 60509 ssh2 4.03: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: session.c::session_input_channel_req::2328 : (UID == 0, EUID == 0): SESSION INPUT CHANNEL REQUEST: c->type == 10, rtype == 'simple@putty.projects.tartarus.org', subsystem == '(null)' 4.04: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: session.c::session_input_channel_req::2328 : (UID == 0, EUID == 0): SESSION INPUT CHANNEL REQUEST: c->type == 10, rtype == 'subsystem', subsystem == '(null)' 4.05: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: session.c::session_subsystem_req::2145 : subsystem request (UID == 0, EUID == 0): subsystem == 'sftp', options.chroot_directory == '(null)', subsytem == '(null)' 4.06: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: subsystem request for sftp by user root 4.07: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: subsystem request (UID == 0, EUID == 0): Parsing server match config options: user == '(null)', host == '(null)', address == '(null)', subsystem == 'sftp' 4.08: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: session.c::session_subsystem_req::2188 : subsystem request for sftp by user root found at index 0: cmd == 'internal-sftp', subsystem == 'sftp' 4.09: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: session.c::session_subsystem_req::2190 : subsystem request (UID == 0, EUID == 0): options.chroot_directory == '/data/opt/ap/nbi_fuse' 4.10: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14702]: session.c::do_exec::836 : 
(UID == 0, EUID == 0): s->ttyfd == -1, subsystem == 'sftp' 4.11: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_exec_no_pty::526 : (UID == 0, EUID == 0): FORKED INTO the CHILD PROCESS: subsystem == 'sftp' 4.12: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_child::1664 : ENTERING DO_CHILD: subsystem == 'sftp' 4.13: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_child::1671 : s->authctxt->force_pwchange == 0, subsystem == 'sftp' 4.14: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_child::1691 : options.use_login == 0, subsystem == 'sftp' 4.15: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_child::1709 : calling 'do_setusercontext(pw)' ...: subsystem == 'sftp' 4.16: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_setusercontext::1496 : (UID == 0, EUID == 0): I'm running with root privileged rights: subsystem == 'sftp' 4.17: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_setusercontext::1522 : (UID == 0, EUID == 0): BEFORE calling 'platform_setusercontext_post_groups(pw)' ...: subsystem == 'sftp' 4.18: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_setusercontext::1529 : (UID == 0, EUID == 0): AFTER called 'platform_setusercontext_post_groups(pw)': options.chroot_directory == '/data/opt/ap/nbi_fuse', subsystem == 'sftp' 4.19: 2012-05-16 14:32:48 SecurityEvent sshd SC-2-1 info sshd[14704]: session.c::do_setusercontext::1541 : (UID == 0, EUID == 0): calling 'safely_chroot(chroot_path, pw->pw_uid)' ...: subsystem == 'sftp' /* USER CPADMIN (NOT PRIVILEGED) */ 5.01: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: auth.c::getpwnamallow : AUTHENTICATION (UID == 0, EUID == 0): Parsing server match config options: user == 'cpadmin', host == '141.137.37.21', address == '141.137.37.21', subsystem == '(null)' 5.02: 
2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: Accepted keyboard-interactive/pam for cpadmin from 141.137.37.21 port 60511 ssh2 5.03: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: session.c::session_input_channel_req::2328 : (UID == 0, EUID == 0): SESSION INPUT CHANNEL REQUEST: c->type == 10, rtype == 'simple@putty.projects.tartarus.org', subsystem == '(null)' 5.04: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: session.c::session_input_channel_req::2328 : (UID == 0, EUID == 0): SESSION INPUT CHANNEL REQUEST: c->type == 10, rtype == 'subsystem', subsystem == '(null)' 5.05: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: session.c::session_subsystem_req::2145 : subsystem request (UID == 0, EUID == 0): subsystem == 'sftp', options.chroot_directory == '(null)', subsytem == '(null)' 5.06: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: subsystem request for sftp by user cpadmin 5.07: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: subsystem request (UID == 0, EUID == 0): Parsing server match config options: user == '(null)', host == '(null)', address == '(null)', subsystem == 'sftp' 5.08: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: session.c::session_subsystem_req::2188 : subsystem request for sftp by user cpadmin found at index 0: cmd == 'internal-sftp', subsystem == 'sftp' 5.09: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: session.c::session_subsystem_req::2190 : subsystem request (UID == 0, EUID == 0): options.chroot_directory == '/data/opt/ap/nbi_fuse' 5.10: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20357]: session.c::do_exec::836 : (UID == 0, EUID == 0): s->ttyfd == -1, subsystem == 'sftp' 5.11: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20359]: session.c::do_exec_no_pty::526 : (UID == 0, EUID == 0): FORKED INTO the CHILD PROCESS: subsystem == 'sftp' 5.12: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 
info sshd[20359]: session.c::do_child::1664 : ENTERING DO_CHILD: subsystem == 'sftp' 5.13: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20359]: session.c::do_child::1671 : s->authctxt->force_pwchange == 0, subsystem == 'sftp' 5.14: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20359]: session.c::do_child::1691 : options.use_login == 0, subsystem == 'sftp' 5.15: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20359]: session.c::do_child::1709 : calling 'do_setusercontext(pw)' ...: subsystem == 'sftp' 5.16: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20359]: session.c::do_setusercontext::1496 : (UID == 0, EUID == 0): I'm running with root privileged rights: subsystem == 'sftp' 5.17: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20359]: session.c::do_setusercontext::1522 : (UID == 0, EUID == 0): BEFORE calling 'platform_setusercontext_post_groups(pw)' ...: subsystem == 'sftp' 5.18: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20359]: session.c::do_setusercontext::1529 : (UID == 0, EUID == 0): AFTER called 'platform_setusercontext_post_groups(pw)': options.chroot_directory == '/data/opt/ap/nbi_fuse', subsystem == 'sftp' 5.19: 2012-05-16 14:34:43 SecurityEvent sshd SC-2-1 info sshd[20359]: session.c::do_setusercontext::1541 : (UID == 0, EUID == 0): calling 'safely_chroot(chroot_path, pw->pw_uid)' ...: subsystem == 'sftp'