syslog logging

From: Gregory Hicks (ghicks_at_cadence.com)
Date: 08/03/04

Date: Mon, 2 Aug 2004 19:19:18 -0700 (PDT)
To: focus-sun@securityfocus.com

    Greetings:

    I've tried to figure this out, but haven't had much success. I'm
    trying to log various events with syslog. These events are:

    - All sudo activities
    - Anyone who does "su - "
    - Any reboot information
    - Anything that could be related to a "root" command

    Remote logging is easy.
    # one action per line; the selector and action are separated by a tab
    mail.debug	/var/log/syslog
    mail.debug	@loghost

    Sudo is fairly easy - logging via syslog is compiled in. I have this
    in syslog.conf:

    # selector list joined onto one line; the action follows a tab
    local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;local2.info;local2.debug	@loghost
    (The above takes care of everything...)

    su events are not so easy. Logging for this is done to /var/adm/sulog...
    According to /etc/default/su,

    # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
    # used to log all su attempts. LOG_NOTICE messages are generated for
    # su's to root, LOG_INFO messages are generated for su's to other users,
    # and LOG_CRIT messages are generated for failed su attempt.

    However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
    logged to /var/adm/messages... I see this

    ("'su root' succeeded for ghicks on /dev/pts/22")

    on the console, but nothing in messages...

    Further... Reboot info... Reboot ("init 6") doesn't seem to log
    ANYTHING - except for the messages the syslog daemon put out whilst
    going down ("machine-name syslogd: going down on signal 15") and the
    various config messages the system generates coming up... The 'last'
    command lists WHEN the reboot occurred, but where is it logged that it
    was done?

    Finally... How about logging "anything that could be caused by root"?
    A keystroke logger only activated when root logs in (or su's)? Is
    there such a thing?

    Any thoughts on how to attack this?

    Assist will be appreciated.

    Regards,
    Gregory Hicks

    ---------------------------------------------------------------------
    Gregory Hicks | Principal Systems Engineer
    Cadence Design Systems | Direct: 408.576.3609
    555 River Oaks Pkwy M/S 6B1
    San Jose, CA 95134

    I am perfectly capable of learning from my mistakes. I will surely
    learn a great deal today.

    "A democracy is a sheep and two wolves deciding on what to have for
    lunch. Freedom is a well armed sheep contesting the results of the
    decision." - Benjamin Franklin

    "The best we can hope for concerning the people at large is that they
    be properly armed." --Alexander Hamilton
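Once the su and sudo records are forwarded to loghost as the post describes, the next question is picking out the root-related ones. The following is an added example, not part of the original post or any reply: it parses syslog lines in the 'su root' succeeded/failed form the post quotes and in sudo's standard "USER=... ; COMMAND=..." form, and returns only su-to-root attempts and sudo commands run as root (the sample lines, hostnames and usernames are constructed).

```python
import re

# Constructed sample lines in the shape a Solaris syslog writes when
# /etc/default/su has SYSLOG=YES and sudo logs via syslog (as in the post).
# The text after "su:" follows the message quoted in the post; the text
# after "sudo:" follows sudo's usual syslog format. Hosts/users are made up.
SAMPLE_LOG = """\
Aug  2 19:19:18 loghost su: 'su root' succeeded for ghicks on /dev/pts/22
Aug  2 19:20:02 loghost su: 'su root' failed for jdoe on /dev/pts/5
Aug  2 19:21:40 loghost su: 'su oracle' succeeded for ghicks on /dev/pts/22
Aug  2 19:22:11 loghost sudo:   ghicks : TTY=pts/22 ; PWD=/export/home/ghicks ; USER=root ; COMMAND=/usr/sbin/init 6
Aug  2 19:25:00 loghost sudo:   jdoe : TTY=pts/5 ; PWD=/tmp ; USER=oracle ; COMMAND=/usr/bin/id
"""

# 'su <target>' succeeded|failed for <user> on <tty>
SU_RE = re.compile(
    r"su: 'su (?P<target>\S+)' (?P<result>succeeded|failed) for (?P<user>\S+) on (?P<tty>\S+)")
# <user> : TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)")


def root_events(log_text):
    """Return the records a loghost reviewer wants to see: every su to root
    (successful or failed) and every sudo command executed as root."""
    events = []
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m and m.group("target") == "root":
            events.append({"kind": "su", "user": m.group("user"), "tty": m.group("tty"),
                           "ok": m.group("result") == "succeeded", "line": line})
            continue
        m = SUDO_RE.search(line)
        if m and m.group("target") == "root":
            events.append({"kind": "sudo", "user": m.group("user"), "tty": m.group("tty"),
                           "ok": True, "cmd": m.group("cmd"), "line": line})
    return events


if __name__ == "__main__":
    for e in root_events(SAMPLE_LOG):
        status = "OK  " if e["ok"] else "FAIL"
        print(f"{status} {e['kind']:4} {e['user']:8} {e['tty']:12} {e.get('cmd', '')}")
```

The sudo record for "init 6" also answers the reboot question in the post for the sudo case: the command and the invoking user are both in the line, whereas a bare reboot as root leaves only the syslogd shutdown message.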

