syslog logging

From: Gregory Hicks (ghicks_at_cadence.com)
Date: 08/03/04

    Date: Mon, 2 Aug 2004 19:19:18 -0700 (PDT)
    To: focus-sun@securityfocus.com
    
    

    Greetings:

    I've tried to figure this out, but haven't had much success. I'm
    trying to log various events with syslog. These events are:

    - All sudo activities
    - Anyone who does "su - "
    - Any reboot information
    - Anything that could be related with "root" command

    Remote logging is easy.
    mail.debug /var/log/syslog, @loghost

    Sudo is fairly easy - logging via syslog is compiled in. I have this
    in syslog.conf:

    local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;local2.debug;local2.info @loghost
    (The above takes care of everything...)

    su events not so easy. logging for this is done to /var/adm/sulog...
    According to /etc/default/su,

    # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
    # used to log all su attempts. LOG_NOTICE messages are generated for
    # su's to root, LOG_INFO messages are generated for su's to other users,
    # and LOG_CRIT messages are generated for failed su attempt.

    However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
    logged to /var/adm/messages... I see this

    ("'su root' succeeded for ghicks on /dev/pts/22")

    on the console, but nothing in messages...

    Further... Reboot info... Reboot ("init 6") doesn't seem to log
    ANYTHING - except for the messages the syslog daemon put out whilst
    going down ("machine-name syslogd: going down on signal 15") and the
    various config messages the system generates coming up... The 'last'
    command lists WHEN the reboot occurred, but where is it logged that it
    was done?

    Finally... How about logging "anything that could be caused by root"?
    A keystroke logger only activated when root logs in (or su's)? Is
    there such a thing?

    Any thoughts on how to attack this?

    Assist will be appreciated.

    Regards,
    Gregory Hicks

    ---------------------------------------------------------------------
    Gregory Hicks | Principal Systems Engineer
    Cadence Design Systems | Direct: 408.576.3609
    555 River Oaks Pkwy M/S 6B1
    San Jose, CA 95134

    I am perfectly capable of learning from my mistakes. I will surely
    learn a great deal today.

    "A democracy is a sheep and two wolves deciding on what to have for
    lunch. Freedom is a well armed sheep contesting the results of the
    decision." - Benjamin Franklin

    "The best we can hope for concerning the people at large is that they
    be properly armed." --Alexander Hamilton
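An added example, not part of the original post: a loghost-side script that sorts forwarded syslog lines into the event classes the post asks about (su to root, other su, sudo, syslogd shutdown). It assumes auth.* and local2.* are routed to the loghost; the sample lines, host and user names, and the Solaris message ID numbers are constructed.

```shell
#!/bin/sh
# Added example: classify syslog lines received on a loghost.
# Message texts follow the Solaris su/syslogd strings quoted in the post and
# the standard sudo format; host names, users and "[ID ...]" numbers are made up.

# Print one class for a single syslog line.
classify_line() {
    case "$1" in
        *"'su root' succeeded for "*)                         echo su-root-ok ;;
        *"'su root' failed for "*)                            echo su-root-fail ;;
        *"'su "*"' succeeded for "*|*"'su "*"' failed for "*) echo su-other ;;
        *" sudo: "*" : TTY="*"; COMMAND="*)                   echo sudo ;;
        *"syslogd: going down on signal 15"*)                 echo shutdown ;;
        *)                                                    echo other ;;
    esac
}

# Read syslog lines on stdin; print "<class> <line>" for every line that
# involves root (su to root, any sudo command) or a syslogd shutdown.
root_events() {
    while IFS= read -r line; do
        class=$(classify_line "$line")
        case "$class" in
            su-root-ok|su-root-fail|sudo|shutdown) printf '%s %s\n' "$class" "$line" ;;
        esac
    done
}

# Count how many lines on stdin fall into the class given as $1.
count_class() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" = "$1" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample log in the layout a Solaris 8/9 syslogd writes.
sample_log() {
    cat <<'EOF'
Aug  2 19:10:01 sunbox su: [ID 366847 auth.notice] 'su root' succeeded for ghicks on /dev/pts/22
Aug  2 19:11:15 sunbox su: [ID 366847 auth.crit] 'su root' failed for jdoe on /dev/pts/5
Aug  2 19:12:40 sunbox su: [ID 366847 auth.info] 'su oracle' succeeded for ghicks on /dev/pts/22
Aug  2 19:13:02 sunbox sudo: [ID 702911 local2.notice] ghicks : TTY=pts/22 ; PWD=/export/home/ghicks ; USER=root ; COMMAND=/usr/sbin/init 6
Aug  2 19:13:05 sunbox syslogd: going down on signal 15
Aug  2 19:15:30 sunbox sendmail[123]: [ID 801593 mail.info] started daemon
EOF
}

sample_log | root_events
```

Note that a sudo entry whose COMMAND is init/shutdown is the only line here that records who triggered the reboot; the syslogd shutdown line alone says nothing about the user.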

