syslog logging

From: Gregory Hicks (ghicks_at_cadence.com)
Date: 08/03/04

    Date: Mon, 2 Aug 2004 19:19:18 -0700 (PDT)
    To: focus-sun@securityfocus.com
    
    

    Greetings:

    I've tried to figure this out, but haven't had much success. I'm
    trying to log various events with syslog. These events are:

    - All sudo activities
    - Anyone who does "su - "
    - Any reboot information
    - Anything that could be related with "root" command

    Remote logging is easy.
    mail.debug /var/log/syslog, @loghost

    Sudo is fairly easy - logging via syslog is compiled in. I have this
    in syslog.conf:

    local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;local2.debug;local2.info;local2.info @loghost
    (The above takes care of everything...)

    su events not so easy. logging for this is done to /var/adm/sulog...
    According to /etc/default/su,

    # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
    # used to log all su attempts. LOG_NOTICE messages are generated for
    # su's to root, LOG_INFO messages are generated for su's to other users,
    # and LOG_CRIT messages are generated for failed su attempt.

    However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
    logged to /var/adm/messages... I see this

    ("'su root' succeeded for ghicks on /dev/pts/22")

    on the console, but nothing in messages...

    Further... Reboot info... Reboot ("init 6") doesn't seem to log
    ANYTHING - except for the messages the syslog daemon put out whilst
    going down ("machine-name syslogd: going down on signal 15") and the
    various config messages the system generates coming up... The 'last'
    command lists WHEN the reboot occurred, but where is it logged that it
    was done?

    Finally... How about logging "anything that could be caused by root"?
    A keystroke logger only activated when root logs in (or su's)? Is
    there such a thing?

    Any thoughts on how to attack this?

    Assist will be appreciated.

    Regards,
    Gregory Hicks

    ---------------------------------------------------------------------
    Gregory Hicks | Principal Systems Engineer
    Cadence Design Systems | Direct: 408.576.3609
    555 River Oaks Pkwy M/S 6B1
    San Jose, CA 95134

    I am perfectly capable of learning from my mistakes. I will surely
    learn a great deal today.

    "A democracy is a sheep and two wolves deciding on what to have for
    lunch. Freedom is a well armed sheep contesting the results of the
    decision." - Benjamin Franklin

    "The best we can hope for concerning the people at large is that they
    be properly armed." --Alexander Hamilton
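Added example, not part of the original post or of Sun's documentation: a small Python model of syslog.conf selector routing. It is run against the stock Solaris 8/9 selector lines as I remember them (treat that reproduction as an assumption and check it against your own /etc/syslog.conf) and against a few added `auth` and `local2` lines whose destinations (`/var/adm/sudolog`, `@loghost`) are illustrative. The point it makes: with the stock file, `auth.notice` is routed only to the console device, so a successful `su root` (LOG_AUTH, LOG_NOTICE) shows on the console but not in /var/adm/messages, while a failed `su` (LOG_CRIT) does reach /var/adm/messages via `*.err`; a single `auth.info` selector covers all three priorities su uses. It also shows the "last selector for a facility on a line wins" rule, which is why `*.err;...;mail.crit` drops mail errors from /var/adm/messages.

```python
"""syslog.conf routing check (added example, not from the original post).

Selector semantics implemented here, as in classic BSD/Solaris syslogd:
  * each line is  selector<whitespace>action
  * a selector is a ';'-separated list of  facility[,facility].level
  * '*' as a facility means every facility
  * a level matches that severity AND everything more severe
  * 'none' drops the facility
  * when several pairs on one line name the same facility, the last wins
"""

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def parse_conf(text):
    """Return [(selector, action)] for the non-comment lines of a syslog.conf."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Solaris requires a TAB between selector and action; accept any whitespace
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def selector_matches(selector, facility, level):
    """Does this selector accept a message of (facility, level)?"""
    want = LEVELS.index(LEVEL_ALIASES.get(level, level))
    matched = False
    for pair in selector.split(";"):
        facs, _, lvl = pair.rpartition(".")
        lvl = LEVEL_ALIASES.get(lvl, lvl)
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue
        # a later pair naming this facility overrides an earlier one
        if lvl == "none":
            matched = False
        elif lvl in LEVELS:
            matched = want <= LEVELS.index(lvl)
    return matched


def route(conf_text, facility, level):
    """All actions (files, @loghost, user lists) a (facility, level) message reaches."""
    return [action for selector, action in parse_conf(conf_text)
            if selector_matches(selector, facility, level)]


# Stock Solaris 8/9 /etc/syslog.conf lines relevant here, reproduced from
# memory (an assumption; verify against your own file).  Note that auth.notice
# goes only to the console device, not to /var/adm/messages.
STOCK_SOLARIS = """
*.err;kern.notice;auth.notice\t\t\t/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages
*.alert;kern.err;daemon.err\t\t\toperator
*.alert\t\t\t\t\t\troot
*.emerg\t\t\t\t\t\t*
"""

# Added lines (illustrative destinations).  auth.info catches su's LOG_NOTICE
# (su to root), LOG_INFO (su to another user) and LOG_CRIT (failure) at once;
# local2 is the facility the poster's sudo build logs to.
HARDENED = STOCK_SOLARIS + """
auth.info\t\t\t\t\t/var/adm/messages
auth.info\t\t\t\t\t@loghost
local2.info\t\t\t\t\t/var/adm/sudolog
local2.info\t\t\t\t\t@loghost
"""

if __name__ == "__main__":
    for name, conf in (("stock", STOCK_SOLARIS), ("hardened", HARDENED)):
        for fac, lvl in (("auth", "notice"), ("auth", "crit"), ("local2", "info")):
            print(f"{name:8} {fac}.{lvl:7} -> {route(conf, fac, lvl)}")
```

To check a real host, read /etc/syslog.conf into `route()` instead of the embedded strings; the function does not handle Solaris's m4 `ifdef(\`LOGHOST', ...)` construct, so run the file through `m4 -D LOGHOST` (or strip that line) first.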

