Re: syslog logging
From: Charles Heselton (charles.heselton_at_gmail.com)
Date: Tue, 3 Aug 2004 19:33:48 -0700
To: Gregory Hicks <firstname.lastname@example.org>
On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks
> I've tried to figure this out, but haven't had much success. I'm
> trying to log various events with syslog. These events are;
> - All sudo activities
> - Anyone who does "su - "
> - Any reboot information
> - Anything that could be related with "root" command
> Remote logging is easy.
> mail.debug /var/log/syslog, @loghost
> Sudo is fairly easy - logging via syslog is compiled in. I have this
> in syslog.conf:
> nfo;local2.info @loghost"
I *believe* this could be handled by:
> (The above takes care of everything...)
> su events not so easy. logging for this is done to /var/adm/sulog...
> According to /etc/default/su,
> # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
> # used to log all su attempts. LOG_NOTICE messages are generated for
> # su's to root, LOG_INFO messages are generated for su's to other users,
> # and LOG_CRIT messages are generated for failed su attempt.
> However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
> logged to /var/adm/messages... I see this
> ("'su root' succeeded for ghicks on /dev/pts/22")
> on the console, but nothing in messages...
Have you checked /var/log/sulog ?
> Further... Reboot info... Reboot ("init 6") doesn't seem to log
> ANYTHING - except for the messages the syslog daemon put out whilst
> going down ("machine-name syslogd: going down on signal 15") and the
> various config messages the system generates coming up... The 'last'
> command lists WHEN the reboot occurred, but where is it logged that it
> was done?
> Finally... How about logging "anything that could be caused by root?
> A keystroke logger only activated when root logs in (or su's)? Is
> there such a thing?
> Any thoughts on how to attack this?
If you want to log EVERYTHING, then I would think that you would have
to install an actual keylogger, and figure out some way to kick it off
when the current euid is root (0). That seems a bit like
"big-brother-is-watching-you" to me. If you're building a
honey-pot...OK....I can see that. If this is an internal system with
multiple users, it seems a bit of overkill. Be that as it may, I
think your answer is in auditing, not just logging. Try googling for
"Solaris auditing", or "Solaris audit.conf", and unless you *want* to
be "big-brother", this should suffice.
> Assist will be appreciated.
> Gregory Hicks
> Gregory Hicks | Principal Systems Engineer
> Cadence Design Systems | Direct: 408.576.3609
> 555 River Oaks Pkwy M/S 6B1
> San Jose, CA 95134
> I am perfectly capable of learning from my mistakes. I will surely
> learn a great deal today.
> "A democracy is a sheep and two wolves deciding on what to have for
> lunch. Freedom is a well armed sheep contesting the results of the
> decision." - Benjamin Franklin
> "The best we can hope for concerning the people at large is that they
> be properly armed." --Alexander Hamilton
--
Charlie Heselton
Network Security Engineer
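As an added example that is not part of this thread, the script below pulls the su and sudo events the original poster asked about out of a syslog file once the LOG_AUTH facility is routed there. The su wording follows the message quoted above ("'su root' succeeded for ghicks on /dev/pts/22"); the "failed" form and the sudo line layout are assumptions, and the log file is a constructed sample, not real data.

```shell
#!/bin/sh
# Added example: summarise root-related su/sudo events from a syslog file.
# The su "succeeded" wording is from the thread; the "failed" form and the
# sudo line format are assumptions. The log below is a constructed sample.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Aug  2 19:10:01 sol8 su: 'su root' succeeded for ghicks on /dev/pts/22
Aug  2 19:11:15 sol8 su: 'su oracle' succeeded for ghicks on /dev/pts/22
Aug  2 19:12:40 sol8 su: 'su root' failed for jdoe on /dev/pts/5
Aug  2 19:13:02 sol8 sudo: ghicks : TTY=pts/22 ; PWD=/home/ghicks ; USER=root ; COMMAND=/usr/bin/id
Aug  2 19:14:30 sol8 sudo: jdoe : TTY=pts/5 ; PWD=/home/jdoe ; USER=oracle ; COMMAND=/usr/bin/ls
Aug  2 19:20:00 sol8 syslogd: going down on signal 15
EOF

# Number of su attempts that targeted root with the given outcome.
# $1 = log file, $2 = "succeeded" or "failed"
count_su_root() {
    grep -c "'su root' $2 for " "$1" || true   # grep -c exits 1 on zero matches
}

# Distinct users who became root via su, one per line.
su_root_users() {
    sed -n "s/.*'su root' succeeded for \([^ ]*\) on .*/\1/p" "$1" | sort -u
}

# sudo invocations that ran a command as root (USER=root in the sudo line).
count_sudo_root() {
    grep -c 'sudo: .* USER=root ; ' "$1" || true
}

# Whether syslogd recorded its own shutdown, the only reboot trace the
# original poster found in the logs.
syslogd_shutdown_seen() {
    grep -q 'syslogd: going down on signal 15' "$1"
}

report() {
    echo "su to root succeeded: $(count_su_root "$1" succeeded)"
    echo "su to root failed:    $(count_su_root "$1" failed)"
    echo "users who became root:"; su_root_users "$1" | sed 's/^/  /'
    echo "sudo commands as root: $(count_sudo_root "$1")"
    syslogd_shutdown_seen "$1" && echo "syslogd shutdown recorded (system went down)"
}

report "$SAMPLE_LOG"
```

Point the functions at /var/adm/messages (or the loghost's copy) instead of the sample; /var/adm/sulog keeps its own format and is not covered here.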