Re: syslog logging

From: Charles Heselton (charles.heselton_at_gmail.com)
Date: 08/04/04

    Date: Tue, 3 Aug 2004 19:33:48 -0700
    To: Gregory Hicks <ghicks@cadence.com>
    
    

    On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks
    <ghicks@cadence.com> wrote:
    > Greetings:
    >
    > I've tried to figure this out, but haven't had much success. I'm
    > trying to log various events with syslog. These events are;
    >
    > - All sudo activities
    > - Anyone who does "su - "
    > - Any reboot information
    > - Anything that could be related with "root" command
    >
    > Remote logging is easy.
    > mail.debug /var/log/syslog, @loghost
    >
    > Sudo is fairly easy - logging via syslog is compiled in. I have this
    > in syslog.conf:
    >
    > local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;local2.debug;local2.info;local2.info @loghost"

    I *believe* this could be handled by:

    local2.* @loghost

    > (The above takes care of everything...)
    >
    > su events not so easy. logging for this is done to /var/adm/sulog...
    > According to /etc/default/su,
    >
    > # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
    > # used to log all su attempts. LOG_NOTICE messages are generated for
    > # su's to root, LOG_INFO messages are generated for su's to other users,
    > # and LOG_CRIT messages are generated for failed su attempt.
    >
    > However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
    > logged to /var/adm/messages... I see this
    >
    > ("'su root' succeeded for ghicks on /dev/pts/22")
    >
    > on the console, but nothing in messages...

    Have you checked /var/log/sulog ?

    >
    > Further... Reboot info... Reboot ("init 6") doesn't seem to log
    > ANYTHING - except for the messages the syslog daemon put out whilst
    > going down ("machine-name syslogd: going down on signal 15") and the
    > various config messages the system generates coming up... The 'last'
    > command lists WHEN the reboot occurred, but where is it logged that it
    > was done?
    >
    > Finally... How about logging "anything that could be caused by root"?
    > A keystroke logger only activated when root logs in (or su's)? Is
    > there such a thing?
    >
    > Any thoughts on how to attack this?

    If you want to log EVERYTHING, then I would think that you would have
    to install an actual keylogger, and figure out some way to kick it off
    when the current euid is root (0). That seems a bit like
    "big-brother-is-watching-you" to me. If you're building a
    honey-pot...OK....I can see that. If this is an internal system with
    multiple users, it seems a bit of overkill. Be that as it may, I
    think your answer is in auditing not just logging. Try googling for
    "Solaris auditing", or "Solaris audit.conf", and unless you *want* to
    be "big-brother", this should suffice.

    >
    > Assist will be appreciated.
    >
    > Regards,
    > Gregory Hicks
    >
    > ---------------------------------------------------------------------
    > Gregory Hicks | Principal Systems Engineer
    > Cadence Design Systems | Direct: 408.576.3609
    > 555 River Oaks Pkwy M/S 6B1
    > San Jose, CA 95134
    >
    > I am perfectly capable of learning from my mistakes. I will surely
    > learn a great deal today.
    >
    > "A democracy is a sheep and two wolves deciding on what to have for
    > lunch. Freedom is a well armed sheep contesting the results of the
    > decision." - Benjamin Franklin
    >
    > "The best we can hope for concerning the people at large is that they
    > be properly armed." --Alexander Hamilton
    >
    >

    -- 
    Charlie Heselton
    Network Security Engineer
    
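A syslog.conf fragment for the goals discussed in the thread (sudo on local2, su via LOG_AUTH as the quoted /etc/default/su comment describes), written by a small script so that the tab separators Solaris syslog.conf(4) requires between selector and action survive, plus a check that flags space-separated rules. This is an added example, not part of the thread; "loghost" is the name used in the thread, and the output goes to a constructed scratch file rather than /etc/syslog.conf.

```shell
#!/bin/sh
# Added example: write a syslog.conf fragment for the thread's goals and
# verify that every rule separates selector from action with a TAB, as
# Solaris syslog.conf(4) requires. The output path is a scratch file.

tab=$(printf '\t')

# Write the fragment with printf so the separators are real tabs.
write_fragment() {
    {
        printf '# sudo logs to local2; one wildcard covers every priority\n'
        printf 'local2.*\t@loghost\n'
        printf '# su with SYSLOG=YES in /etc/default/su logs through LOG_AUTH;\n'
        printf '# info and above covers notice (su to root) and crit (failed su)\n'
        printf 'auth.info\t/var/log/authlog\n'
        printf 'auth.info\t@loghost\n'
    } > "$1"
}

# Report every non-comment rule whose selector/action separator is not a tab.
# Returns 0 when all rules are tab-separated, 1 otherwise.
check_separators() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;      # blank line or comment
            *"$tab"*) ;;              # contains a tab: accepted by syslogd
            *) printf 'not tab-separated, syslogd will not apply it: %s\n' "$line"
               bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Demo on a scratch file (constructed; not a system path).
scratch=$(mktemp)
write_fragment "$scratch"
check_separators "$scratch" && echo "fragment OK: $scratch"
```

Running the check against an existing syslog.conf is a quick way to catch rules that were typed with spaces and silently never matched.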
