Re: syslog logging
From: Charles Heselton (charles.heselton_at_gmail.com)
Date: 08/04/04
- Previous message: Reg Quinton: "Re: How to Restrict a user, not a root, Login to the Console?"
- In reply to: Gregory Hicks: "syslog logging"
- Next in thread: Andrew J Caines: "Re: syslog logging"
- Reply: Andrew J Caines: "Re: syslog logging"
- Reply: Rex Monty di Bona: "Re: syslog logging"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 3 Aug 2004 19:33:48 -0700
To: Gregory Hicks <ghicks@cadence.com>
On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks
<ghicks@cadence.com> wrote:
> Greetings:
>
> I've tried to figure this out, but haven't had much success. I'm
> trying to log various events with syslog. These events are;
>
> - All sudo activities
> - Anyone who does "su - "
> - Any reboot information
> - Anything that could be related with "root" command
>
> Remote logging is easy.
> mail.debug /var/log/syslog, @loghost
>
> Sudo is fairly easy - logging via syslog is compiled in. I have this
> in syslog.conf:
>
> local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;local2.debug;local2.info;local2.info @loghost"
I *believe* this could be handled by:
local2.* @loghost
> (The above takes care of everything...)
>
> su events not so easy. logging for this is done to /var/adm/sulog...
> According to /etc/default/su,
>
> # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
> # used to log all su attempts. LOG_NOTICE messages are generated for
> # su's to root, LOG_INFO messages are generated for su's to other users,
> # and LOG_CRIT messages are generated for failed su attempt.
>
> However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
> logged to /var/adm/messages... I see this
>
> ("'su root' succeeded for ghicks on /dev/pts/22")
>
> on the console, but nothing in messages...
Have you checked /var/log/sulog ?
>
> Further... Reboot info... Reboot ("init 6") doesn't seem to log
> ANYTHING - except for the messages the syslog daemon put out whilst
> going down ("machine-name syslogd: going down on signal 15") and the
> various config messages the system generates coming up... The 'last'
> command lists WHEN the reboot occurred, but where is it logged that it
> was done?
>
> Finally... How about logging "anything that could be caused by root"?
> A keystroke logger only activated when root logs in (or su's)? Is
> there such a thing?
>
> Any thoughts on how to attack this?
If you want to log EVERYTHING, then I would think that you would have
to install an actual keylogger, and figure out some way to kick it off
when the current euid is root (0). That seems a bit like
"big-brother-is-watching-you" to me. If you're building a
honey-pot...OK....I can see that. If this is an internal system with
multiple users, it seems a bit of overkill. Be that as it may, I
think your answer is in auditing not just logging. Try googling for
"Solaris auditing", or "Solaris audit.conf", and unless you *want* to
be "big-brother", this should suffice.
>
> Assist will be appreciated.
>
> Regards,
> Gregory Hicks
>
> ---------------------------------------------------------------------
> Gregory Hicks | Principal Systems Engineer
> Cadence Design Systems | Direct: 408.576.3609
> 555 River Oaks Pkwy M/S 6B1
> San Jose, CA 95134
>
> I am perfectly capable of learning from my mistakes. I will surely
> learn a great deal today.
>
> "A democracy is a sheep and two wolves deciding on what to have for
> lunch. Freedom is a well armed sheep contesting the results of the
> decision." - Benjamin Franklin
>
> "The best we can hope for concerning the people at large is that they
> be properly armed." --Alexander Hamilton
>
>
--
Charlie Heselton
Network Security Engineer
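The reply points at the sulog file as the place su records actually land. As an added example (not part of this thread or of any Solaris tool), the POSIX shell script below summarises su-to-root activity from Solaris-style sulog lines, separating successful and failed attempts. The sample lines are constructed, and the field layout assumed is the usual `SU MM/DD hh:mm [+|-] tty fromuser-touser`, with `+` marking success and `-` failure.

```shell
#!/bin/sh
# Added example: summarise su-to-root attempts from Solaris-style sulog lines.
# Assumed record layout (one per line):
#   SU MM/DD hh:mm [+|-] tty fromuser-touser    '+' = success, '-' = failure
# The sample below is constructed for illustration; feed a real sulog via stdin.

SAMPLE_SULOG='SU 08/03 19:33 + pts/22 ghicks-root
SU 08/03 19:35 - pts/22 guest-root
SU 08/03 19:40 + pts/4 ghicks-oracle
SU 08/03 19:41 - console guest-root
SU 08/03 19:42 + pts/9 admin-root'

# su_root_events: print one line per su whose target was root (reads stdin).
# The from/to pair is split on the LAST '-' so a hyphenated source user
# name does not confuse the parse.
su_root_events() {
    awk '$1 == "SU" {
        n = split($6, u, "-")
        to = u[n]
        if (to != "root") next
        from = substr($6, 1, length($6) - length(to) - 1)
        status = ($4 == "+") ? "SUCCESS" : "FAILED"
        printf "%s %s %s %s -> root via %s\n", $2, $3, status, from, $5
    }'
}

# count_ok_root_su: number of successful su-to-root records on stdin.
count_ok_root_su() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ { n++ } END { print n + 0 }'
}

# count_failed_root_su: number of failed su-to-root records on stdin.
# Repeated failures from one tty are the thing worth alerting on.
count_failed_root_su() {
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ { n++ } END { print n + 0 }'
}

# Demonstration run over the constructed sample:
printf '%s\n' "$SAMPLE_SULOG" | su_root_events
printf 'successful su to root: %s\n' "$(printf '%s\n' "$SAMPLE_SULOG" | count_ok_root_su)"
printf 'failed su to root:     %s\n' "$(printf '%s\n' "$SAMPLE_SULOG" | count_failed_root_su)"
```

Usage on a live host is `su_root_events < /var/adm/sulog` (or whichever path the system writes). Note that with `SYSLOG=YES` su also emits its LOG_AUTH messages, so they appear wherever syslog.conf routes the `auth` facility (on a stock Solaris configuration that is typically /var/log/authlog rather than /var/adm/messages); forwarding that facility with a line such as `auth.notice @loghost` gets the same records off the box.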