Unix/Linux Go Back    


Security Discuss UNIX and Linux computer and network security, cyber security, cyber attacks, IT security, and more.

Log Review- SU

Security


Closed    
 
Thread Tools Search this Thread Display Modes
    #1  
Old Unix and Linux 09-17-2015
Tilus Tilus is offline
Registered User
 
Join Date: Sep 2015
Last Activity: 18 September 2015, 10:04 AM EDT
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Log Review- SU

Hi,

Can some please provide some hints on what to look for in unix/Linux logs such as sulog from a Information security perspective.

Regards
Sponsored Links
    #2  
Old Unix and Linux 09-17-2015
zaxxon's Unix or Linux Image
zaxxon zaxxon is online now Forum Staff  
code tag tagger
 
Join Date: Sep 2007
Last Activity: 24 February 2017, 2:41 AM EST
Location: St. Gallen, Switzerland
Posts: 6,544
Thanks: 168
Thanked 553 Times in 476 Posts
Repetitive failed tries could be a hint for some unusual behaviour.

Else you might go look up this log when something bad has happened already to get a clue afterwards who might have been it.

If this is not enough and you are looking for some more information, which commands have been issued by whom etc., you might want to have a look at an auditing suite.
Maybe auditd is available for your Linux distribution.
Sponsored Links
    #3  
Old Unix and Linux 09-22-2015
rbatte1 rbatte1 is offline Forum Staff  
Root armed
 
Join Date: Jun 2007
Last Activity: 23 February 2017, 11:53 AM EST
Location: Lancashire, UK
Posts: 3,011
Thanks: 1,252
Thanked 575 Times in 522 Posts
Our policy is that every use of su or sudo has to be explained. Just collecting the records and challenging is a good start, however I added something in to /etc/profile that tries to log all the commands too. There are certainly some flaws with it and it depends on people doing su - or su - username to run the profile and therefore be effective, but that has always been the habit here, so I got away with that.

There were various other application specific things embedded in the code but having stripped that out, I think this might still work:-
Code:
function lgcmd
{
 cur_cmd_seq=`fc -l -0 | cut -f1`
 if [ "$cur_cmd_seq" != "$prev_cmd_seq" ]
 then
    prev_cmd_seq="$cur_cmd_seq"
    /usr/bin/logger "on $PTS as `id -un`: `fc -l -0 | cut -f2-`"
 fi
}

prev_cmd_seq=                  # Set as null in case shell refuses unset variables
trap lgcmd DEBUG

You would need to determine the pseudo-terminal as $PTS but the rest gives you a fairly good trace to challenge people with.


I hope that this helps,
Robin
Sponsored Links
Closed

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Linux More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Please, review script. algernonz Shell Programming and Scripting 1 11-09-2008 09:01 PM



All times are GMT -4. The time now is 04:03 AM.