08-13-2013
su, and the sulog, assumes that the user is already logged in - so there is no IP address - other than their login shell.
The danger of relying on sulog is that it is only fairly certain to tell about the failed attempts - as long as they are only failures. Once successful, a good (at it) hacker will edit that file - removing their entries.
1) to get IP addresses you will need to use the audit mechanism. I will look into that - thanks for the topic for my next blog :wink:
2) to protect your logs you will need something to make them trustable. The solution "used to be" expensive tamper-proof, or near tamper-proof (such as WORM - write-once-read-many) devices. But these are hard (next to impossible) to attach to all virtual machines (aka LPAR/partition). The solution for AIX is to use the "Trusted Log" component of POWERSC.
Hope this helps - and thanks again for the blog idea.
Michael
AULAST:(8) System Administration Utilities AULAST:(8)
NAME
aulast - a program similar to last
SYNOPSIS
aulast [ options ] [ user ] [ tty ]
DESCRIPTION
aulast is a program that prints out a listing of the last logged in users, similarly to the programs last and lastb. aulast searches back through the audit logs, or the given audit log file, and displays a list of all users logged in (and out) based on the range of time in the audit logs. Names of users and ttys can be given, in which case aulast will show only those entries matching the arguments. Names of ttys can be abbreviated, thus aulast 0 is the same as last tty0.
The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created.
The main difference that a user will notice is that aulast prints events from oldest to newest, while last prints records from newest to oldest. Also, the audit system is not notified each time a tty or pty is allocated, so you may not see quite as many records indicating users and their ttys.
OPTIONS
--bad Report on the bad logins.
--extract
Write raw audit records used to create the displayed report into a file aulast.log in the current working directory.
-f file
Use the file instead of the audit logs for input.
--proof
Print out the audit event serial numbers used to determine the preceding line of the report. A serial number of 0 is a placeholder and not an actual event serial number. The serial numbers can be used to examine the actual audit records in more detail. Also, an ausearch query is printed that will let you find the audit records associated with that session.
--stdin
Take audit records from stdin.
EXAMPLES
To see this month's logins
ausearch --start this-month --raw | aulast --stdin
SEE ALSO
last(1), lastb(1), ausearch(8), aureport(8).
AUTHOR
Steve Grubb
Red Hat Nov 2008 AULAST:(8)
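The reply above makes the point that sulog carries no source address and that the audit trail is where that information lives; the man page describes how aulast turns raw audit records into a last-style listing (oldest first, --bad for failures, serial numbers for --proof). The following added example, not part of the forum post or of the audit package, does the same on a handful of constructed raw records: the record layout is assumed from the Linux audit USER_LOGIN/USER_END events, and every host, address and serial number in it is made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample of raw Linux audit records in the layout `ausearch --raw` emits
# (record format assumed from the audit USER_LOGIN/USER_END events; hosts and serials are made up).
RAW_AUDIT = """\
type=USER_LOGIN msg=audit(1376357100.220:2002): pid=4150 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1376356800.101:2001): pid=4101 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=host1.example.net addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1376360400.330:2005): pid=4101 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=host1.example.net addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1376364000.005:2009): pid=4300 uid=0 auid=1001 ses=8 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=host2.example.net addr=203.0.113.5 terminal=/dev/pts/1 res=success'
"""

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): (?P<rest>.*)$")
KEYVAL = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> dict:
    """Split one raw record into a flat dict: outer fields plus the key=value pairs inside msg='...'."""
    m = HEADER.match(line.strip())
    if not m:
        return {}
    rec = {"type": m["type"], "ts": m["ts"], "serial": m["serial"]}
    rest, inner = m["rest"], ""
    q = re.search(r"msg='(.*)'$", rest)
    if q:
        rest, inner = rest[:q.start()], q.group(1)
    for key, val in KEYVAL.findall(rest) + KEYVAL.findall(inner):
        rec.setdefault(key, val.strip('"'))
    return rec

def login_report(raw: str, bad: bool = False) -> list:
    """USER_LOGIN events oldest to newest (aulast order); failures only when bad=True (--bad). Serial kept for --proof."""
    wanted = "failed" if bad else "success"
    rows = []
    for line in raw.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "USER_LOGIN" or rec.get("res") != wanted:
            continue
        rows.append({"user": rec.get("acct") or rec.get("id", "?"), "addr": rec.get("addr", "?"),
                     "terminal": rec.get("terminal", "?"), "ts": int(rec["ts"]), "serial": int(rec["serial"])})
    return sorted(rows, key=lambda r: (r["ts"], r["serial"]))

def format_row(row: dict) -> str:
    """One last(1)-style line; the address column is the field sulog never records."""
    when = datetime.fromtimestamp(row["ts"], timezone.utc).strftime("%a %b %d %H:%M")
    return f"{row['user']:<10} {row['terminal']:<12} {row['addr']:<18} {when}  serial={row['serial']}"

if __name__ == "__main__":
    for r in login_report(RAW_AUDIT) + login_report(RAW_AUDIT, bad=True):
        print(format_row(r))
```

The USER_END record is deliberately ignored, and the out-of-order input is sorted by timestamp to match the oldest-to-newest ordering the man page describes.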