is it possible to trace everything about user that changes from its own user to root user, failed and successful attempts (I would need user and IP address of user that was trying to do that)?
I tried adding auth.notice and auth.info in syslog.conf but it only tracks user withoud IP address but I would need more information about user that tried to switch to root user.
...
Each time the su command is executed, an entry is made in the /var/adm/sulog file. The /var/adm/sulog file records the following information: date, time, system name, and login name. The
/var/adm/sulog file also records whether or not the login attempt was successful: a + (plus sign) indicates a successful login, and a - (minus sign) indicates an unsuccessful login.
...
When you know all this, you could pick the date, login and system name entry for the suspicous line and could cross check with the output of last and find out which line relates to it.
As Zaxxon, mentioned. 1st look at the sulog file under "/var/adm", and then check 'last' command. Or other way for last command is cd to /var/adm and run "who -u wtmp" (same o/p as last, as last command reads the o/p from this file itself).
You should be able to track the user by username, its terminal, hostname/IP address, date and time.
Location: on the road for work; home is private time
Posts: 456
Thanks Given: 10
Thanked 108 Times in 100 Posts
su, and the sulog, assumes that the user is already logged in - so their is no IP address - other than their login shell.
The danger of relying on sulog is that is only fairly certain to tell about the failed attempts - as long as they are only failures. Once successful, a good (at it) hacker will edit that file - removing their entries.
1) to get IP addresses you will need to use the audit mechanism. I will look into that - thanks for the topic for my next blog :wink:,
2) to protect your logs you will need something to make them trustable. The solution "used to be" expensive tamper-proof, or near tamper-proof (such as WORM - write-once-read-many) devices. But this are hard (next to impossible) to attach to all virtual machines (aka LPAR/partition). The solution for AIX is to use the "Trusted Log" component of POWERSC.
Hope this helps - and thanks again for the blog idea.
Michael
This User Gave Thanks to MichaelFelt For This Post:
We have a separate server that is just a syslog collector. In /etc/syslog.conf, we have the following entry added along with anything to local disk files you want to keep:-
Code:
*.debug @111.222.333.444
So anything written via syslog is immediate duplicated to that address.
This traps anything that you have set up to write to the syslog, including login, failed-login, FTP trace(if you have it) SSH connections etc. along with any catastrophic system failure, and the log may give you a clue to get restarted again.
We kept the definition as IP to stop anyone fiddling with the DNS entry first. Of course, then you have to defend the server collecting the syslog output, but that might be easier as you can write firewall rules pretty tightly around it and only let in the syslog traffic. Access for us is via the (virtual) console only and reports can be requested and out-bound FTP is allowed to get the reports to the LAN.
I think that the syslog collector uses software from the security company RSA, but I might be wrong. You could always use your own though.
Hi All
Thought it would be kind of fun to implement a stack trace for a shell script that calls functions within a sub shell. This is for bash under Linux and probably not portable -
#! /bin/bash
error_exit()
{
echo "======================="
echo $1
echo... (4 Replies)
Hi,
I am an oracle DBA pretty new to unix. We had one of the filesystems full and a colleague cleared some stuffs to create more space. I just checked now and found there is now more space available. How do i find exactly what he cleared? We have oracle database installed and its a RAC... (4 Replies)
Hi All
After downloading ZFS documentation from oracle site, I am able to successfully migrate UFS root FS without zones to ZFS root FS. But in case of UFS root file system with zones , I am successfully able to migrate global zone to zfs root file system but zone are still in UFS root file... (2 Replies)
What is the command to check the activity of all users with root access on a Unix platform? Right now, there is like about 20 users with root and someone accidentally made some changes to the crontab and I need to trace which user did it. (5 Replies)
Hi
I am working in ksh and getting the trace after trying to remove the file which in some cases does not exist:
$ my_script
loadfirm.dta.master: No such file or directory
The code inside the script which produces this trace is the following:
] || rm ${FILE}.master >> /dev/null
for... (3 Replies)
Hi,
Last day, In one of our unix boxes there was an issue wherein few of the directory structures were missing / got deleted.
Is there any way by which we can find how it happened, I mean by going through syslog / which user had run what command?
Thanks for your help (3 Replies)
hi everybody ,
i have a solaris 5.6 box and i want to trace the route on an ip i treid traceroute but soalris 5.6 does not support it ...
is there a command that can be used equivelent to traceroute ?
thanks for your help (2 Replies)
All,
I want to run a non-root script as the root user with non-root environment variables with crontab. The non-root user would have environment variables for database access such as Oracle or Sybase. The root user does not have the Oracle or Sybase enviroment variables. I thought you could do... (2 Replies)
In my organization in order for anyone to go to any Unix server they have to go through "SERVER A" and login as themselves.
Then people are free to go enywhere they please.
For example:
SERVER A, loggs in as himself
telnets to SERVER B, loggs in as guest
telnets to SERVER C, loggs in as... (8 Replies)
08-13-2013
