Log Review- SU


# 1  
Log Review- SU

Hi,

Can someone please provide some hints on what to look for in Unix/Linux logs such as sulog from an information security perspective.

Regards
# 2  
Repetitive failed tries could be a hint for some unusual behaviour.

Else you might go look up this log when something bad has happened already to get a clue afterwards who might have been it.

If this is not enough and you are looking for some more information, which commands have been issued by whom etc., you might want to have a look at an auditing suite.
Maybe auditd is available for your Linux distribution.
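As an added example (not from the thread), a small Python reviewer for the two things mentioned above: repeated failed su attempts, and who became root. It assumes the classic sulog line format (`SU MM/DD HH:MM +|- tty from-to`) and the syslog lines that shadow-utils su writes; the sample lines, the failure threshold and the admin list are constructed.

```python
import re
from collections import defaultdict
# Constructed sample (not real data): classic sulog "SU MM/DD HH:MM +|- tty from-to"
# lines, then syslog-style su messages in the form shadow-utils su writes.
SAMPLE_LOG = """\
SU 03/14 09:02 + pts/1 alice-root
SU 03/14 22:41 - pts/3 bob-root
SU 03/14 22:41 - pts/3 bob-root
SU 03/14 22:42 - pts/3 bob-root
SU 03/14 22:44 + pts/3 bob-root
Mar 14 23:10:02 host su[4120]: FAILED SU (to root) carol on pts/5
Mar 14 23:10:09 host su[4121]: FAILED SU (to root) carol on pts/5
Mar 15 08:00:01 host su[4300]: + pts/2 alice:root
"""
SULOG_RE = re.compile(r"^SU \d\d/\d\d \d\d:\d\d ([+-]) (\S+) (\S+)-(\S+)$")
SYSLOG_FAIL_RE = re.compile(r"su\[\d+\]: FAILED SU \(to (\S+)\) (\S+) on (\S+)")
SYSLOG_OK_RE = re.compile(r"su\[\d+\]: \+ (\S+) (\S+):(\S+)")

def parse_line(line):
    """Return (success, from_user, to_user, tty), or None for unrelated lines."""
    m = SULOG_RE.match(line)
    if m:
        return m.group(1) == "+", m.group(3), m.group(4), m.group(2)
    m = SYSLOG_FAIL_RE.search(line)
    if m:
        return False, m.group(2), m.group(1), m.group(3)
    m = SYSLOG_OK_RE.search(line)
    if m:
        return True, m.group(2), m.group(3), m.group(1)
    return None

def review(log_text, fail_threshold=3, allowed_root_users=("alice",)):
    """Flag repeated failures per (user, target), a success right after them, and su to root by non-admins."""
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        success, src, dst, tty = rec
        if not success:
            failures[(src, dst)] += 1
            if failures[(src, dst)] == fail_threshold:   # report once, at the threshold
                findings.append(f"repeated failures: {src} -> {dst} on {tty}")
            continue
        n = failures[(src, dst)]
        if n >= fail_threshold:                            # success following a burst of failures
            findings.append(f"success after {n} failures: {src} -> {dst} on {tty}")
        if dst == "root" and src not in allowed_root_users:
            findings.append(f"unexpected root su: {src} on {tty}")
    return findings
```

Two failures (carol) stay below the threshold and produce nothing, which is the point of tuning the threshold to your own environment.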
# 3  
Our policy is that every use of su or sudo has to be explained. Just collecting the records and challenging is a good start, however I added something into /etc/profile that tries to log all the commands too. There are certainly some flaws with it and it depends on people doing su - or su - username to run the profile and therefore be effective, but that has always been the habit here, so I got away with that.

There were various other application specific things embedded in the code but having stripped that out, I think this might still work:
Code:
# Send every command typed in the su'd shell to syslog via logger(1).
# Relies on the DEBUG trap (bash / ksh93), which fires before each command.
function lgcmd
{
  # fc -l -0 lists the last history entry as "<seq>\t<command>"
  cur_cmd_seq=`fc -l -0 | cut -f1`
  # Log each history entry only once, even if the trap fires more than once for it
  if [ "$cur_cmd_seq" != "$prev_cmd_seq" ]
  then
     prev_cmd_seq="$cur_cmd_seq"
     /usr/bin/logger "on $PTS as `id -un`: `fc -l -0 | cut -f2-`"
  fi
}

# Terminal to record; fall back to tty(1) if PTS was not set earlier in the profile
PTS=${PTS:-`tty 2>/dev/null`}
prev_cmd_seq=                  # Set as null in case shell refuses unset variables
trap lgcmd DEBUG

You would need to determine the pseudo-terminal as $PTS but the rest gives you a fairly good trace to challenge people with.


I hope that this helps,
Robin