Extract SU attempts to separate log
I have a SOX requirement from my security team to maintain a log of su attempts for an indefinite period of time. I am wondering if it is possible to create a specific log (if one doesn't already exist) to capture and keep any su to root attempts both successful and failed.
Thanks.
Quote:
a specific log (if one doesn't already exist)
Tried "grep su.pam_unix /var/log/messages"?
Quote:
maintain a log of su attempts for an indefinite period of time
Change /var/log/messages retention settings in /etc/logrotate.d/* or grep and export to another log.
Quote:
I have a SOX requirement from my security team
Note this only logs the "su" auth part and not what commands the user executes. If you need a more detailed audit trail you will want a logging shell wrapper like 'rootsh' or 'sudosh' (combined with remote logging to a syslog server).
Edit /etc/syslog.conf to redirect everything to a separate log file (e.g. auth.log). Check on the man pages.
A quick shell script can grep each day's su attempts to a separate log.
Code:
TODAY-DATE=`date +"%b %d"`
SERVER-NAME="foobar"
ATTEMPTED-SU-LOG=/var/log/su.attempts
grep "$TODAY-DATE" /var/log/messages | grep "$SERVER-NAME su" >>"$ATTEMPTED-SU-LOG"
Did you test that code before you posted it?
Code:
# TODAY-DATE=`date +"%b %d"`
Furthermore, on my MEPIS 6.0 system:
Code:
# date +"%b %d"
Code:
# less -S /var/log/messages | tail -1
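The following is an added example, not code posted in this thread. It pulls the two pieces together that the replies touch on: grepping the su lines out of a syslog-style /var/log/messages and splitting them into successful and failed attempts to become root (the pam_unix "session opened"/"authentication failure" lines plus su's own "(to root)"/"FAILED SU" lines, as many syslog setups record them), and a corrected form of the daily-extract script. The two fixes in that script are that shell variable names may not contain a hyphen (TODAY-DATE is parsed as the command "TODAY-DATE=..." minus "DATE", which is why the original never worked), and that syslog writes the day of month space-padded, so "%b %e" matches a log line on the 5th while "%b %d" ("Mar 05") never does. The sample log lines are constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: extract su-to-root attempts from a syslog-style messages
# file and keep them in a separate log.  Not the thread's original script.

# Constructed sample log in the classic syslog / pam_unix / su format.
# One su invocation normally produces both a pam_unix line and an su line.
SAMPLE_LOG="${TMPDIR:-/tmp}/su-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  5 09:12:01 foobar su[1201]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Mar  5 09:12:01 foobar su[1201]: (to root) alice on pts/0
Mar  5 10:41:17 foobar su[1302]: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar  5 10:41:19 foobar su[1302]: FAILED SU (to root) bob on pts/1
Mar  5 11:03:44 foobar su[1388]: pam_unix(su:session): session opened for user postgres by alice(uid=1000)
Mar  5 11:30:00 foobar sshd[1400]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Mar  6 08:00:03 foobar su[1450]: pam_unix(su:session): session opened for user root by carol(uid=1002)
EOF

# Every su line for one host on one day.
# $1 = day in syslog form ("Mar  5", day space-padded), $2 = hostname,
# $3 = messages file.  The pid in brackets is optional because not every
# su build logs it.
su_lines_for_day() {
    grep -E "^$1 [0-9:]+ $2 su(\[[0-9]+\])?: " "$3"
}

# Successful su to root: a PAM session opened for root, or su's own
# "(to root)" line.  Note the su to postgres above is deliberately excluded.
su_root_success() {
    grep -E 'su(\[[0-9]+\])?: (pam_unix\(su:session\): session opened for user root |\(to root\) )' "$1"
}

# Failed su to root: pam_unix auth failure with user=root, or "FAILED SU (to root)".
su_root_failed() {
    grep -E 'pam_unix\(su:auth\): authentication failure;.* user=root$|: FAILED SU \(to root\) ' "$1"
}

# Line counts, handy for a daily SOX summary.  "|| true" keeps the count
# printable when grep finds nothing (grep -c exits 1 on zero matches).
su_root_success_count() { su_root_success "$1" | grep -c . || true; }
su_root_failed_count()  { su_root_failed  "$1" | grep -c . || true; }

# Corrected form of the thread's daily-extract script: append today's su
# lines for this host to a separate log that logrotate does not touch.
# $1 = hostname, $2 = messages file, $3 = destination log
# (defaults are the ones used in the thread).
extract_todays_su_attempts() {
    today_date=$(date +"%b %e")          # "%e" matches syslog's space-padded day
    server_name="${1:-foobar}"
    messages_file="${2:-/var/log/messages}"
    attempted_su_log="${3:-/var/log/su.attempts}"
    su_lines_for_day "$today_date" "$server_name" "$messages_file" >> "$attempted_su_log"
}

# Demo on the constructed sample: 3 successful lines, 2 failed lines.
echo "successful su to root: $(su_root_success_count "$SAMPLE_LOG")"
echo "failed su to root:     $(su_root_failed_count "$SAMPLE_LOG")"
su_root_failed "$SAMPLE_LOG"
```

Run the extract function from a daily cron job with the real hostname; the destination file is then outside the logrotate rotation of /var/log/messages, which addresses the "indefinite period" requirement, though as the reply above notes it still records only the authentication, not what was done afterwards.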