LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-27-2007, 01:36 PM   #1
beammeup
LQ Newbie
 
Registered: Mar 2005
Location: Worcester, MA
Distribution: RHEL 3, 4, 5, CentOS 5.x
Posts: 15

Rep: Reputation: 0
Extract SU attempts to separate log


I have a SOX requirement from my security team to maintain a log of su attempts for an indefinite period of time. I am wondering if it is possible to create a specific log (if one doesn't already exist) to capture and keep any su to root attempts both successful and failed.

Thanks.
 
Old 08-27-2007, 03:07 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731Reputation: 2731
a specific log (if one doesn't already exist)
Tried "grep su.pam_unix /var/log/messages"?


maintain a log of su attempts for an indefinite period of time.
Change /var/log/messages retention settings in /etc/logrotate.d/* or grep and export to another log.


I have a SOX requirement from my security team
Note this only logs the "su" auth part and not what commands the user does execute. If you need a more detailed audit trail you will want a logging shell wrapper like 'rootsh' or 'sudosh' (combined with remote logging to a syslog server).
 
Old 08-27-2007, 10:26 PM   #3
MichaelWhite
LQ Newbie
 
Registered: Aug 2006
Posts: 2

Rep: Reputation: 0
Edit /etc/syslog.conf to redirect everything to a separate log file (e.g. auth.log). Check on the man pages.
 
Old 08-28-2007, 01:44 AM   #4
FrankMabrey
LQ Newbie
 
Registered: Nov 2001
Location: Left Coast
Posts: 6

Rep: Reputation: 0
A quick shell script can grep each day's su attempts to a separate log.

TODAY-DATE=`date +"%b %d"`
SERVER-NAME="foobar"
ATTEMPTED-SU-LOG=/var/log/su.attempts
grep "$TODAY-DATE" /var/log/messages | grep "$SERVER-NAME su" >>"$ATTEMPTED-SU-LOG"
 
Old 09-01-2007, 09:01 AM   #5
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230Reputation: 230Reputation: 230
Did you test that code before you posted it?
Code:
# TODAY-DATE=`date +"%b %d"`
-su: TODAY-DATE=Sep: command not found
# echo $TODAY-DATE
-DATE
I believe you'll find that '-' is not a legal character in shell variables, although '_' is.

Furthermore, on my MEPIS 6.0 system:
Code:
# date +"%b %d"
Sep 01
while:
Code:
# less -S /var/log/messages |tail -1
Sep  1 08:34:40 localhost -- MARK --
This discrepancy in date format means that your date grep will not work for me as written. I am curious what your (unnamed) distro & OP's RHEL show.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh...log files that store the login attempts Bgrad Linux - Networking 4 03-29-2010 09:40 AM
SSH Alert when root attempts to log gamehack Linux - Software 3 06-03-2009 06:44 AM
/var/log/messages shows failed login attempts... plan9 Linux - Security 8 08-08-2004 12:52 PM
Log failures to a separate file nielchiano Linux - General 0 02-17-2004 03:59 PM
Increase Log in attempts from 1 chrisk5527 Linux - Newbie 5 01-31-2004 02:07 PM


All times are GMT -5. The time now is 11:54 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration