Extract SU attempts to separate log

beammeup · 08-27-2007, 01:36 PM

I have a SOX requirement from my security team to maintain a log of su attempts for an indefinite period of time. I am wondering if it is possible to create a specific log (if one doesn't already exist) to capture and keep any su to root attempts both successful and failed.

Thanks.

unSpawn · 08-27-2007, 03:07 PM

a specific log (if one doesn't already exist)
Tried "grep su.pam_unix /var/log/messages"?

maintain a log of su attempts for an indefinite period of time.
Change /var/log/messages retention settings in /etc/logrotate.d/* or grep and export to another log.

I have a SOX requirement from my security team
Note this only logs the "su" auth part and not what commands the user does execute. If you need a more detailed audit trail you will want a logging shell wrapper like 'rootsh' or 'sudosh' (combined with remote logging to a syslog server).

MichaelWhite · 08-27-2007, 10:26 PM

Edit /etc/syslog.conf to redirect everything to a separate log file (e.g. auth.log). Check on the man pages.

FrankMabrey · 08-28-2007, 01:44 AM

A quick shell script can grep each day's su attempts to a separate log.

TODAY-DATE=`date +"%b %d"`
SERVER-NAME="foobar"
ATTEMPTED-SU-LOG=/var/log/su.attempts
grep "$TODAY-DATE" /var/log/messages | grep "$SERVER-NAME su" >>"$ATTEMPTED-SU-LOG"

archtoad6 · 09-01-2007, 09:01 AM

Did you test that code before you posted it?

Code:

# TODAY-DATE=`date +"%b %d"`
-su: TODAY-DATE=Sep: command not found
# echo $TODAY-DATE
-DATE

I believe you'll find that '-' is not a legal character in shell variables, although '_' is.

Furthermore, on my MEPIS 6.0 system:

Code:

# date +"%b %d"
Sep 01

while:

Code:

# less -S /var/log/messages |tail -1
Sep  1 08:34:40 localhost -- MARK --

This discrepancy in date format means that your date grep will not work for me as written. I am curious what your (unnamed) distro & OP's RHEL show.