LinuxQuestions.org > Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 07-27-2006, 05:21 AM, eswanepoel (LQ Newbie; Registered: Aug 2004; Posts: 10)
Tracking user logins that were allowed and not allowed

I am running a Red Hat Linux 9 box as an application server. The auditors now want a detailed log of everybody who logs in and of any errors that were given to them, e.g. bad passwords or wrong login time.
 
#2, 07-27-2006, 09:16 AM, druuna (LQ Veteran; Registered: Sep 2003; Posts: 10,532)
Hi,

I can only point you to the 'obvious' log files and commands. With 'obvious' I mean logins to the machine itself (ftp, shell, ssh, etc.).

This is probably not enough (or even what the auditors want).

Why? Because you say that this box is an application server. All/some of the applications have their own log directories (all depending on how things are installed/configured).

This information should be present in the (functional/technical) documentation/designs that came with the apps that are installed. Or (which is kinda scary) inside the head of the person(s) that installed it.

Ok, here's some info, but like I stated before this is probably not (all) that the auditors want:

/var/log => Holds multiple logfiles and/or directories with logfiles. Naming and what is logged depends, among other things, on syslog and its configuration (/etc/syslog.conf).

Take a look at messages, this is a more general logfile with all kinds of (login) information.

last and lastlog are 2 commands that deal with logins. If faillog is set up, take a look at that command too.

Hope this clears things up a bit.
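The syslog.conf lines that decide where the login messages druuna refers to end up, shown here as an added example rather than anything from the original post. The first two entries are the stock Red Hat 9 ones; the third is an addition for the auditors, and the host name loghost is assumed.

```conf
# /etc/syslog.conf as read by syslogd on Red Hat 9 (first two entries are the defaults)

# General traffic at info and above; auth messages are excluded here on purpose
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# login, su, sshd and the rest of the PAM/authpriv traffic goes to a separate,
# root-only file; this is where "Accepted"/"Failed password" lines live
authpriv.*                                              /var/log/secure

# Added entry (assumed host name "loghost"): ship a second copy off the box over
# syslog/UDP 514, so a compromised server cannot quietly edit the only record of
# who logged in. The receiving syslogd must be started with -r to accept it.
authpriv.*                                              @loghost
```

Restart syslogd after editing (service syslog restart) and separate selector and action with tabs, which every sysklogd version accepts. Red Hat's sshd_config sets SyslogFacility AUTHPRIV, so ssh events land in /var/log/secure rather than messages; check that setting if the file is empty. The remote copy travels in clear text, so keep the log host on a management network.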
 
#3, 07-27-2006, 01:20 PM, live_dont_exist (Member; Registered: Aug 2004; Location: India; Distribution: Redhat 9.0, FC3, FC5, FC10; Posts: 257)
When you mention you're running an application server... what's this application all about? What I mean is, try and find out what components it uses to get itself working.

e.g. Apache for a web frontend (so you look in the docs for places where Apache stores its logs).

Oracle as a database backend: look at Oracle auditing. I'm no SQL guru, but I do believe you can get all the audit logs with a couple of simple queries.

And as druuna mentioned, the /var/log directory holds a lot of info... that should be more than sufficient for the auditors... trust me...

I'll tell you what they are looking at: they are just trying to find out whether your processes are in order. They are not bothered about how good or how many pages your logs are; they just want to know whether all the important stuff is logged so you can find out info in case of a compromise.

So..
1. Find out the application logs; give it to them
2. Find out the db logs; give it to them
3. Get all the system logs; give it to them
4. Segregate the login (system), su, ssh and remote logins and give it to them

They'll be happy... and don't give them only the logs from last week; start off from at least a month back. Hopefully you should find all you need.

All the best from a fellow auditor
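A worked example of step 4 above (segregating the login, su and ssh events) and of the /var/log reading druuna described, added here and not part of either post. It is a small POSIX shell script that reads the authpriv-style lines Red Hat 9 writes to /var/log/secure and reports accepted logins, failed logins, su-to-root successes and refusals, the source addresses behind failed SSH attempts, and user names that were tried but do not exist. The log lines are constructed for the example (modelled on the OpenSSH 3.x and pam_unix message formats of that era); the host name appsrv, the user names and the 192.0.2.x addresses are made up.

```shell
#!/bin/sh
# Added example, not from the thread: summarise login successes and failures
# from syslog-style lines such as Red Hat 9 writes to /var/log/secure.
# The sample below is CONSTRUCTED for this example; "appsrv", the user names
# and the 192.0.2.x addresses are made up.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 27 05:21:01 appsrv sshd[1234]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Jul 27 05:22:15 appsrv sshd[1240]: Failed password for bob from 192.0.2.11 port 51240 ssh2
Jul 27 05:22:19 appsrv sshd[1241]: Failed password for illegal user mallory from 192.0.2.11 port 51241 ssh2
Jul 27 05:22:25 appsrv sshd[1242]: Failed password for bob from 192.0.2.11 port 51242 ssh2
Jul 27 05:23:02 appsrv su(pam_unix)[1260]: session opened for user root by alice(uid=500)
Jul 27 05:24:40 appsrv su(pam_unix)[1270]: authentication failure; logname=bob uid=501 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Jul 27 05:25:00 appsrv login(pam_unix)[1280]: session opened for user carol by LOGIN(uid=0)
Jul 27 05:26:00 appsrv login(pam_unix)[1290]: authentication failure; logname= uid=0 euid=0 tty=tty2 ruser= rhost=  user=dave
Jul 27 05:27:00 appsrv sshd[1300]: Accepted publickey for carol from 192.0.2.12 port 51300 ssh2
EOF

# count_matches FILE REGEX -> number of matching lines; prints 0 (not exit 1) on no match
count_matches() {
    grep -c -E -- "$2" "$1" || true
}

# Successful interactive logins: sshd "Accepted ..." plus console logins via pam_unix
accepted_logins() {
    count_matches "$1" 'sshd\[[0-9]+\]: Accepted |login\(pam_unix\)\[[0-9]+\]: session opened'
}

# Failed logins: sshd "Failed password" plus pam_unix authentication failures on login
failed_logins() {
    count_matches "$1" 'sshd\[[0-9]+\]: Failed password|login\(pam_unix\)\[[0-9]+\]: authentication failure'
}

# su to root: successful escalations and refused attempts, counted separately
su_ok()     { count_matches "$1" 'su\(pam_unix\)\[[0-9]+\]: session opened for user root'; }
su_failed() { count_matches "$1" 'su\(pam_unix\)\[[0-9]+\]: authentication failure'; }

# Remote addresses behind failed SSH attempts, most frequent first, one "count ip" per line
failed_ssh_sources() {
    grep -E 'sshd\[[0-9]+\]: Failed password' "$1" \
      | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# User names that were tried but do not exist; auditors usually want these listed on their own
unknown_user_attempts() {
    grep -E 'Failed password for illegal user' "$1" \
      | sed -E 's/.*illegal user ([^ ]+) from.*/\1/' | sort -u
}

# login_report FILE -> human-readable summary of the categories above
login_report() {
    f=$1
    echo "accepted logins:   $(accepted_logins "$f")"
    echo "failed logins:     $(failed_logins "$f")"
    echo "su to root ok:     $(su_ok "$f")"
    echo "su to root failed: $(su_failed "$f")"
    echo "failed ssh sources (count ip):"
    failed_ssh_sources "$f" | sed 's/^/  /'
    echo "unknown user names attempted:"
    unknown_user_attempts "$f" | sed 's/^/  /'
}

login_report "$SAMPLE_LOG"
```

On a real box replace the sample with `login_report /var/log/secure` (and the rotated secure.1, secure.2, ... files, since the auditors want a month back). Note that /var/log/secure only holds what syslog's authpriv facility received; a PAM module or daemon that logs elsewhere, or a box whose syslog.conf was changed, will not show up here, which is why the su and login patterns are kept separate from the sshd ones.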
 
#4, 08-02-2006, 04:37 AM, eswanepoel (Original Poster; LQ Newbie; Registered: Aug 2004; Posts: 10)
Thanks

Thanks for the help.
Quote: Originally Posted by live_dont_exist (post #3, quoted in full)
 