Tracking user logins that was allowed and not allowed
 

I am running a Linux Red Hat 9 box for a application server. The Auditors now whant's a detailed log of everybody that logs in and any errors that was given to them e.g. bad passwords wrong login time?

Hi,

I can only point you to the 'obvious' log files and commands. With 'obvious' I mean logins that are to the machine itself (ftp,shell,ssh etc).

This is probably not enough (or even what the auditors want).

Why? Because you say that this box is an application server. All/some of the application have their own log directory (all depending on how things are installed/configured).

This information should be present in the (functional/technical) documentation/designs that came with the apps that are installed. Or (which is kinda scary) inside the head of the person(s) that installed it.

Ok, here's some info, but like I stated before this is probably not (all) that the auditors want:

/var/log => Holds multiple logfiles and/or directories with logfiles. Naming and what is logged depends, among other things, on syslog and its configuration (/etc/syslog.conf).

Take a look at messages, this is a more general logfile with all kinds of (login) information.

last and lastlog are 2 commands that deal with logins. If faillog is setup, take a look at that command too.

Hope this clears things up a bit.

When you mention ur running an application server...whats this application all about?...what I mean is...try and find out what components it uses to get itself working...

eg..Apache for a web frontend(so you look in the docs for places where Apache stores its logs)

Oracle as a database backend...look at Oracle auditing...I'm no SQL guru...but I do believe you can get all teh audit logs with a couple of simple queries

And as Drunni mentioned...the /var/log directory holds a lot of info....that should be more than sufficient for the auditors...trust me...

I'll tell you what they r looking at .. they are just trying to find out whether your processes are in order...they are not bothered about how good or how many pages your logs are...they just want to know whether all the important stuff is logged so you can find out info incase of a compromise...

So..
1.Find out the application logs ; give it to them
2.Find out the db logs ; give it to them
3.Get all the system logs ; give it to them
4.Segregate the login(system) , su , ssh , remote logins and give it to them

They'll be happy....and dont give them all teh logs from lsat week...start off from atleast a month back...hopefully u shud find all you need...

All the best from a fellow auditor :)

Thanx
 

Thanxs for the HELP..