barnett@crdgw1.crd.ge.com (Bruce Barnett) (07/25/89)
How does Ultrix 3.0 log security errors, like bad "su" to root,
attempts to log in that fail because of too many bad passwords, etc?

I can't get the information I want from syslog or uerf. What am I missing?
--
Bruce G. Barnett	<barnett@crdgw1.ge.com> a.k.a. <barnett@[192.35.44.4]>
			uunet!crdgw1.ge.com!barnett	barnett@crdgw1.UUCP
grr@cbmvax.UUCP (George Robbins) (07/25/89)
In article <1338@crdgw1.crd.ge.com> barnett@crdgw1.crd.ge.com (Bruce Barnett) writes:
> How does Ultrix 3.0 log security errors, like bad "su" to root,
> attempts to log in that fail because of too many bad passwords, etc?
>
> I can't get the information I want from syslog or uerf. What am I missing?

The SU/BADSU information is written to /usr/adm/sulog and the console,
but not to the syslog system. I'm not sure that this is what I'd call
a big win. The multiple login failures are written to syslog as
"REPEATED LOGIN FAILURE MESSAGES".

A misfeature new in 3.1 is that now all SU's are being logged to both
the file and the console. This means that if you have something in
crontab that does a "su -c somebody "fun commands", you get a lot of
silly SU messages on your console that only say "root did an su", since
it doesn't bother to indicate what account was being su'd to.

Here is the script I run from crontab to report on interesting events
and clean up some log files. I wouldn't take it literally, but one
might use it as a guide of things you might want to do. It's a heavily
munged version of the 4.3BSD script, not from Ultrix.

#! /bin/sh
# This is a shell archive, meaning:
# 1. Remove everything above the #! /bin/sh line.
# 2. Save the resulting text in a file.
# 3. Execute the file with /bin/sh (not csh) to create the files:
#	daily
#	uuload
# This archive created: Mon Jul 24 21:52:57 1989
export PATH; PATH=/bin:$PATH
echo shar: extracting "'daily'" '(2078 characters)'
if test -f 'daily'
then
	echo shar: will not over-write existing file "'daily'"
else
sed 's/^X//' << \SHAR_EOF > 'daily'
X#! /bin/sh -
X(
XPATH=/usr/local:/usr/ucb:/bin:/usr/bin:/etc
Xecho "Subject: daily run output"
X
Xecho ""
Xecho "Removing scratch and junk files:"
Xfind /tmp -atime +3 -exec rm -f {} \;
X
Xcd /tmp; find . ! -name . ! -name lost+found -type d \
X	-mtime +1 -exec rmdir {} \;
X
X#cd /usr/tmp; find . ! -name . ! -name lost+found \
X#	-mtime +7 -exec rm -f {} \;
X#
X#cd /usr/tmp; find . ! -name . ! -name lost+found -type d \
X#	-mtime +1 -exec rmdir {} \;
X
Xfind /usr/preserve -type f -mtime +14 -exec rm -f {} \;
X
X#find / \( -name '[#,]*' -o -name '.#*' -o -name core -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
X#	-a -atime +3 -exec rm -f {} \;
X
Xecho ""
Xecho "Cleaning up Messages:"
Xmsgs -c
X
X#echo ""
X#echo "Running news expire"
X#echo ""
X#/usr/new/lib/news/expire
X
X#echo ""
X#echo "Purging accounting records:"
X#/etc/sa -s > /dev/null
X
Xecho ""
Xecho "Running calendar:"
Xcalendar -
X
X#echo ""
X#echo "Rotating mail syslog:"
X#cd /usr/spool/mqueue
X#rm syslog.7
X#mv syslog.6 syslog.7
X#mv syslog.5 syslog.6
X#mv syslog.4 syslog.5
X#mv syslog.3 syslog.4
X#mv syslog.2 syslog.3
X#mv syslog.1 syslog.2
X#mv syslog.0 syslog.1
X#mv syslog syslog.0
X#cp /dev/null syslog
X#chmod 644 syslog
X#kill -1 `cat /etc/syslog.pid`
X#cd /
X
X# extract summary/counts from uerf garbage
X
Xecho ""
Xecho "Error Log Messages:"
X/etc/uerf | \
X	egrep '^MESSAGE|^ERROR' | \
X	sed -e 's/.*MESSAGE *//' -e 's/.*ERROR SYNDROME *//' | \
X	sort | \
X	uniq -c
X
X# should do some kind of rotation...
X
Xecho ""
Xecho "Super User Attempts:"
Xcd /usr/adm
Xcat sulog
Xcp /dev/null sulog
Xchmod 644 sulog
Xkill -1 `cat /etc/syslog.pid`
Xcd /
X
X#echo "Rebuilding find database:"
X#su nobody << EOF
X#	/usr/lib/find/updatedb
X#EOF
X
X#echo ""
X#echo "Cleaning up UUCP:"
X#su uucp << EOF
X#	/usr/lib/uucp/clean.daily
X#EOF
X
X#echo ""
X#echo "Running rdist:"
X#rdist -f /usr/local/lib/Distfile > /usr/adm/rdist-errs 2>&1
X
X#echo ""
X#echo "Checking filesystems:"
X#sync
X#/etc/fsck -n | grep -v '^\*\* Phase'
X
Xecho "Checking subsystem status:"
Xecho ""
Xecho "disks:"
Xdf
X
Xecho ""
Xecho "mail:"
Xmailq
X
Xecho ""
Xecho "uucp:"
X/usr/local/bin/uuload
X) 2>&1 | mail root
SHAR_EOF
if test 2078 -ne "`wc -c < 'daily'`"
then
	echo shar: error transmitting "'daily'" '(should have been 2078 characters)'
fi
chmod +x 'daily'
fi # end of overwriting check
echo shar: extracting "'uuload'" '(616 characters)'
if test -f 'uuload'
then
	echo shar: will not over-write existing file "'uuload'"
else
sed 's/^X//' << \SHAR_EOF > 'uuload'
X#! /bin/sh
X(cd /usr/spool/uucp/sys; du -s *) | \
X/usr/local/bin/nawk '
XBEGIN {
X	normal=10/12
X	fast=14/19.2
X	bad=3/12
X	baud["DEFAULT"]=1200*normal
X	baud["amiga"]=19200*fast
X	baud["bpa"]=19200*fast
X	baud["cbm"]=9600*fast
X	baud["cbmbsw"]=9600*normal
X	baud["hutch"]=1200*normal
X	baud["rutgers"]=19200*fast
X	baud["snark"]=19200*normal
X	baud["uunet"]=19200*fast
X	baud["vu-vlsi"]=19200*fast
X	baud["mecca-s"]=19200*fast
X	fudge=4
X}
X{
X	blocks=$1
X	name=$2
X	if ((speed = baud[name]) == 0)
X		speed=1200*normal;
X	time=((blocks-fudge)*1024/(speed/10))/60
X	if (time >= 1)
X		printf "%-10s%2d:%02d\n", name, time / 60, time % 60
X}' -
SHAR_EOF
if test 616 -ne "`wc -c < 'uuload'`"
then
	echo shar: error transmitting "'uuload'" '(should have been 616 characters)'
fi
chmod +x 'uuload'
fi # end of overwriting check
# End of shell archive
exit 0
--
George Robbins - now working for,	uucp: {uunet|pyramid|rutgers}!cbmvax!grr
but no way officially representing	arpa: cbmvax!grr@uunet.uu.net
Commodore, Engineering Department	fone: 215-431-9255 (only by moonlite)
davew@gvgpsa.GVG.TEK.COM (David C. White) (07/25/89)
In article <1338@crdgw1.crd.ge.com> barnett@crdgw1.crd.ge.com (Bruce Barnett) writes:
>How does Ultrix 3.0 log security errors, like bad "su" to root,
>attempts to log in that fail because of too many bad passwords, etc?

To check for bad "su" attempts, look in /var/adm/sulog. A failed "su"
will look like this:

	BADSU: davew /dev/ttyp4 Mon Jul 24 15:18:57 1989

(OK, so I can't type sometimes)

For failed login attempts, they should get logged in
/var/spool/mqueue/syslog. You may have your logging level set wrong in
/etc/syslog.conf. Check the man page on "syslog(8)" on how to set the
logging levels.
--
Dave White
Grass Valley Group, Inc., P.O. Box 1114, Grass Valley, CA 95945
VOICE: +1 916.478.3052	FAX: +1 916.478.3778
Internet: davew@gvgpsa.gvg.tek.com	UUCP: ...!tektronix!gvgpsa!davew
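The reporting the two replies describe (su attempts from sulog, repeated login failures from syslog), as an added example that is not from either post and not part of the daily script above. The sulog line format is taken from the BADSU line quoted above and the SU: lines are assumed to follow it (with no target account, as noted in the first reply); the exact wording of the syslog record, the sample log lines, the function names and the threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarize su attempts from an
# Ultrix-style sulog and pick repeated-login-failure records out of syslog.
#
# Assumed line formats (the BADSU form is quoted in the thread; the rest
# is an assumption of this example):
#   sulog:   SU: user /dev/ttyNN Mon Jul 24 15:18:57 1989
#            BADSU: user /dev/ttyNN Mon Jul 24 15:18:57 1989
#   syslog:  Jul 24 23:40:55 host login: REPEATED LOGIN FAILURES ON /dev/ttyp2, guest
#
# The SU: line does not record which account was su'd to, so everything
# here is keyed on the invoking user and tty only.

# Per (result, user, tty) counts from a sulog file.
# Output lines: RESULT USER TTY COUNT  (sorted so the output is stable;
# awk's "for (k in n)" order is unspecified)
su_summary() {
	awk '$1 == "SU:" || $1 == "BADSU:" { n[$1 " " $2 " " $3]++ }
	     END { for (k in n) print k, n[k] }' "$1" | sort
}

# Users with at least $2 failed su attempts in the file, most first.
# Output lines: COUNT USER
bad_su_alert() {
	awk -v min="$2" '$1 == "BADSU:" { n[$2]++ }
	     END { for (u in n) if (n[u] >= min) print n[u], u }' "$1" | sort -rn
}

# Repeated-login-failure records from a syslog file as: TTY USER
login_failures() {
	sed -n 's/.*REPEATED LOGIN FAILURES ON \([^,]*\), *\(.*\)$/\1 \2/p' "$1"
}

# --- constructed sample data (made up for this example, not real logs) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SULOG=$WORK/sulog
SYSLOG=$WORK/syslog

cat > "$SULOG" <<'EOF'
SU: root /dev/console Mon Jul 24 03:00:01 1989
BADSU: davew /dev/ttyp4 Mon Jul 24 15:18:57 1989
SU: davew /dev/ttyp4 Mon Jul 24 15:19:10 1989
BADSU: guest /dev/ttyp2 Mon Jul 24 23:41:02 1989
BADSU: guest /dev/ttyp2 Mon Jul 24 23:41:09 1989
BADSU: guest /dev/ttyp2 Mon Jul 24 23:41:15 1989
EOF

cat > "$SYSLOG" <<'EOF'
Jul 24 23:40:55 crdgw1 login: REPEATED LOGIN FAILURES ON /dev/ttyp2, guest
Jul 24 23:42:03 crdgw1 sendmail[123]: AA00123: from=barnett, size=312
EOF

# Report in the style of the daily script's "Super User Attempts:" section.
echo "Super User Attempts:";      su_summary "$SULOG"
echo "Repeated su failures (3+):"; bad_su_alert "$SULOG" 3
echo "Repeated login failures:";  login_failures "$SYSLOG"
```

Run it from cron in place of the bare `cat sulog`, pointing the functions at /usr/adm/sulog (or /var/adm/sulog) and the syslog file named in /etc/syslog.conf; truncate sulog afterwards only if you keep the summary, since the counts are the only record of the BADSU burst once the file is zeroed.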