topic Re: How to Hide Syslog file in Operating System - HP-UX

How to Hide Syslog file

Laurie A. Krumrey — Fri, 11 Jan 2002 20:03:38 GMT

Hi All,

We have Trusted HP-UX Servers (11.0 and 11.11)
and I want to hide the syslog files. Basically
if someone gets in they might try to cover
their tracks by editing the syslog.log file.

Now how could I setup to syslog.log into another directory instead of /var/adm/syslog
and called the file another name, like
stuff.save.

But then I would have to change the /etc/syslog.conf file or else a hacker
could find where I am hiding tne new syslog.

Any thoughts?

Also (part 2 here) I want to know how to have
an audit trail of everyone who ftp's and
telnet's in.

Thank You,
Laurie

Re: How to Hide Syslog file

Craig Rants — Fri, 11 Jan 2002 20:08:54 GMT

Don't know of a way to hide syslog.log unless you recompile to not use a syslog.conf file and put all the directives in the C code.

Second part, auth.info is standard syslog entry for putting login info into syslog.log. Test the auth facility with some different serverity levels to see which one shows what you are looking for.

GL,
C

Re: How to Hide Syslog file

Sridhar Bhaskarla — Fri, 11 Jan 2002 20:08:57 GMT

Hi Laurie,

The best method is to send the syslogs to a remote syslog server and restrict access to only people who are authorized. This way you dont have to worry about it.

Modifying the syslog.conf file like

*.info @someotherserver

will send the message to someotherserver

Do not create any accounts on someotherserver except for few admins and periodically check the server.

Make note still the hacker will know where the messages go but he/she can't get to it with usual methods.

-Sri

Re: How to Hide Syslog file

Sanjay_6 — Fri, 11 Jan 2002 20:11:16 GMT

Hi Laurie,

You can edit the syslog configuration file /etc/syslog.conf. The file name is specified over there. If you want to change the location of this file, stop the syslog daemon and edit the conf file and then restart the syslog daemon. Do a "man syslog.conf" for more info.

Hope this helps.

Regds

Re: How to Hide Syslog file

Mark Greene_1 — Fri, 11 Jan 2002 20:13:36 GMT

Redirect sysloging to a seperate system that is either serially connected to your main system, or is on a private network between the two. Do not put it on the main network. This severly limits the access to the sysloging system, and thus protects the log from hacker access.

You have to add the system name to the /etc/hosts file, but be sure to not allow remote shell commmands (i.e. don't put the sysloging system in any .rhost files) and be sure to have unique login ID's and passwords for the syslogging system.

HTH
mark

Re: How to Hide Syslog file

Jeff Machols — Fri, 11 Jan 2002 20:14:20 GMT

In order to track ftp, edit /etc/inetd.conf file and add -l to the ftp command

ftp stream ... ... ../lbin/ftpd ftp -l

you can also ftp -l -o -i to log every file transfered in or out (that goes to /var/adm/syslog/xferlog)

the telnet automaticaaly gets recorded in the /var/adm/wtmp file, you access this by doing the who, or last command

Re: How to Hide Syslog file

James R. Ferguson — Fri, 11 Jan 2002 20:16:45 GMT

Hi Laurie:

First, the normal permissions of '/var/adm/syslog/syslog.log' are 644 with owhership by root. This should prohibit the non-root user from writing to the file.

To enhance the logging done by the 'ftpd' daemon, add the '-l' and '-L', '-i' and/or '-o' options to the daemon initiation arguments in '/etc/inetd.conf' and restart the inetd daemon:

# /usr/sbin/inetd -c

See the man pages for 'ftpd' for 11.x for more information. On 10.x the '-l' and '-v' options apply.

Regards!

...JRF...

Re: How to Hide Syslog file

Jeff Machols — Fri, 11 Jan 2002 20:17:00 GMT

if you don't have another system to use a syslog server, you can create a daemon doeas something like

tail -f syslog.log > /root/log.

If somebody gets in as root they can still see the syslog.conf file, so if you go to a different server, make sure thr root password is different and there are no .rhosts or they can get over there and wipe it out

Re: How to Hide Syslog file

Helen French — Fri, 11 Jan 2002 20:17:05 GMT

Hi,

Check this out:

http://us-support.external.hp.com/cki/bin/doc.pl/sid=ade5f0e20142f3d856/screen=ckiDisplayDocument?docId=200000056855569

HTH,
Shiju

Re: How to Hide Syslog file

James R. Ferguson — Fri, 11 Jan 2002 20:29:46 GMT

Hi (again) Laurie:

I should also have noted for you that the permissions on the directory in which /var/adm/syslog/syslog.log resides (namely /var/adm/syslog) are normally 555 (r-x) which disallow the *removal* of the syslog.log by a non-root user. Hence if users can't write to the file and they can't remove the file, I don't see the worry.

Regards!

...JRF...

Re: How to Hide Syslog file

Deshpande Prashant — Fri, 11 Jan 2002 20:45:23 GMT

HI

For second part of your question, the ftpd daemon can be started with differnet options (-l, -L) from /etc/inetd.conf file.

Thanks.
Prashant.