HPE Community
Operating System - HP-UX
1752802 Members
4932 Online
108789 Solutions
New Discussion юеВ

Re: How to check security logs

 
gb karki
Frequent Advisor

тАО03-09-2009 10:16 PM

тАО03-09-2009 10:16 PM

How to check security logs

Hi,

Some body has changed passwd policy from /etc/default/security with out enable the shadow file. How to check who has changed this.

Regards
Karki
0 Kudos
Reply
4 REPLIES 4
Steven E. Protter
Exalted Contributor

тАО03-09-2009 10:37 PM

тАО03-09-2009 10:37 PM

Re: How to check security logs

Shalom,

First check permissions on the file.

I think you will find that only root can change /etc/default/security

So someone either directly logged on as root, which you can see in /var/adm/syslog/syslog.log

Or someone did an su to root which shows up in the same file.

You can check the time stamp on the security file and match it up with su entries and such.

I would immediately change the root password and check the systems for back doors that elevate normal users to root access.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
gb karki
Frequent Advisor

тАО03-09-2009 10:40 PM

тАО03-09-2009 10:40 PM

Re: How to check security logs

I checked in /var/adm/syslog/syslog.log but i'm not getting any messages.

Regards
Karki
0 Kudos
Reply
B. Hulst
Trusted Contributor

тАО03-10-2009 12:14 AM

тАО03-10-2009 12:14 AM

Re: How to check security logs

1. Check the timestamp of the file. When was it edited / saved?

2. Check with the command: last
who was logged in around that time of saving/ editing of the timestamp of step 1.

Ordinary users cannot edit this file but root or 'related to a root group' users can get more privileges to edit this file.

From the last command output you find the hostname or ip address where that root user came from. :-)
0 Kudos
Reply
Kapil Jha
Honored Contributor

тАО03-10-2009 12:19 AM

тАО03-10-2009 12:19 AM

Re: How to check security logs

DO u have any logging software like power broker,sudo....check for wtmp file but as said above normally only root can change the file , so you have to find out what time root logged into server or other users at the same time who can potntionally do a su.....do u have sudo defined.
Sysylog.log would not give u much information may be except if root passwd was wrongly entered.


BR
Kapil+
I am in this small bowl, I wane see the real world......
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.