why would syslog report an action as "unknown" when it is clear I'm su(ing)
06-19-2007 03:34 AM
Rp8420
HPUX 11.11
Patch level
# swlist | grep 2006
GOLDAPPS11i B.11.11.0612.459 Applications Patches for HP-UX 11i v1, December 2006
GOLDBASE11i B.11.11.0612.459 Base Patches for HP-UX 11i v1, December 2006
HWEnable11i B.11.11.0612.458 Hardware Enablement Patches for HP-UX 11i v1, December 2006
OnlineDiag B.11.11.18.05 HPUX 11.11 Support Tools Bundle, Dec 2006
root@b8mkesd6[/root]
#
Our auditors are putting the heat on me to resolve why on one server su actions are clearly logged to syslog and on another server they are not. I realize I can get su activity from the /var/adm/su log but the auditors are adamant on obtaining the su activity from syslog.
The log of the "non-working" server identifies other activity like ftpd and ssh, but no su. To be honest I'm not sure what happens "behind the scenes" when someone authenticates to a server and exactly how the log gets updated. If I knew that, I might be able to figure out why I see the inconsistency between these two servers.
Here is the difference.
b8mkesd6 --Not working
I'll su from my regular account to root; I have another window open running tail -f on the syslog. Notice it doesn't even list my regular user account as logging in or the action being performed, just the "unknown" entry.
b8mkesd6:/home/techsup/creindk> whoami
creindk
b8mkesd6:/home/techsup/creindk> su -
Password:           (I successfully key in the password and get authenticated here.)
HERE IS the SYSLOG:
Jun 19 08:26:48 b8mkesd6 unknown[21299]: WARN pam Authentication for user 'root': User is mapped to a non-existent Active Directory account. Passing user to next service module.
b8mkesd6:/root> what /usr/bin/su
/usr/bin/su:
$Revision: @(#) su R11.11_BL2006_0308_2 PATCH_11.11 PHCO_34545
b8mkesd6:/root>
b8mkese1 --Working
I'll su from my regular account to root; now watch, I'll tail -f the syslog. Notice it gives the action being performed and the user (me, in this case) that is su(ing):
Jun 19 08:36:19 b8mkese1 su[2446]: WARN pam Authentication for user 'root': User is mapped to a non-existent Active Directory account. Passing user to next service module.
Jun 19 08:36:26 b8mkese1 su[2446]: + td creindk-root
b8mkese1:/home/techsup/creindk > whoami
creindk
b8mkese1:/home/techsup/creindk > su -
Password:
Notice the su patch on the working server (b8mkese1) is actually older.
b8mkese1:/home/techsup/creindk > what /usr/bin/su
/usr/bin/su:
$Revision: @(#) all CUP11.11_BL2002_1004_2 PATCH_11.11 PHCO_27781
Fri Oct 4 00:27:58 PDT 2002 $
b8mkese1:/home/techsup/creindk >
I've opened a call to HP, but it seems like their response has been slipping during this outsource transition.
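An added example, not code from the thread: a small parser for syslog lines of the form shown above ("tag[pid]: message") that pulls out su's audit records ("+ tty from-to", with "-" for a failed attempt, the same layout su writes to /var/adm/sulog) and produces the two findings an auditor would want per host: a PAM authentication message that arrived under the tag "unknown", i.e. without the calling program's identity (the symptom the post describes; the thread does not establish why), and a root authentication with no matching su record. The sample log is constructed from the two quoted lines plus a failed su and an unrelated sshd line; the function and finding names are this example's own.

```python
"""Check HP-UX syslog lines for su(1) audit records and lost program identity.

The sample log below is constructed for this example; the record formats
("tag[pid]: msg" and su's "+ tty from-to") are the ones quoted in the post.
"""
import re
from collections import defaultdict

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# su's audit record: "+" success or "-" failure, the tty, then from-to.
SU_RECORD_RE = re.compile(r"^(?P<ok>[+-]) (?P<tty>\S+) (?P<src>[^-\s]+)-(?P<dst>\S+)$")
PAM_AUTH_RE = re.compile(r"pam Authentication for user '(?P<user>[^']+)'")

# Constructed sample modelled on the two servers in the post (not real capture data).
SAMPLE_LOG = """\
Jun 19 08:26:48 b8mkesd6 unknown[21299]: WARN pam Authentication for user 'root': User is mapped to a non-existent Active Directory account. Passing user to next service module.
Jun 19 08:36:19 b8mkese1 su[2446]: WARN pam Authentication for user 'root': User is mapped to a non-existent Active Directory account. Passing user to next service module.
Jun 19 08:36:26 b8mkese1 su[2446]: + td creindk-root
Jun 19 08:40:02 b8mkese1 su[2510]: - td creindk-root
Jun 19 08:41:10 b8mkese1 sshd[2600]: Accepted password for creindk from 10.1.2.3 port 1022 ssh2
"""


def parse_line(line):
    """Split one syslog line into ts/host/tag/pid/msg, or None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def su_events(lines):
    """Return su audit records as dicts: host, ts, pid, ok, tty, src, dst."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["tag"] != "su":
            continue
        m = SU_RECORD_RE.match(rec["msg"])
        if m:
            events.append({
                "host": rec["host"], "ts": rec["ts"], "pid": rec["pid"],
                "ok": m.group("ok") == "+", "tty": m.group("tty"),
                "src": m.group("src"), "dst": m.group("dst"),
            })
    return events


def audit(lines):
    """Per host: flag PAM authentication lines logged under tag 'unknown' (program
    identity lost) and root authentications that have no su audit record."""
    findings = defaultdict(list)
    pam_root_hosts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = PAM_AUTH_RE.search(rec["msg"])
        if not m:
            continue
        if rec["tag"] == "unknown":
            findings[rec["host"]].append(
                f"pid {rec['pid']}: authentication for '{m.group('user')}' "
                f"logged under tag 'unknown' (program identity lost)")
        if m.group("user") == "root":
            pam_root_hosts.add(rec["host"])
    su_hosts = {e["host"] for e in su_events(lines) if e["dst"] == "root"}
    for host in sorted(pam_root_hosts - su_hosts):
        findings[host].append(
            "root authentication seen but no su audit record ('+ tty user-root') in syslog")
    return dict(findings)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for e in su_events(lines):
        print("su:", e)
    for host, items in audit(lines).items():
        for item in items:
            print(f"{host}: {item}")
```

Run it against a real /var/adm/syslog/syslog.log by reading the file into `lines` instead of `SAMPLE_LOG`; the second finding is the one that matters for the audit, since a host that only ever logs the PAM warning never records who became root.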
06-19-2007 05:12 AM
Re: why would syslog report an action as "unknown" when it is clear I'm su(ing)
# kill -HUP `cat /var/run/syslog.pid`
Then see if the issue still persists.
06-19-2007 05:20 AM
Re: why would syslog report an action as "unknown" when it is clear I'm su(ing)
I'd recommend Court's idea.
Also perhaps reboot the system if practical.
If this persists, I would see what files are missing on the system. Maybe wtmp or btmp are missing or some other critical log file is missing in action.
Check that permissions on /etc/passwd are the same on both systems, since that's where the user information comes from.
ITRC has always been faster than the response center.
What is this outsource transition about? I've never heard of it.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
06-19-2007 06:51 AM
Re: why would syslog report an action as "unknown" when it is clear I'm su(ing)
I've re-read the config for the syslog daemon but still the same result.
Both systems in question belong to the same NIS domain.
wtmp and btmp are in place and get updated on login, and last and lastb are functioning.
Unfortunately I will not be able to reboot the machine.
06-19-2007 07:13 AM
Re: why would syslog report an action as "unknown" when it is clear I'm su(ing)
I'd schedule a reboot and prior to that do an exhaustive comparison of working to non-working machine.
Check file ownership and permissions. Any small variance can be the source of this problem.
Just for grins, make sure the system clocks are close to real time. ntp is your friend here.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
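An added example of the comparison suggested above, not a script from the thread: a POSIX sh manifest of mode, owner and group for the files su, PAM and syslogd depend on, written once on each host and then diffed. The path list is this example's assumption about which files matter on an 11.11 box (adjust it to what is actually installed); the function names are the example's own. The clock and host name go into a '#' header line so they are visible side by side but do not show up as diff noise.

```sh
#!/bin/sh
# Permission/ownership manifest for the su, PAM and syslog file set.
# Example for this thread; the path list below is an assumption.

AUDIT_PATHS="/etc/passwd /etc/group /etc/pam.conf /etc/nsswitch.conf \
/etc/syslog.conf /usr/bin/su /var/adm/sulog /var/adm/wtmp /var/adm/btmp \
/var/adm/syslog/syslog.log /var/run/syslog.pid /dev/log"

# manifest PATH...: one line per path, "path mode owner group" or "path MISSING".
# The first line is a '#' header with host name and UTC clock for the ntp check.
manifest() {
    echo "# host $(uname -n) clock $(date -u '+%Y-%m-%d %H:%M:%S UTC')"
    for p in "$@"; do
        if [ -e "$p" ]; then
            # POSIX ls -l long format: field 1 mode, field 3 owner, field 4 group
            ls -ld "$p" | awk -v p="$p" '{ print p, $1, $3, $4 }'
        else
            echo "$p MISSING"
        fi
    done
}

# manifest_diff GOOD BAD: print entries that differ (header lines ignored);
# returns 0 when the two manifests are identical, non-zero otherwise.
manifest_diff() {
    t1=/tmp/manifest.a.$$
    t2=/tmp/manifest.b.$$
    sed '/^#/d' "$1" > "$t1"
    sed '/^#/d' "$2" > "$t2"
    diff "$t1" "$t2" && rc=0 || rc=$?
    rm -f "$t1" "$t2"
    return $rc
}

# Usage:  sh su_manifest.sh > /tmp/manifest.$(uname -n)   (run on both hosts)
#         sh su_manifest.sh /tmp/manifest.b8mkese1 /tmp/manifest.b8mkesd6
case $# in
    0) manifest $AUDIT_PATHS ;;
    2) manifest_diff "$1" "$2" ;;
esac
```

Copy the working host's manifest to the non-working one and diff there; a MISSING entry or a mode/owner difference on /etc/pam.conf, /usr/bin/su or the syslog files is exactly the "small variance" worth chasing before scheduling the reboot. Compare the two header clocks by eye.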
06-19-2007 11:45 AM
Re: why would syslog report an action as "unknown" when it is clear I'm su(ing)
You can do a "swverify \*" on each system and then compare.
06-20-2007 01:58 AM
Re: why would syslog report an action as "unknown" when it is clear I'm su(ing)
06-20-2007 08:43 AM
Re: why would syslog report an action as "unknown" when it is clear I'm su(ing)
That's swverify, as I said.