cancel
Showing results for 
Search instead for 
Did you mean: 

Syslog edition

Vijaya Ragavan_1
Occasional Advisor

Syslog edition

Is it possible to edit syslog.log file while system is running.if it is possible how to identify who is edited?

Please help me i am in trable.
6 REPLIES
Johnson Punniyalingam
Honored Contributor

Re: Syslog edition

>>Is it possible to edit syslog.log file while system is running.if it is possible how to identify who is edited?

Please help me i am in trable.<<<

yes its possible.

i will assume person who have "root" access or privilege user can on edit the syslog.log

if syslog carried proper file permission as shown below

-rw-r--r-- 1 root root 846035 Nov 23 15:09 /var/adm/syslog/syslog.log

How to check ?

if auditing as been enable you check, if not

last -R root |more -> look for the IP address and the time when was the syslog.log has been edited. may give you clue :)

Hope This helps,

Regards,
Johnson
Problems are common to all, but attitude makes the difference
Kapil Jha
Honored Contributor

Re: Syslog edition

yeh i think it can be edited while system is running [ i tried it, worked ], and regarding who edited it only root can edit it cause it has 644 permission,

Now if you want to find which user logged in as root [ if you don give root passwd ]
then you may have to use some other s/w likes powerbroker etc.

BR,
Kapil+
I am in this small bowl, I wane see the real world......
Vijaya Ragavan_1
Occasional Advisor

Re: Syslog edition

i have checked with last -R root, but no root entry was there at that time.if somebody edited the /var/adm/wtmp file then last -R will not show.
Kapil Jha
Honored Contributor

Re: Syslog edition

if your user can directly enter root passwd, then its pretty difficult to figure it out.

For future you can use 'script' command in profile file [ to capture everything a user do ] and then save it somewhere for your referemce.

FOr the time being I think its not possible who edited.

BR,
Kapil+
I am in this small bowl, I wane see the real world......
Hakki Aydin Ucar
Honored Contributor

Re: Syslog edition

Hi,

The best way who accessed this file use either a script with cronjob OR install HIDS software from HP. The second way is great of course. Go to this link to see first method:
http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980

if prefer the second method:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

it is up to you,
Bill Hassell
Honored Contributor

Re: Syslog edition

> i have checked with last -R root, but no root entry was there at that time.if somebody edited the /var/adm/wtmp file then last -R will not show

last -R only shows logins and logouts. A root user may login and edit every file in the system. You can see these commands that were executed in the root user $HOME directory in the file .sh_history. If that file is not present, then there are no records of what root did when logged in. The .sh_history file is an absolute requirement (for all users) in a secure system.

But giving the root password to anyone is always a security risk. The better choice is to use sudo (download from HP) and set rules for each user's capabilities.


Bill Hassell, sysadmin