
Syslog edition

Vijaya Ragavan_1
Occasional Advisor

Is it possible to edit the syslog.log file while the system is running? If it is possible, how do I identify who edited it?

Please help me, I am in trouble.
Johnson Punniyalingam
Honored Contributor

Re: Syslog edition

> Is it possible to edit the syslog.log file while the system is running? If it is possible, how do I identify who edited it?
>
> Please help me, I am in trouble.

Yes, it's possible.

I will assume that a person who has "root" access, or a privileged user, can edit the syslog.log

if syslog carries the proper file permissions as shown below:

-rw-r--r-- 1 root root 846035 Nov 23 15:09 /var/adm/syslog/syslog.log

How to check?

If auditing has been enabled, you can check there; if not:

last -R root | more -> look for the IP address and the time when syslog.log was edited. It may give you a clue :)

Hope This helps,

Regards,
Johnson
Problems are common to all, but attitude makes the difference
Kapil Jha
Honored Contributor

Re: Syslog edition

Yeah, I think it can be edited while the system is running [I tried it, it worked], and regarding who edited it: only root can edit it, because it has 644 permissions.

Now, if you want to find which user logged in as root [if you don't give out the root passwd],
then you may have to use some other s/w like PowerBroker etc.

BR,
Kapil+
I am in this small bowl, I wane see the real world......
Vijaya Ragavan_1
Occasional Advisor

Re: Syslog edition

I have checked with last -R root, but no root entry was there at that time. If somebody edited the /var/adm/wtmp file, then last -R will not show it.
Kapil Jha
Honored Contributor

Re: Syslog edition

If your user can directly enter the root passwd, then it's pretty difficult to figure it out.

For the future, you can use the 'script' command in the profile file [to capture everything a user does] and then save it somewhere for your reference.

For the time being, I think it's not possible to tell who edited it.

BR,
Kapil+
I am in this small bowl, I wane see the real world......
Hakki Aydin Ucar
Honored Contributor

Re: Syslog edition

Hi,

The best way to see who accessed this file is to use either a script with a cron job OR install HIDS software from HP. The second way is great, of course. Go to this link to see the first method:
http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980

If you prefer the second method:
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS

It is up to you.
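One way to build the cron-driven check Hakki describes, as an added example that is not from the linked thread or from HP's HIDS product: it keeps a baseline CRC and size of the log, and on each run distinguishes a normal append from an in-place edit or truncation. It assumes POSIX sh with cksum(1), dd(1) and awk(1); the log and baseline paths are placeholders.

```shell
#!/bin/sh
# Added example: integrity check for an append-only log such as syslog.log.
# Stores a baseline "<crc> <size>" and later reports whether the file only
# grew (append) or whether earlier bytes changed or were cut off.
LOG=${LOG:-/var/adm/syslog/syslog.log}
BASE=${BASE:-/var/adm/syslog/.syslog.baseline}

# fingerprint FILE -> "<crc> <bytes>"; cksum is POSIX, unlike md5sum
fingerprint() {
    cksum "$1" | awk '{ print $1, $2 }'
}

# record_baseline FILE BASELINE: write the current fingerprint
record_baseline() {
    fingerprint "$1" > "$2"
}

# check_log FILE BASELINE
# returns 0 unchanged, 1 append only (normal), 2 edited/truncated, 3 no baseline
check_log() {
    file=$1; base=$2
    [ -r "$base" ] || { echo "no baseline for $file"; return 3; }
    read old_crc old_size < "$base"
    set -- $(fingerprint "$file")
    new_crc=$1; new_size=$2
    if [ "$new_size" -lt "$old_size" ]; then
        echo "ALERT: $file shrank from $old_size to $new_size bytes (truncated)"
        return 2
    fi
    if [ "$new_size" -eq "$old_size" ]; then
        [ "$new_crc" = "$old_crc" ] && return 0
        echo "ALERT: $file is the same size but its content changed (edited in place)"
        return 2
    fi
    # The file grew: an honest append leaves the first old_size bytes intact,
    # so that prefix must still produce the baseline CRC.
    if [ "$old_size" -eq 0 ]; then
        prefix_crc=$old_crc
    else
        prefix_crc=$(dd if="$file" bs="$old_size" count=1 2>/dev/null | cksum | awk '{ print $1 }')
    fi
    if [ "$prefix_crc" = "$old_crc" ]; then
        echo "ok: $file grew by $((new_size - old_size)) bytes (append only)"
        return 1
    fi
    echo "ALERT: $file grew but earlier content changed (edited)"
    return 2
}
```

Run `record_baseline "$LOG" "$BASE"` once from a known-good state, then `check_log "$LOG" "$BASE"` from cron; a return of 2 is the situation this thread is asking about, and the baseline must be re-recorded after a legitimate log rotation.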
Bill Hassell
Honored Contributor

Re: Syslog edition

> I have checked with last -R root, but no root entry was there at that time. If somebody edited the /var/adm/wtmp file, then last -R will not show it.

last -R only shows logins and logouts. A root user may log in and edit every file in the system. You can see the commands that were executed in the root user's $HOME directory in the file .sh_history. If that file is not present, then there are no records of what root did when logged in. The .sh_history file is an absolute requirement (for all users) in a secure system.

But giving the root password to anyone is always a security risk. The better choice is to use sudo (download from HP) and set rules for each user's capabilities.

Bill Hassell, sysadmin