Operating System - HP-UX

Re: How to Hide Syslog file

Laurie A. Krumrey
Regular Advisor

How to Hide Syslog file

Hi All,

We have Trusted HP-UX Servers (11.0 and 11.11)
and I want to hide the syslog files. Basically
if someone gets in they might try to cover
their tracks by editing the syslog.log file.

Now how could I set up syslog.log to go into another directory instead of /var/adm/syslog
and call the file another name, like
stuff.save.

But then I would have to change the /etc/syslog.conf file, or else a hacker
could find where I am hiding the new syslog.

Any thoughts?

Also (part 2 here) I want to know how to have
an audit trail of everyone who ftp's and
telnet's in.

Thank You,
Laurie

Happiness is a choice
Craig Rants
Honored Contributor

Re: How to Hide Syslog file

Don't know of a way to hide syslog.log unless you recompile to not use a syslog.conf file and put all the directives in the C code.

Second part, auth.info is the standard syslog entry for putting login info into syslog.log. Test the auth facility with some different severity levels to see which one shows what you are looking for.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Sridhar Bhaskarla
Honored Contributor

Re: How to Hide Syslog file

Hi Laurie,

The best method is to send the syslogs to a remote syslog server and restrict access to only people who are authorized. This way you don't have to worry about it.

Modifying the syslog.conf file like

*.info @someotherserver

will send the message to someotherserver

Do not create any accounts on someotherserver except for a few admins, and periodically check the server.

Note that the hacker will still know where the messages go, but he/she can't get to them with the usual methods.


-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Sanjay_6
Honored Contributor

Re: How to Hide Syslog file

Hi Laurie,

You can edit the syslog configuration file /etc/syslog.conf. The file name is specified over there. If you want to change the location of this file, stop the syslog daemon and edit the conf file and then restart the syslog daemon. Do a "man syslog.conf" for more info.

Hope this helps.

Regds
Mark Greene_1
Honored Contributor

Re: How to Hide Syslog file

Redirect syslogging to a separate system that is either serially connected to your main system, or is on a private network between the two. Do not put it on the main network. This severely limits the access to the syslogging system, and thus protects the log from hacker access.

You have to add the system name to the /etc/hosts file, but be sure to not allow remote shell commands (i.e. don't put the syslogging system in any .rhosts files) and be sure to have unique login IDs and passwords for the syslogging system.

HTH
mark
the future will be a lot like now, only later
Jeff Machols
Esteemed Contributor
Solution

Re: How to Hide Syslog file

In order to track ftp, edit the /etc/inetd.conf file and add -l to the ftp command

ftp stream ... ... ../lbin/ftpd ftp -l

you can also use ftp -l -o -i to log every file transferred in or out (that goes to /var/adm/syslog/xferlog)

telnet automatically gets recorded in the /var/adm/wtmp file; you access this by doing the who or last command
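As an added example (not code from any poster in this thread), here is a small POSIX sh script that reads the xferlog that ftpd writes when started with -l -o -i, summarises transfers per user and direction, and flags outbound transfers of a given path. The log lines inside it are constructed, and the field layout is assumed to be the wu-ftpd style xferlog layout (five date fields, then transfer time, remote host, bytes, file, type, flag, direction, access mode, user, service, auth, authenticated user, completion status); check xferlog(5) on your own release before relying on it.

```shell
#!/bin/sh
# Summarise an ftpd xferlog by user and direction (constructed sample data).
# Added example for this thread; assumes the wu-ftpd style xferlog layout.

# Constructed sample lines. Fields: date(5) xfer-time host bytes file type flag
# direction(i/o) mode user service auth authuser status(c=complete, i=incomplete)
SAMPLE_XFERLOG='Mon Mar  3 10:15:22 2003 2 10.1.2.3 1048576 /home/laurie/report.tar b _ i r laurie ftp 0 * c
Mon Mar  3 10:16:01 2003 1 10.1.2.3 4096 /home/laurie/notes.txt a _ o r laurie ftp 0 * c
Mon Mar  3 23:41:07 2003 5 192.0.2.77 52428800 /var/adm/syslog/syslog.log b _ o r guest ftp 0 * c
Mon Mar  3 23:42:30 2003 0 192.0.2.77 0 /tmp/x.tar b _ i r guest ftp 0 * i'

# Read xferlog on stdin; print "user direction transfers bytes incomplete", sorted.
xferlog_summary() {
  awk '
    NF >= 18 {
      dir = ($12 == "i") ? "in" : (($12 == "o") ? "out" : "other")
      key = $14 " " dir
      count[key]++
      bytes[key] += $8
      if ($18 != "c") incomplete[key]++
    }
    END {
      for (k in count)
        printf "%s %d %d %d\n", k, count[k], bytes[k], incomplete[k] + 0
    }' | sort
}

# Read xferlog on stdin; print "host user file" for every outbound transfer of a
# file under the given path prefix (e.g. the syslog directory itself).
xferlog_outbound_of() {
  awk -v p="$1" 'NF >= 18 && $12 == "o" && index($9, p) == 1 { print $7, $14, $9 }'
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_summary
  echo "outbound copies of anything under /var/adm/syslog:"
  printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_outbound_of /var/adm/syslog
fi
```

Run it with --demo to see the constructed data summarised; on a live box replace the sample with `xferlog_summary < /var/adm/syslog/xferlog`. The second function is the check worth scheduling: an outbound transfer of the syslog directory is exactly the kind of event the original question is worried about.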
James R. Ferguson
Acclaimed Contributor

Re: How to Hide Syslog file

Hi Laurie:

First, the normal permissions of '/var/adm/syslog/syslog.log' are 644 with ownership by root. This should prohibit the non-root user from writing to the file.

To enhance the logging done by the 'ftpd' daemon, add the '-l' and '-L', '-i' and/or '-o' options to the daemon initiation arguments in '/etc/inetd.conf' and restart the inetd daemon:

# /usr/sbin/inetd -c

See the man pages for 'ftpd' for 11.x for more information. On 10.x the '-l' and '-v' options apply.

Regards!

...JRF...
Jeff Machols
Esteemed Contributor

Re: How to Hide Syslog file

if you don't have another system to use as a syslog server, you can create a daemon that does something like

tail -f syslog.log > /root/log.

If somebody gets in as root they can still see the syslog.conf file, so if you go to a different server, make sure the root password is different and there are no .rhosts, or they can get over there and wipe it out
Helen French
Honored Contributor

Re: How to Hide Syslog file

James R. Ferguson
Acclaimed Contributor

Re: How to Hide Syslog file

Hi (again) Laurie:

I should also have noted for you that the permissions on the directory in which /var/adm/syslog/syslog.log resides (namely /var/adm/syslog) are normally 555 (r-x) which disallow the *removal* of the syslog.log by a non-root user. Hence if users can't write to the file and they can't remove the file, I don't see the worry.

Regards!

...JRF...
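As an added example (not code from any poster here), this POSIX sh script checks the two things the replies above rely on: Sridhar's remote forwarding line in syslog.conf, and JRF's point that syslog.log should be 644 and /var/adm/syslog 555 with no group or other write bit. It uses only sh, awk and ls -ld, so it does not need GNU stat. The syslog.conf inside it is constructed, and "someotherserver" is just the thread's placeholder host name.

```shell
#!/bin/sh
# Audit the local syslog setup: remote forwarding and log file/directory modes.
# Added example for this thread; uses only POSIX sh, awk and ls -ld.

# Constructed sample /etc/syslog.conf with the forwarding line from the thread.
SAMPLE_SYSLOG_CONF='# constructed sample syslog.conf
mail.debug      /var/adm/syslog/mail.log
*.info;mail.none        /var/adm/syslog/syslog.log
*.alert         /dev/console
*.info          @someotherserver'

# Print every remote host (@host action) in a syslog.conf; return 1 if none.
syslog_forward_hosts() {
  hosts=$(awk '$1 !~ /^#/ && $2 ~ /^@/ { sub(/^@/, "", $2); print $2 }' "$1")
  [ -n "$hosts" ] || return 1
  printf '%s\n' "$hosts"
}

# Symbolic mode of a path from ls -ld, e.g. -rw-r--r-- or dr-xr-xr-x.
path_mode() {
  ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# 0 if neither the group (position 6) nor the other (position 9) write bit is set.
not_group_other_writable() {
  case "$(path_mode "$1")" in
    ?????w*|????????w*) return 1 ;;
    *) return 0 ;;
  esac
}

# Report forwarding plus the modes of the log directory and file (644 / 555 expected).
audit_syslog_setup() {
  conf=${1:-/etc/syslog.conf}
  log=${2:-/var/adm/syslog/syslog.log}
  dir=$(dirname "$log")
  if syslog_forward_hosts "$conf" >/dev/null; then
    echo "forwarding: yes"
    syslog_forward_hosts "$conf" | sed 's/^/  -> /'
  else
    echo "forwarding: none (logs exist only on this host)"
  fi
  for p in "$dir" "$log"; do
    if [ -e "$p" ]; then
      if not_group_other_writable "$p"; then s=ok; else s=WRITABLE; fi
      printf '%s %s %s\n' "$(path_mode "$p")" "$s" "$p"
    fi
  done
}

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_SYSLOG_CONF" > "$tmp"
  audit_syslog_setup "$tmp"
  rm -f "$tmp"
fi
```

With --demo it audits the constructed config; without arguments `audit_syslog_setup` reads /etc/syslog.conf and /var/adm/syslog/syslog.log, which is the check to run after moving or forwarding the log, since a misplaced chmod on the new directory would undo the protection JRF describes.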
Deshpande Prashant
Honored Contributor

Re: How to Hide Syslog file

HI

For the second part of your question, the ftpd daemon can be started with different options (-l, -L) from the /etc/inetd.conf file.

Thanks.
Prashant.
Take it as it comes.