Operating System - HP-UX

How to log failed attempts to ROOT

Troy Nightingale
Occasional Advisor

How to log failed attempts to ROOT

I currently have ROOT disabled as a login account. It can only be reached via su. How can I be alerted on failed attempts to login to ROOT. I know the sulog has a somewhat cryptic log of all su activity, but I don't know how to be alerted on a failure.

Thanks for your help.
6 REPLIES
Jeff_Traigle
Honored Contributor

Re: How to log failed attempts to ROOT

Could set up a cron job to check sulog periodically and report any failed attempts to su to root (indicated by - instead of +). This is a pretty crude example, but should give you the general idea of what needs to be done.

#!/usr/bin/sh

# sulog marks a failed su with " - " (success is " + "); the last field is from-to, so "root$" selects su attempts whose target is root
grep "root$" /var/adm/sulog | grep " - " | mailx -s "Failed root su attempts" someone@somewhere.com
--
Jeff Traigle
Rick Garland
Honored Contributor

Re: How to log failed attempts to ROOT

How are you preventing the login to root?

Is the 'lastb' command an option? This will list all failed logins but you can grep out the root entries.

Jeff_Traigle
Honored Contributor

Re: How to log failed attempts to ROOT

Rick brings up a good point. If you want to be notified of *all* failed root login attempts, not just the su failures, lastb is a good way to go. Could just pipe the output of "lastb -R root" to an email or something. You'll still need to check sulog as above since su doesn't log to /var/adm/wtmp and /var/adm/btmp, but everything else other than sftp does. I still haven't figured out any way to detect sftp accesses other than syslog.
--
Jeff Traigle
Muthukumar_5
Honored Contributor

Re: How to log failed attempts to ROOT

A few ways:

1) You can check /var/adm/sulog for - entries to the root user.

# sulog fields: SU date time +/- tty from-to; "-" in field 4 marks a failed su, and the target user is the part after the "-" in field 6
awk '{ if ( $4 == "-") { split($6,a,"-"); if ( a[2] == "root" ) { print; }}}' /var/adm/sulog

will give that.

2) You can check with lastb to get wrong logins to root.

3) Just move the /usr/bin/su binary to /usr/bin/suold and write a wrapper to log all failed details.

-Muthu
Easy to suggest when don't know about the problem!
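The cron-driven sulog check Jeff describes and the field-based awk parse Muthu gives above, put together as one stand-alone script. This is an added example, not code posted in the thread: it assumes the standard HP-UX sulog line layout (`SU MM/DD HH:MM +|- tty from-to`), a hypothetical checkpoint file so a periodic run only mails failures appended since the last run, and a constructed sample log for the demo at the bottom. The POSIX `tail -n +N` form is used; on older HP-UX `tail +Nl` is the equivalent.

```shell
#!/usr/bin/sh
# Added example (not from the thread): report failed su-to-root attempts from
# /var/adm/sulog, remembering how many lines were already examined so that a
# cron run only reports new failures.
#
# Assumed sulog layout (standard HP-UX):
#   SU MM/DD HH:MM + tty from-to      "+" = success, "-" = failure

SULOG=${SULOG:-/var/adm/sulog}
STATE=${STATE:-/var/adm/sulog.lastpos}   # hypothetical checkpoint file: line count already seen
MAIL_TO=${MAIL_TO:-}                      # set to an address in cron to get mail; empty = print

# Print the sulog lines recording a failed su to root.  Reads the file named
# in $1, or stdin when no argument is given.  Field-based (awk) rather than a
# pattern grep, so a user named e.g. "rootkit" or a tty containing "-" cannot
# produce a false match; the target user is the last "-"-separated part of $6.
failed_root_su() {
    awk '$1 == "SU" && $4 == "-" {
            n = split($6, a, "-")
            if (a[n] == "root") print
         }' "${1:--}"
}

# Print only the failures appended since the previous run.  $1 = sulog,
# $2 = checkpoint file holding the number of lines already examined.
new_failed_root_su() {
    log=$1; state=$2
    seen=0
    [ -r "$state" ] && seen=$(tr -d ' ' < "$state")
    total=$(wc -l < "$log" | tr -d ' ')
    # Log rotated or truncated since last run: start from the top again.
    [ "$total" -lt "$seen" ] && seen=0
    tail -n +"$((seen + 1))" "$log" | failed_root_su
    echo "$total" > "$state"
}

# Cron entry point: mail the new failures if any, otherwise stay silent.
report_new_failures() {
    out=$(new_failed_root_su "$1" "$2")
    [ -z "$out" ] && return 0
    if [ -n "$MAIL_TO" ]; then
        printf '%s\n' "$out" | mailx -s "Failed root su attempts on $(uname -n)" "$MAIL_TO"
    else
        printf '%s\n' "$out"
    fi
}

# --- demo on a constructed sample log (stand-alone run) ---
DEMO_LOG=${TMPDIR:-/tmp}/sulog.demo.$$
DEMO_STATE=${TMPDIR:-/tmp}/sulog.demo.state.$$
cat > "$DEMO_LOG" <<'EOF'
SU 03/01 08:15 + pts/0 alice-root
SU 03/01 08:16 - pts/0 bob-root
SU 03/01 09:02 - pts/2 carol-oracle
SU 03/01 09:10 - pts/3 dave-root
EOF
echo "first run (reports bob and dave):"
report_new_failures "$DEMO_LOG" "$DEMO_STATE"
echo 'SU 03/01 10:00 - pts/4 erin-root' >> "$DEMO_LOG"
echo "second run (reports only erin):"
report_new_failures "$DEMO_LOG" "$DEMO_STATE"
rm -f "$DEMO_LOG" "$DEMO_STATE"
```

In production you would drop the demo section and schedule something like `MAIL_TO=admin@example.com report_new_failures /var/adm/sulog /var/adm/sulog.lastpos` from cron; the checkpoint file is what stops every run from re-mailing the whole history, which Jeff's one-liner would do.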
rmueller58
Valued Contributor

Re: How to log failed attempts to ROOT

Load Tripwire.. It will capture all failure attempts in a log..

Wouldn't be without it..

It detects telnet or SSH attempts
Christine Hartman
Valued Contributor

Re: How to log failed attempts to ROOT

Hi there... attached is a script that we use to give us email notifications on all "privileged" accounts... hope this helps.
C-