Operating System - HP-UX

Password shows up in syslog.log

 
Barry Feinberg
Occasional Advisor


We had a user enter "su " by accidentally not hitting enter after su, and the root password came up in syslog.log and sulog. We tried the same thing on another 11.0 OS server which is patched more up to date and we did not get the password in syslog.log or sulog. What patch do I need to resolve this security issue?
Chris Wilshaw
Honored Contributor

Re: Password shows up in syslog.log

As far as unix is concerned, your password on that command line was the ID that you wanted to su to, so it should get reported to sulog (and/or syslog, depending on how you have logging set up). Patch level should have no bearing on this, as unix has no way to tell that you've entered your password in the ID field.

You can disable all su messages to syslog.log and sulog by setting the following lines in /etc/syslog.conf, then restarting syslogd:

auth.none /var/adm/syslog/syslog.log
auth.none /var/adm/sulog

However, this would prevent you from seeing messages in there that you wanted to see.
harry d brown jr
Honored Contributor

Re: Password shows up in syslog.log



That's not a security issue, that's a user issue!

It would be no different than if I just typed in my passwd and it showed up in my history file:

passwd oldpasswd

Personally, I'd take away the ability of the user to use "su", but that's because I'm cruel :-) I don't like users to have shell access.

Of course if you don't have this activity logged, then you don't know who is attempting to break into your system.

live free or die
harry
Live Free or Die
Uday_S_Ankolekar
Honored Contributor

Re: Password shows up in syslog.log

I'm sure you are typing the command the wrong way when you run the su command.

You should try it like this:

Type in su and then press enter; the system will prompt you for the password.

If you type su followed by the password without pressing enter, the system assumes your typed password is a user ID and then logs it in the syslog file.

-USA..
Good Luck..
S.K. Chan
Honored Contributor

Re: Password shows up in syslog.log

Chris is correct, take a look also at this doc (tells you how to disable "su" logging to syslog.log). DocID=KBRC00009295
http://support2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062760077
Another good example of this kind of scenario is, someone logs in (without paying attention) thinking the Login prompt is the password prompt.. and oops ... well guess what ...
# strings /etc/btmp
John Bolene
Honored Contributor

Re: Password shows up in syslog.log

Yup, user issue, entering the wrong data in the id field.

UNIX does not know it was a password, it wanted a user id.
It is always a good day when you are launching rockets! http://tripolioklahoma.org, Mostly Missiles http://mostlymissiles.com
Martin Johnson
Honored Contributor

Re: Password shows up in syslog.log

You could write a wrapper for su which validates the username typed in with the users in /etc/passwd. You can have it reprompt until it gets a valid username before passing it on to su.

HTH
Marty
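
One way the wrapper suggested in the reply above could look, as an added example that is not part of the original thread. The names valid_user, su_checked, PASSWD_FILE, SU_BIN and the install name su-checked are hypothetical, the su path is an assumption, and only local /etc/passwd accounts are checked.

```shell
#!/bin/sh
# Added example: check the target account name before su ever sees it,
# so a password typed in the user-name position is not handed to su to log.
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}   # assumption: local accounts only
SU_BIN=${SU_BIN:-/usr/bin/su}             # assumption: path to the real su

# Succeed only if $1 is exactly the first field of a passwd line.
# Pure shell on purpose: the candidate string is never put on another
# process's command line and is never written anywhere.
valid_user() {
    [ -n "$1" ] || return 1
    while IFS=: read -r name _rest; do
        [ "$name" = "$1" ] && return 0
    done < "$PASSWD_FILE"
    return 1
}

# Usage mirrors su: su_checked [-] [user [args...]]
su_checked() {
    dash=""
    if [ "$1" = "-" ]; then dash="-"; shift; fi
    target=${1:-root}
    if [ $# -gt 0 ]; then shift; fi
    until valid_user "$target"; do
        # Never echo or log the rejected string: it may be a password.
        printf 'Not a known account. User name: ' >&2
        IFS= read -r target || return 1   # stop at end of input
    done
    "$SU_BIN" $dash "$target" "$@"
}

# Runs only when this file is installed under the assumed name "su-checked".
case ${0##*/} in
    su-checked) su_checked "$@" ;;
esac
```

The wrapper only keeps the mistyped string away from su's own logging; it was still typed as a command argument, so it can remain in shell history and the password should still be changed.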
Darren Prior
Honored Contributor

Re: Password shows up in syslog.log

Hi Barry,

Further to the other answers to your query, it may have been logged in places other than syslog. I think there's a possibility that it would be visible if someone had run a ps -ef at that time.

You should change the root password now, and perhaps have some moderately harsh words with the user!

regards,

Darren.
Calm down. It's only ones and zeros...
Roger Baptiste
Honored Contributor

Re: Password shows up in syslog.log

hi,

it's a user problem. Unfortunately there is no patch to protect against fat finger or negligent mistakes ;-)

Disabling SU logs in syslog is not a good idea. It's useful to know who was using the SU command and the history, in case of any break-ins or security related issues.

HTH
raj
Take it easy.