sulog and unknown users

hydrocct
Advisor

sulog and unknown users

Is there a simple way of preventing a failed su from being logged to /var/adm/sulog and syslog.log (system wide)?
My favorite is when one forgets the enter key when su'ing to root, which gives "su - password" and ends up with the root password in sulog and syslog.log. Solaris su does not log unknown users.
Guichet DPT
Mic V.
Esteemed Contributor

Re: sulog and unknown users

Not as far as I know, but I'm not 100% on it. You may be able to just change the permissions so that only root can read the sulog file. Same goes for syslog.log.

Better yet, stop su'ing to root and use some kind of proxy, such as sudo or SAM. That prevents this issue and gives you more accountability/an auditing trail at the same time.

http://www.courtesan.com/cgi-bin/cvsweb/sudo/

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.7p5/

--Mic
What kind of a name is 'Wolverine'?
Steven E. Protter
Exalted Contributor

Re: sulog and unknown users

Install sudo and make it really so only sysadmin has the root password.

Clear the btmp file once a week with a script or sam.

You can write a script and scan for root in the btmp file.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Tom Ward_1
Honored Contributor

Re: sulog and unknown users

You can modify /etc/syslog.conf to send auth-related messages to a file readable only by root.

Here's an example of one way:
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
auth.info /var/adm/syslog/auth.log
*.info;mail.none;auth.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *

That would send auth-related messages to /var/adm/syslog/auth.log. With the permissions on auth.log set to root only, no one but root can see those entries.

Perms on /var/adm/btmp and /var/adm/sulog should also be set root only readable.

*I still haven't come up with a way to keep root from seeing my own password in btmp when I slip up. :-(
Todd McDaniel_1
Honored Contributor

Re: sulog and unknown users

hydrocct,

I am curious why you would want to disable the sulog? The primary reason to have an sulog is to log unauthorized users' access to your host. Unless your last sentence is the reason, and again I am curious how that could happen with the root password.

__________________________
What did you mean by this statement?

"My favorite is when one forgets the enter key when suing to root which gives su - password and end up with the root password in sulog and syslog.log. Solaris su does not log unknown users. "

Are you saying the clear text password for root shows up in sulog and syslog.log?

I'd like to know what platform/OS this is on... and if you reported it to HP.
Unix, the other white meat.
Pete Randall
Outstanding Contributor

Re: sulog and unknown users

Todd,

That makes sense. If you type in "su -" but forget to press the enter key before you type in the password, then it becomes "su - ", which will fail and be entered into the log. I'm not sure how one manages to forget hitting the enter key, but as described, that's correct.


Pete
hydrocct
Advisor

Re: sulog and unknown users

What I mean is that if I want to "su -" to change to root from any user and inadvertently omit the enter key and immediately type the password (e.g. RootPW), I end up typing "su - RootPW" and YES, I do get the root password in clear text in both sulog and syslog.log, as the following:
SU 01/07 15:09 - 0 root-RootPW
It won't take very much for one to try all the missed attempts to get the root password, unless the files are write protected, but that seems very weak protection. I'm running HP-UX 11.0 and I've seen this on several servers.
Guichet DPT
Todd McDaniel_1
Honored Contributor

Re: sulog and unknown users

OMG!! I see what you mean!! Yes, that is a problem... I just tested it with gibberish after my su - asdf1234 and it showed in the sulog!!!

I would hope you wouldn't do that very often... Also, I wouldn't script that with the root password in a script to grep out of the sulog... I would be more inclined to grep YOUR ID and delete any entry with your user name.

Although sulog is read only for root 600 on my box... Anyone who would be able to read it would already have root access.

Unix, the other white meat.
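An added example, not posted by anyone in this thread: a POSIX sh/awk script that implements Todd's "grep and delete" idea in a more general form. Instead of matching one user name, it flags every failed su entry whose target is not a real account (the pattern a "su - <password>" slip leaves behind) and can write a copy with that field redacted; it assumes the sulog field layout shown in hydrocct's sample line (SU MM/DD hh:mm [+-] tty from-to) and uses a constructed sulog and account list in place of /var/adm/sulog and /etc/passwd.

```shell
#!/bin/sh
# Known account names (constructed; on a real host: cut -d: -f1 /etc/passwd)
KNOWN_ACCOUNTS="root
bin
daemon
hydrocct
toddm"

# Constructed sample sulog lines in the layout shown in the thread
SAMPLE_SULOG="SU 01/07 15:09 - 0 root-RootPW
SU 01/07 15:10 + 0 hydrocct-root
SU 01/07 15:11 - 0 hydrocct-root
SU 01/07 15:12 - 1 toddm-asdf1234"

# Print failed su entries whose target is not a known account.
# $1 = sulog file, $2 = file with one account name per line.
suspect_su_entries() {
    awk -v acctfile="$2" '
        BEGIN { while ((getline a < acctfile) > 0) known[a] = 1 }
        $1 == "SU" && $4 == "-" {
            n = split($6, parts, "-")      # from-to; last piece is the target
            if (!(parts[n] in known)) print
        }' "$1"
}

# Emit a copy of the sulog with the unknown target replaced, keeping the
# rest of the entry so the failed attempt itself stays on record.
redact_su_entries() {
    awk -v acctfile="$2" '
        BEGIN { while ((getline a < acctfile) > 0) known[a] = 1 }
        $1 == "SU" && $4 == "-" {
            n = split($6, parts, "-")
            if (!(parts[n] in known)) $6 = parts[1] "-<redacted>"
        }
        { print }' "$1"
}

# Demonstration on the constructed data via temporary files.
tmp=$(mktemp -d)
printf '%s\n' "$KNOWN_ACCOUNTS" > "$tmp/accounts"
printf '%s\n' "$SAMPLE_SULOG" > "$tmp/sulog"
echo "== failed su entries with an unknown target =="
suspect_su_entries "$tmp/sulog" "$tmp/accounts"
echo "== redacted copy =="
redact_su_entries "$tmp/sulog" "$tmp/accounts"
rm -rf "$tmp"
```

The redacted copy is meant to replace the original only after it has been reviewed, since the redaction also removes the evidence of what was typed.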