Trusted system

j773303 · ‎12-22-2004

As below message, enable the system call: execve and event:login, while I try to telnet it using guest, the audit log shows below.

My question is why the root displays in the User=root. and what's the meaning of "login, -h, pc02, -p"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:45 22893 S 59 3785 00 0 00 ?????
[ Event=execve; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000003 (dev);
1714 (inode);
(path) = /etc/opt/resmon/lbin/registrar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:45 22894 S 59 3785 0 0 0 0 0 ?????
[ Event=execve; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000007 (dev);
28932 (inode);
(path) = /usr/lbin/telnetd
PARAM #2 (string array)
telnetd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:45 22895 S 59 22894 0 0 0 0 0 pts/tw
[ Event=execve; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000007 (dev);
2522 (inode);
(path) = /usr/bin/login
PARAM #2 (string array)
login, -h, pc02, -p
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:51 22895 S 9218 22894 0 0 0 0 0 pts/tw
[ Event=login; User=root; Real Grp=root; Eff.Grp=root; ]

SELF-AUDITING TEXT: User= guest uid=11113 audid=201 Login successfully
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:51 22895 S 9218 22894 201 0 0 0 0 pts/tw
[ Event=login; User=guest; Real Grp=root; Eff.Grp=root; ]

SELF-AUDITING TEXT: User= guest uid=11113 audid=201 Successful login

Hero

Matthew_50 · ‎01-31-2005

Is your computer named pc02 or you login from pc02 to the server ?

SureshKumar_2 · ‎01-31-2005

Hi

pc02 : from where the attempt made for telnet.

you can also have a look in below url.
http://seclists.org/lists/bugtraq/1995/Nov/0003.html

suresh

Things are very easy, when u know about it...

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Trusted system

Trusted system

Re: Trusted system

Re: Trusted system