
Trusted system

 
j773303
Super Advisor

Trusted system

As in the message below, I enabled auditing of the system call execve and the event login. When I try to telnet to it as guest, the audit log shows the following.

My question is why root is displayed in User=root, and what is the meaning of "login, -h, pc02, -p"?



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:45 22893 S 59 3785 00 0 00 ?????
[ Event=execve; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000003 (dev);
1714 (inode);
(path) = /etc/opt/resmon/lbin/registrar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:45 22894 S 59 3785 0 0 0 0 0 ?????
[ Event=execve; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000007 (dev);
28932 (inode);
(path) = /usr/lbin/telnetd
PARAM #2 (string array)
telnetd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:45 22895 S 59 22894 0 0 0 0 0 pts/tw
[ Event=execve; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (file path) = 0 (cnode);
0x40000007 (dev);
2522 (inode);
(path) = /usr/bin/login
PARAM #2 (string array)
login, -h, pc02, -p
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:51 22895 S 9218 22894 0 0 0 0 0 pts/tw
[ Event=login; User=root; Real Grp=root; Eff.Grp=root; ]

SELF-AUDITING TEXT: User= guest uid=11113 audid=201 Login successfully
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
041223 13:27:51 22895 S 9218 22894 201 0 0 0 0 pts/tw
[ Event=login; User=guest; Real Grp=root; Eff.Grp=root; ]

SELF-AUDITING TEXT: User= guest uid=11113 audid=201 Successful login
Hero
Matthew_50
Valued Contributor

Re: Trusted system

Is your computer named pc02, or do you log in from pc02 to the server?
SureshKumar_2
Valued Contributor
Solution

Re: Trusted system

Hi

pc02: the host from which the telnet attempt was made.

You can also have a look at the URL below.
http://seclists.org/lists/bugtraq/1995/Nov/0003.html

suresh
Things are very easy, when u know about it...
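
An added example, not part of the original thread and not an HP tool: a small Python parser for the record layout shown in the question. It joins the execve of login to the login events of the same PID, so the user the process ran as, the host passed after -h and the account named in the self-auditing text can be read together. The function names are hypothetical; treating the third header column as the PID and the value after -h as the remote host are assumptions based on the log and the answer above.

```python
import re
# Constructed sample: records abridged from the audit output quoted in the question.
SAMPLE = """\
~~~~~~~~
041223 13:27:45 22895 S 59 22894 0 0 0 0 0 pts/tw
[ Event=execve; User=root; Real Grp=root; Eff.Grp=root; ]
(path) = /usr/bin/login
PARAM #2 (string array)
login, -h, pc02, -p
~~~~~~~~
041223 13:27:51 22895 S 9218 22894 0 0 0 0 0 pts/tw
[ Event=login; User=root; Real Grp=root; Eff.Grp=root; ]
SELF-AUDITING TEXT: User= guest uid=11113 audid=201 Login successfully
~~~~~~~~
041223 13:27:51 22895 S 9218 22894 201 0 0 0 0 pts/tw
[ Event=login; User=guest; Real Grp=root; Eff.Grp=root; ]
SELF-AUDITING TEXT: User= guest uid=11113 audid=201 Successful login
"""

def parse_records(text):
    """Split on the ~~~ separator lines; keep only the fields shown on this page."""
    records = []
    for chunk in re.split(r"(?m)^~{5,}\s*$", text):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        tag = re.search(r"Event=(\w+); User=(\w+);", lines[1]) if len(lines) > 1 else None
        if not tag:
            continue  # not a record (empty chunk or damaged header)
        rec = {"pid": int(lines[0].split()[2]), "event": tag.group(1),
               "user": tag.group(2), "argv": [], "account": None}
        for i, line in enumerate(lines[2:], start=2):
            if line.startswith("PARAM #2 (string array)") and i + 1 < len(lines):
                rec["argv"] = [a.strip() for a in lines[i + 1].split(",")]
            elif line.startswith("SELF-AUDITING TEXT:"):
                m = re.search(r"User=\s*(\S+)", line)
                rec["account"] = m.group(1) if m else None
        records.append(rec)
    return records

def login_sessions(records):
    """Join the exec of login to the later login events of the same PID."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["pid"], {"exec_user": None, "host": None, "account": None})
        if r["event"] == "execve" and "-h" in r["argv"][:-1]:
            s["exec_user"] = r["user"]
            s["host"] = r["argv"][r["argv"].index("-h") + 1]
        elif r["event"] == "login" and r["account"]:
            s["account"] = r["account"]
    return sessions
```

Calling `login_sessions(parse_records(SAMPLE))` gives one entry for PID 22895 with exec user root, host pc02 and account guest.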