Logging su attempts and failed logins

As a conscientious Solaris administrator, I make every attempt possible to protect my servers from malicious users. This includes disabling all unneeded services, enabling strong password policies, configuring system auditing, enabling strong network defaults, applying system patches and configuring system logging. When I configure system logging, I like to configure the syslogd daemon to log everything to a centralized location. This is typically accomplished by adding an entry similar to the following to /etc/syslog.conf:

*.debug @logserver.prefetch.net

Additionally, I like to log each time a user logs into my systems, as well as all attempts to su to another user. To log all su attempts, the file /var/adm/sulog can be created (in recent releases of Solaris, this file is created by default):

$ touch /var/adm/sulog

To log all successful and unsuccessful logins, you will first need to set the variable SYSLOG_FAILED_LOGINS in /etc/default/login to the value 0. Once the variable is adjusted, you will need to create a log file to store the login attempts:

$ touch /var/adm/loginlog

After the log file is created, the auth priority needs to be added to /etc/syslog.conf:

auth.debug /var/adm/loginlog

With the loginlog and sulog files in place, it is relativley easy to see who accessed a given system at time X, and who tried to become the super user.

2 Comments

Ayotunde Itayemi  on July 30th, 2007

Hi, auditing has been giving me a huge headache. I have to dev-null the audit file 2 or more times per day on some of the more “active” system e.g., webservers. I am using some simple config I found on the net that basically audits everything. Can I get a more restrictive config from you? Also what do you do with the audit files which i assume you probably also send to a central locations i.e., what’s your policy on keeping them (or processing them)? Concerning Solaris 10, is there a guide out there on using Xen to host a Solaris 9 VM on Solaris10? Can I configure virtual HBAs with configuravle WWNs that will be seen by a SAN infrastructure (as opposed to the HBA of the host server itself?)
Nice site, stumbled on it by chance but I will be sure to visit again!.

srinivas  on September 19th, 2007

Hi

Eccellent helped in resolving my issue of logging syslog to remotehost

Leave a Comment