Logging su attempts and failed logins

As a conscientious Solaris administrator, I make every attempt possible to protect my servers from malicious users. This includes disabling all unneeded services, enabling strong password policies, configuring system auditing, enabling strong network defaults, applying system patches and configuring system logging. When I configure system logging, I like to configure the syslogd daemon to log everything to a centralized location. This is typically accomplished by adding an entry similar to the following to /etc/syslog.conf:

*.debug @logserver.prefetch.net

Additionally, I like to log each time a user logs into my systems, as well as all attempts to su to another user. To log all su attempts, the file /var/adm/sulog can be created (in recent releases of Solaris, this file is created by default):

$ touch /var/adm/sulog

To log all successful and unsuccessful logins, you will first need to set the variable SYSLOG_FAILED_LOGINS in /etc/default/login to the value 0. Once the variable is adjusted, you will need to create a log file to store the login attempts:

$ touch /var/adm/loginlog

After the log file is created, the auth priority needs to be added to /etc/syslog.conf:

auth.debug /var/adm/loginlog

With the loginlog and sulog files in place, it is relativley easy to see who accessed a given system at time X, and who tried to become the super user.

This article was posted by Matty on 2007-07-22 12:54:00 -0400 EDT