
root login audit

sonriks asked:
Need this info for a script I’m writing to keep the auditors happy!

On HP all sshd records that show who logged into the server as root are found in:  /var/adm/syslog/syslog.log
Example record: Dec  6 13:20:41 sapprd01 sshd[7541]: Accepted keyboard-interactive/pam for root from 10.38.132.33 port 65361 ssh2

What logs record this activity on Solaris and Linux?

Most Valuable Expert 2013
Top Expert 2013

Commented:
Look at /etc/syslog.conf for the auth...  entry (or *... if any).

Consult /etc/sshd_conf for the "syslog" directive if the above doesn't give you the clue.
In Linux it is /var/log/secure
Also check /var/log/audit/audit.log if SELinux is turned on

Commented:
In Solaris syslog is in

/var/log/syslog

Also in Solaris, there is a sulog, which records whoever switches to root on the server:

/var/adm/sulog

Author

Commented:
Hi woolmilkporc .... Here's what syslog.conf looks like on the Solaris servers I need to work on. I'm not sure what changes I would need to make to it in order to direct sshd messages of the type

Dec  6 13:20:41 sapprd01 sshd[7541]: Accepted keyboard-interactive/pam for root from 10.38.132.33 port 65361 ssh2

to syslog.log ..... It looks like it should be a matter of changing a line or two.

#ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

*.alert;kern.err;daemon.err                     operator
*.alert                                         root

*.emerg                                         *

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
auth.notice                     /var/log/authlog
#auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *
)

Also, here is the only reference to syslog I was able to find in the /etc/ssh/sshd_config file.
# Syslog facility and level
SyslogFacility auth
LogLevel info

Do you think both files would need to be updated?



Most Valuable Expert 2013
Top Expert 2013
Commented:
Settings in both files are OK.

sshd_config has the default "auth.info" activated,
and there is an entry in syslog.conf covering most of that facility.level combo:
 ("auth.notice                     /var/log/authlog")

Just look at /var/log/authlog. The required info should be there.
Most Valuable Expert 2013
Top Expert 2013

Commented:
If you want to see more messages than just those at the "notice" level and above, change in /etc/syslog.conf:

auth.notice                     /var/log/authlog

to

auth.info                        /var/log/authlog

and restart syslogd.

To see all possible sshd messages, change the syslog entry to

auth.debug                        /var/log/authlog

and in sshd_config

LogLevel info

to

LogLevel debug

Restart sshd and syslogd.

Please note that logging with a DEBUG level violates the privacy of users and is not recommended.
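The original question was about feeding these records into an audit script. The following is an added example, not code from the thread or from either participant: a POSIX sh/awk function that pulls the "Accepted"/"Failed" sshd records for a given user out of a log file in the formats quoted above (HP-UX syslog.log, Solaris authlog with its "[ID nnn facility.level]" tag, Linux secure). The sample log is constructed here so the script runs offline; the first two lines are the records quoted in the thread, the rest are invented and labelled as such. It assumes the log files are readable by the script and that sshd writes the standard "Accepted/Failed <method> for <user> from <ip> port <port>" wording, which is what the thread shows. It does not cover /var/adm/sulog, whose format is different.

```shell
#!/bin/sh
# Added example: extract root ssh login events (successful and failed)
# from an sshd log. Handles the HP-UX, Solaris and Linux line formats
# seen in this thread. Output: RESULT USER SOURCE-IP PORT TIMESTAMP HOST

# Constructed sample log. Lines 1-2 are the records quoted in the thread;
# the remaining lines are invented for the example. Note the Solaris
# "Accepted" records carry auth.info, which is why the original
# auth.notice entry in syslog.conf only captured the failures.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Dec  6 13:20:41 sapprd01 sshd[7541]: Accepted keyboard-interactive/pam for root from 10.38.132.33 port 65361 ssh2
Sep 15 15:11:41 baja10 sshd[27588]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 10.32.11.117 port 1133 ssh2
Sep 15 15:12:03 baja10 sshd[27590]: [ID 800047 auth.info] Accepted publickey for root from 10.32.11.117 port 1140 ssh2
Sep 15 15:12:10 baja10 sshd[27591]: [ID 800047 auth.info] Accepted password for oracle from 10.32.11.118 port 1141 ssh2
Sep 15 15:13:00 baja10 su: 'su root' succeeded for oracle on /dev/pts/3
EOF

# root_ssh_logins FILE [USER]
# Print one line per Accepted/Failed sshd event for USER (default: root).
# Non-sshd records (e.g. the su line above) are ignored.
root_ssh_logins() {
    file=$1
    user=${2:-root}
    awk -v user="$user" '
        # Field 5 is the program tag, e.g. "sshd[7541]:"
        $5 ~ /^sshd\[/ {
            # Scan forward so the optional Solaris "[ID nnn auth.level]"
            # tag does not shift the fields we care about.
            for (i = 6; i <= NF; i++)
                if ($i == "Accepted" || $i == "Failed") break
            if (i > NF) next
            # Layout from here: RESULT METHOD for USER from IP port PORT ssh2
            if ($(i+2) == "for" && $(i+3) == user && $(i+4) == "from")
                printf "%s %s %s %s %s %s %s %s\n",
                       $i, $(i+3), $(i+5), $(i+7), $1, $2, $3, $4
        }' "$file"
}

# count_logins FILE RESULT [USER]: number of events with the given result
# ("Accepted" or "Failed") for USER, useful as an audit summary figure.
count_logins() {
    root_ssh_logins "$1" "${3:-root}" | awk -v r="$2" '$1 == r { n++ } END { print n + 0 }'
}

# Usage on the constructed sample:
root_ssh_logins "$SAMPLE_LOG"
echo "root accepted: $(count_logins "$SAMPLE_LOG" Accepted)"
echo "root failed:   $(count_logins "$SAMPLE_LOG" Failed)"
```

On a real host you would point root_ssh_logins at /var/adm/syslog/syslog.log (HP-UX), /var/log/authlog (Solaris, after raising the syslog.conf entry to auth.info as discussed above) or /var/log/secure (Linux). Comparing the Accepted count against the change tickets for the period is the kind of check auditors tend to ask for.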



Author

Commented:
thanks for all the info. You once again have saved me many hours!

Author

Commented:
I spoke a little prematurely. It looks as though only the failed attempts are being written to /var/log/authlog.

Sep 15 15:11:41 baja10 sshd[27588]: [ID 800047 auth.notice] Failed keyboard-interactive for root from 10.32.11.117 port 1133 ssh2

I need all the root login attempts to be written to this file, both the Failed (above) and the good. What would I need to change, and where, so that all sshd remote logins are recorded?

Author

Commented:
Will changing things to DEBUG result in a lot of unnecessary messages? Or is it the only way to get what I need.
Most Valuable Expert 2013
Top Expert 2013

Commented:
Did you read my very last comment above?
Most Valuable Expert 2013
Top Expert 2013

Commented:
Try "info" first and check whether it's sufficient.

Author

Commented:
yes, I'm sorry .... read it again after sending the last message. Thanks for your patience! I know it looks like I'm not paying attention.