log root logins? - Aix



Thread: log root logins?

  1. log root logins?

    Fellow AIX'ers;

    Normally to display user logins one would use the "last" command, which feeds
    on the /var/adm/wtmp file. On our AIX 5.3 system today last stated that
    the file "wtmp" could not be found.

    Upon examination it was determined that one of our admins deleted it and
    without its presence login logging was disabled. I have since created
    "wtmp" and logins are once again being logged.

    So, my questions... is there any other resource where one can obtain
    information on system root logins other than the adm mechanism?

    Please advise?

    Thanks,

    Bob M


  2. Re: log root logins?

    On Oct 24, 1:01 pm, bobmct wrote:
    > Fellow AIX'ers;
    >
    > Normally to display user logins one would use the "last" command, which feeds
    > on the /var/adm/wtmp file. On our AIX 5.3 system today last stated that
    > the file "wtmp" could not be found.
    >
    > Upon examination it was determined that one of our admins deleted it and
    > without its presence login logging was disabled. I have since created
    > "wtmp" and logins are once again being logged.
    >
    > So, my questions... is there any other resource where one can obtain
    > information on system root logins other than the adm mechanism?
    >
    > Please advise?
    >
    > Thanks,
    >
    > Bob M


    Depending on how your syslog.conf file is set up, you might also see
    su to root and other root info.

    I'm set up for *.debug and get the following in my log file:

    Oct 24 10:13:10 server1 auth|security:notice su: from wdd to root at /dev/pts/4

    Hopefully root can't log in directly, so you will see the su's.

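    An added example (not code from the thread) of pulling the "su to root" events out of a syslog file written with the selector described above; the log line format is the one shown in the reply, and the sample log lines and the path argument are constructed for this example.

```shell
#!/bin/sh
# Extract "su to root" events from an AIX syslog file written by an
# auth.* / *.debug selector. Line format assumed (as in the reply above):
#   Oct 24 10:13:10 server1 auth|security:notice su: from USER to root at TTY
# The sample lines are constructed for a stand-alone run, not real data.

# Write a small constructed log to the path given in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Oct 24 10:13:10 server1 auth|security:notice su: from wdd to root at /dev/pts/4
Oct 24 10:20:33 server1 auth|security:notice su: from wdd to oracle at /dev/pts/4
Oct 24 11:02:51 server1 auth|security:info sshd[1234]: Accepted publickey for wdd
Oct 24 11:45:07 server1 auth|security:notice su: from alice to root at /dev/pts/7
EOF
}

# Print "Mon DD HH:MM:SS user tty" for every switch to root in the file $1.
# su to other accounts and unrelated auth lines are ignored.
su_to_root() {
    awk '/ su: from [^ ]+ to root at /{
        # $1-$3 is the syslog timestamp; the user is the word after "from",
        # the tty the word after "at".
        for (i = 1; i <= NF; i++) {
            if ($i == "from") user = $(i + 1)
            if ($i == "at")   tty  = $(i + 1)
        }
        print $1, $2, $3, user, tty
    }' "$1"
}

# Count of su-to-root events: handy for a daily comparison between the
# local log and the copy shipped to another host.
su_to_root_count() {
    su_to_root "$1" | wc -l | tr -d ' '
}

# Usage: make_sample_log /tmp/auth.log; su_to_root /tmp/auth.log
```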


  3. Re: log root logins?

    On Oct 24, 12:01 pm, bobmct wrote:
    > Fellow AIX'ers;
    >
    > Normally to display user logins one would use the "last" command, which feeds
    > on the /var/adm/wtmp file. On our AIX 5.3 system today last stated that
    > the file "wtmp" could not be found.
    >
    > Upon examination it was determined that one of our admins deleted it and
    > without its presence login logging was disabled. I have since created
    > "wtmp" and logins are once again being logged.
    >
    > So, my questions... is there any other resource where one can obtain
    > information on system root logins other than the adm mechanism?
    >
    > Please advise?
    >
    > Thanks,
    >
    > Bob M


    Have you investigated the audit facility? It can log a lot of low
    level OS activities.

    Miles


  4. Re: log root logins?

    On Oct 25, 6:01 am, bobmct wrote:
    > Fellow AIX'ers;
    >
    > Normally to display user logins one would use the "last" command, which feeds
    > on the /var/adm/wtmp file. On our AIX 5.3 system today last stated that
    > the file "wtmp" could not be found.
    >
    > Upon examination it was determined that one of our admins deleted it and
    > without its presence login logging was disabled. I have since created
    > "wtmp" and logins are once again being logged.
    >
    > So, my questions... is there any other resource where one can obtain
    > information on system root logins other than the adm mechanism?
    >
    > Please advise?
    >
    > Thanks,
    >
    > Bob M


    Snoop around in /etc/security.


  5. Re: log root logins?


    "bobmct" wrote in message
    news:13huujmnu5u1f09@corp.supernews.com...
    > Fellow AIX'ers;
    >
    > Normally to display user logins one would use the "last" command, which feeds
    > on the /var/adm/wtmp file. On our AIX 5.3 system today last stated that
    > the file "wtmp" could not be found.
    >
    > Upon examination it was determined that one of our admins deleted it and
    > without its presence login logging was disabled. I have since created
    > "wtmp" and logins are once again being logged.
    >
    > So, my questions... is there any other resource where one can obtain
    > information on system root logins other than the adm mechanism?
    >
    > Please advise?
    >
    > Thanks,
    >
    > Bob M
    >


    http://www.thomasnet.com/products/ru...9311006-1.html



  6. Re: log root logins?

    Some thoughts on this ..

    Don't allow direct root logins, then you will also have the su log ..
    make sure you ship it offsite regularly, as when you have root access
    you can then delete it etc..

    audit is a pain in the ass (and it crashes systems .. even now on AIX
    5.3), and again, once you have root login you can stop it and remove
    the stream etc, so you need to ship that offsite too .. same for
    syslog .. syslog will allow you to log to another system, which is very
    handy .. or just use plain old sudo for root stuff and don't let anyone
    have root access.

    HTH
    Mark Taylor

