Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Sat Oct 04, 2008 9:16 am, Post subject: [TEMPORARY SOLVED] Logwatch & SU- Problem
Hello,
I have a problem that, as far as I know, seems to be specific to the Gentoo distro only. It's about Logwatch... the problem is that, when I receive the daily logs in my mail account, in the "Authentications" section it says: Session Opened: root -> root. This is wrong; I want to see the user that is su-ing. Under Authentication Failures it says correctly: admin(1001) -> root: 7 Time(s)... that's OK, but the Opened Session part has a problem. Please advise.
```text
su:
   Authentication Failures:
      admin(1001) -> root: 7 Time(s)   // here is correct !
      zeppy(1005) -> root: 1 Time(s)   // same here
   Sessions Opened:
      root -> root: 5 Time(s)          // Here is wrong ! it should say "admin" or "zeppy" -> root
sudo:
   Sessions Opened:
      root -> root: 5 Time(s)          // here wrong too !
   Unknown Entries:
      auth could not identify password for [zeppy]: 2 Time(s)
      conversation failed: 2 Time(s)
```
I've also checked the logs. They're ok:
```text
Oct 3 12:21:11 infosky su[21667]: Successful su for root by admin
Oct 3 12:21:11 infosky su[21667]: + pts/0 admin:root
Oct 3 12:21:11 infosky su[21667]: pam_unix(su:session): session opened for user root by admin(uid=1001)
```
Last edited by Anquietas on Wed Oct 29, 2008 11:08 pm; edited 1 time in total

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Sun Oct 05, 2008 6:59 pm
Well, anyone? A suggestion... if you do not know, please write "Unknown" here so I don't follow this topic any longer.

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Mon Oct 13, 2008 12:31 pm
Well, if no one has bothered to investigate this problem, please feel free to lock this topic, as nobody cares...

desultory (Bodhisattva), Joined: 04 Nov 2005, Posts: 9410
Posted: Tue Oct 14, 2008 7:20 am
I have been worse.

> Anquietas wrote: if no one has bothered to investigate this problem,

Including you?

> Anquietas wrote: please feel free to lock this topic,

That feeling comes with the ability.

> Anquietas wrote: as nobody cares...

Including you?

Having taken a few minutes to check the source and review the appropriate documentation, a few minutes in total including writing this post, it seems getpwuid() is getting confused for some reason.

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Tue Oct 14, 2008 7:45 am
I understand that, and excuse me if I was too cocky, but my other admins are confused and my boss does not like it at all, every day he stresses me... and I'm not a developer... I only know very basic C programming, that's why I asked for YOUR help, the help of the real developers; I suppose you know 100 times more about Gentoo development than I do...
Can you fix that problem?...

bunder (Bodhisattva), Joined: 10 Apr 2004, Posts: 5947
Posted: Tue Oct 14, 2008 10:09 am
Don't you get a section like this in your logwatch?

```text
--------------------- Connections (secure-log) Begin ------------------------
Users performing Su Changes:
   chris:
      root 7 time(s)
```

Usually comes a little after the su/sshd log.
Cheers

_________________
Neddyseagoon wrote: "The problem with leaving is that you can only do it once and it reduces your influence."
banned from #gentoo since sept 2017

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Tue Oct 14, 2008 11:41 am
Nope.

```text
--------------------- pam_unix Begin ------------------------
sshd:
   Sessions Opened:
      tig3r_3d: 5 Time(s)
      admin: 4 Time(s)
su:
   Sessions Opened:
      root -> root: 4 Time(s)   // here is the problem.. who sued ? admin, or tig3r ?...
---------------------- pam_unix End -------------------------

--------------------- SSHD Begin ------------------------
Didn't receive an ident from these IPs:
   212.15.114.102: 1 Time(s)
   61.185.123.141: 1 Time(s)
Users logging in through sshd:
   admin:
      192.168.0.2 (Mainframe): 2 times
      192.168.0.3 (Terminal): 2 times
   tig3r_3d:
      193.226.19.115 (labgate.science.upm.ro): 3 times
      193.226.20.81 (gw1.upm.ro): 2 times
SFTP subsystem requests: 4 Time(s)
---------------------- SSHD End -------------------------
```

desultory (Bodhisattva), Joined: 04 Nov 2005, Posts: 9410
Posted: Fri Oct 17, 2008 6:58 am
To help avoid chasing the wrong problem, what version are you using?

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Fri Oct 17, 2008 7:28 am
sys-apps/logwatch-7.3.2

bunder (Bodhisattva), Joined: 10 Apr 2004, Posts: 5947
Posted: Fri Oct 17, 2008 12:30 pm
Oddly enough, so am I.

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Fri Oct 17, 2008 1:39 pm
Yea... well, I hope somebody resolves this... a developer or someone with programming skills. I suppose it's something in the source code that gets misread... or syslog-ng does not log correctly, but I doubt it...

bunder (Bodhisattva), Joined: 10 Apr 2004, Posts: 5947
Posted: Fri Oct 17, 2008 2:28 pm
syslog-ng? I'm using sysklogd. I wonder if that could make any difference.

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Fri Oct 17, 2008 6:00 pm
Hell knows... do you have that problem? Or is everything working perfectly for you? (I mean the logwatch su system)

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Mon Oct 27, 2008 8:19 am, Post subject: Logwatch SU Problem, again !
I ask you again... what is the damn problem with Logwatch & su?
Has nobody with more experience in C tried to solve this?... or someone, please, it's very important!
I've started 2 topics on this problem, not a single solution...
I nicely ask a developer to "emerge logwatch" and do a couple of tests on this problem; there must be something wrong here, for god's sake...

```text
sshd:
   Sessions Opened:
      tig3r_3d: 2 Time(s)
      admin: 1 Time(s)
su:
   Sessions Opened:
      root -> root: 5 Time(s)
```

Who the hell has su-ed?! admin or tig3r_3d?...
Will someone please solve this problem, I'm going nuts already!
I tried explaining nicely, I tried nicely to present my problem... but it has gone on like this for over a month now... My server is in production, I must know the users that are su-ing.
If it is a bug, then please mask this package and recommend another...

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Mon Oct 27, 2008 8:28 am
Well, anyone, a solution, something?!?!?!?

VinzC (Watchman), Joined: 17 Apr 2004, Posts: 5098, Location: Dark side of the mood
Posted: Mon Oct 27, 2008 8:38 am
Do you expect Linux to give you the name of the person behind the userid that ran su? It looks like only root has used su to... be root! I don't know your case exactly but this is what to guess from the log. Isn't that what happened?

_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!

Stupendoussteve (n00b), Joined: 06 Sep 2005, Posts: 72, Location: US West
Posted: Mon Oct 27, 2008 8:43 am
Does someone have local access to the machine?
Otherwise they would have had to log in through ssh as root anyway. However, there are 5 su's and only 3 ssh logins, which also looks like there is someone coming on locally as root and running su.

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Mon Oct 27, 2008 10:47 am
No, that's not the case.
Root cannot log in directly over SSH; only local users are able to log in, and some of them are granted wheel group access to be able to su-.
Probably one user from there su-ed more than once, that's why there are 5 su's and only 3 ssh logins.
And yes, I expect Logwatch to tell me which user (uid) has su-ed.

VinzC (Watchman), Joined: 17 Apr 2004, Posts: 5098, Location: Dark side of the mood
Posted: Mon Oct 27, 2008 1:43 pm
How can you tell nobody can log on/has logged on interactively from the console?

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Mon Oct 27, 2008 2:37 pm
I don't understand your question... please reformulate...
If you are referring to who is logging in, the box is a production server, and only SSH logins are allowed; TTY logins are very rare...
And the RootLogin option in SSHd is disabled.
Only the Linux users can log in, and some of them are in the wheel group for su-ing.

VinzC (Watchman), Joined: 17 Apr 2004, Posts: 5098, Location: Dark side of the mood
Posted: Mon Oct 27, 2008 7:06 pm
A su event:

```text
Oct 27 20:00:48 athena su[25387]: Successful su for root by myself
Oct 27 20:00:48 athena su[25387]: + pts/1 myself:root
Oct 27 20:00:48 athena su[25387]: pam_unix(su:session): session opened for user root by (uid=1000)
```

Try this to be sure:

```sh
egrep 'su\[[[:digit:]]+\]' /var/log/messages
```

Then you'll know who issued su.

timeBandit (Bodhisattva), Joined: 31 Dec 2004, Posts: 2719, Location: here, there or in transit
Posted: Mon Oct 27, 2008 9:02 pm
Merged a half-dozen posts above, starting from here:

> Anquietas wrote: I ask you again... what is the damn problem with Logwatch & su?
> ...
> If it is a bug, then please Mask this Package and recommend another...

I can't say, but a probable answer based on what I've read above is, "logwatch is misconfigured." If not, bugs should be reported on Bugzilla, not here. In either case, a minor bug would not warrant masking an otherwise stable package.

> I've started 2 topics on this problem, not a single solution...

One problem, one topic, N solutions, where N >= 0. Please stop cross-posting, you were warned once before. If you haven't done so, now would be a good time to review the forum Guidelines:

> Guidelines wrote: 12. Cross posting - Please do not post the same question to multiple forums. Cross posting clutters up the forums and makes things like searching harder for other users. If you feel your question could fit in multiple forums, please pick the best one and post there. Please do not post about the same subject multiple times. One thread is sufficient.

If a topic you feel is important is not garnering any responses, it's acceptable to bump the thread at most once every 24 hours.

_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Mon Oct 27, 2008 10:24 pm
OK, I'm sorry I didn't follow the rules. I will be more careful, I promise.

Anquietas (Tux's lil' helper), Joined: 06 Jul 2008, Posts: 83
Posted: Wed Oct 29, 2008 11:06 pm
Well, I found a way around the problem... I got angry and resolved it myself...
I modified the pam_unix file of Logwatch and it works:
Steps to follow:
1. Open:

```text
/usr/share/logwatch/scripts/services/pam_unix
```

2. Modify these lines:

```perl
# FROM THIS (the script as shipped):
$byid =~ s/\(uid=(\d+)\)/$1/;          # "admin(uid=1001)" becomes "admin1001"
my $onam = getpwuid($byid) or $byid;   # "admin1001" numifies to 0, so getpwuid() answers "root";
                                       # the "or $byid" fallback never fires, "or" binds looser than "="
$data{$service}{'Sessions Opened'}{"$onam -> $nam"}++;

# TO THIS (workaround: report name and uid straight from the log line instead of resolving it):
$byid =~ s/\(uid=(\d+)\)/($1)/;        # "admin(uid=1001)" becomes "admin(1001)"
my $onam = getpwuid($byid) or $byid;   # now unused, left as in the original
$data{$service}{'Sessions Opened'}{"$byid -> $nam"}++;
```

3. Test it: log in and su- once with a wrong password and once with the correct password, and then run the Logwatch Perl mail generator script (you can find it in /etc/cron.daily/00_logwatch* or something like this).

It's a temporary measure, I hope a new version will fix this for good...
But for now, I'm glad I found this solution, one more problem off my head.
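The "Sessions Opened" bookkeeping behind those lines, re-implemented in Python as an added example (not logwatch's own code) so the original and the corrected attribution can be run side by side on the same input. The log lines, hostnames and the PASSWD table standing in for getpwuid() are constructed; the uid values match the ones quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the format shown in the thread (pids and times made up).
SAMPLE_LOG = """\
Oct  3 12:21:11 infosky su[21667]: Successful su for root by admin
Oct  3 12:21:11 infosky su[21667]: + pts/0 admin:root
Oct  3 12:21:11 infosky su[21667]: pam_unix(su:session): session opened for user root by admin(uid=1001)
Oct  3 12:25:40 infosky su[21702]: pam_unix(su:session): session opened for user root by zeppy(uid=1005)
Oct  3 12:30:02 infosky sshd[21750]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Oct 27 20:00:48 athena su[25387]: pam_unix(su:session): session opened for user root by (uid=1000)
"""
# Constructed stand-in for getpwuid() so the example runs offline.
PASSWD = {0: "root", 1000: "myself", 1001: "admin", 1005: "zeppy"}
OPENED = re.compile(r"pam_unix\((\w+):session\): session opened for user (\S+) by (\S*)")

def perl_numify(s):
    """Mimic Perl's string-to-number coercion: leading digits count, anything else is 0."""
    m = re.match(r"\s*(\d+)", s)
    return int(m.group(1)) if m else 0

def count_sessions(log, fixed=True):
    """Return {service: Counter("who -> user")}, i.e. logwatch's 'Sessions Opened' table."""
    data = {}
    for line in log.splitlines():
        m = OPENED.search(line)
        if not m:
            continue
        service, user, by = m.groups()
        if fixed:
            # Keep the login name the log already carries; resolve only a bare "(uid=N)".
            nm = re.match(r"(\w*)\(uid=(\d+)\)", by)
            if nm:
                name, uid = nm.group(1), int(nm.group(2))
                who = f"{name or PASSWD.get(uid, uid)}({uid})"
            else:
                who = by  # older format with just a name after "by"
        else:
            # Shipped script: s/\(uid=(\d+)\)/$1/ turns "admin(uid=1001)" into "admin1001",
            # which getpwuid() numifies to 0 and reports as "root". A bare "(uid=1000)" still works.
            byid = re.sub(r"\(uid=(\d+)\)", r"\1", by)
            who = PASSWD.get(perl_numify(byid), byid)
        data.setdefault(service, Counter())[f"{who} -> {user}"] += 1
    return data

if __name__ == "__main__":
    for mode in (False, True):
        print("fixed" if mode else "original", dict(count_sessions(SAMPLE_LOG, mode)))
```

Only the su lines that carry "name(uid=N)" are misattributed by the shipped script; a bare "(uid=N)" resolves correctly, which is why the sshd section in the thread looked fine while su did not.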