Security question regarding root email
Dotan Cohen
dotancohen at gmail.com
Mon Jan 2 14:30:36 UTC 2006
On 1/2/06, Charles Howse <chowse at charter.net> wrote:
> > On 1/1/06, John Summerfied <debian at herakles.homelinux.org> wrote:
> >> Dotan Cohen wrote:
> >>> I haven't read root's email in about a month. Now that I get around to
> >>> it, I am surprised to see things that I have never seen before, such
> >>> as:
> >>> --------------------- pam_unix Begin ------------------------
> >>> kde-np:
> >>> Unknown Entries:
> >>> session opened for user dotancohen by (uid=0): 1 Time(s)
> >>> ---------------------- pam_unix End -------------------------
> >>>
> >>> --------------------- Smartd Begin ------------------------
> >>> **Unmatched Entries**
> >>> smartd received signal 15: Terminated
> >>> smartd is exiting (exit status 0)
> >>> ---------------------- Smartd End -------------------------
> >>>
> >>> --------------------- Selinux Audit Begin ------------------------
> >>> Number of audit daemon starts: 1
> >>> Number of audit daemon stops: 2
> >>> *** Logs which could mean a bug ***
> >>> major=252 name_count=0: freeing multiple contexts (1)
> >>> major=113 name_count=0: freeing multiple contexts (2)
> >>> ---------------------- Selinux Audit End -------------------------
> >>>
> >>> --------------------- SSHD Begin ------------------------
> >>> SSHD Killed: 1 Time(s)
> >>> SSHD Started: 1 Time(s)
> >> Normal restart stuff here and in some other places.
> >>
> >
> > Do you mean that this is logged when the computer restarts? Because I
> > have never restarted SSH.
>
> Yes, logged when computer restarts.
>
> >>> ---------------------- SSHD End -------------------------
> >>>
> >>> --------------------- httpd Begin ------------------------
> >>> Requests with error response codes
> >>> 404 Not Found
> >>> /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>> /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>> /favicon.ico: 32 Time(s)
> >>> /javascript/HM_Arrays.js: 1 Time(s)
> >>> /javascript/HM_ScriptDOM.js: 1 Time(s)
> >>> /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>> /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>> ---------------------- httpd End -------------------------
> >>>
> >>> --------------------- pam_unix Begin ------------------------
> >>> kde:
> >>> Unknown Entries:
> >>> session closed for user dotancohen: 3 Time(s)
> >>> session opened for user dotancohen by (uid=0): 3 Time(s)
> >> This looks like you logging in and out three times.
> >>
> >
> > Should that concern me if I don't think that I had EVER logged out and
> > then back in? This is a one-man box.
>
> If you've ever restarted the computer, then you've logged out.
>
> Let me suggest some further research for you:
> Find on your computer, and learn, everything about logging and LogWatch.
> This command:
> $ ls /usr/share/doc/logwatch*
> will show you what onboard documentation there is for logwatch. Read those
> files.
> $ man logwatch
> will also be helpful, but probably only the part where it shows you which
> files are used for configuration.
>
> /etc/syslog.conf is the file that controls what the computer logs and where.
> I would study that file.
> $ man syslog.conf
> is a pretty good place to start reading, also.
>
> Useful ways to see exactly what is going on:
> If I want to find out what is causing this:
> session closed for user dotancohen
> then I would make note of the time, then log out, log back in, and, as root:
> # tail /var/log/messages
> You should see something similar to this:
> Jan 2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
> Jan 2 06:01:01 shemp crond(pam_unix)[8219]: session opened for user root by
> (uid=0)
> Of course, I got this from my system, so your output will be different, but
> the point is that you can compare the time you logged out to the time of the
> log entry, and see what a simple logout or restart will generate in the
> logfiles.
>
> Sorry to be so verbose, and also sorry to suggest reading so many boring man
> pages, but I think I've given you a good nudge in the right direction. :)
>
In other words, I should familiarize myself with the NORMAL log
entries, so that I can pick out the abnormal ones. That is good
advice, and that is what I will be doing more often. I only wish that
I had the time to invest in this that it deserves. In any case, I do
have the old logs to refer to, so that I can see that there are no log
entries that look different from those that were before.
Thank you very, very much. I will be reading TFM a good deal this evening.
Dotan Cohen
http://technology-sleuth.com/question/what_is_a_cellphone.html
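The conclusion above (learn what the normal entries look like, keep the old logs, and compare the time of an entry with what you were doing) can be mechanized. The following is an added example, not code from the thread, from Fedora or from logwatch: it parses syslog-style lines like the crond/pam_unix ones Charles quoted, builds a baseline of message templates from a log that has already been reviewed, flags lines in a newer log whose template has never been seen before, and lists the pam_unix session open/close times for one user so they can be matched against known logins, logouts and reboots. All sample lines are constructed for this example; the hostname shemp, the PIDs, the times and the 192.0.2.10 address are not from anyone's real system.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog style shown in the thread; the
# hostname "shemp", PIDs, times and addresses are made up for this example.
BASELINE_LOG = """\
Jan  1 05:01:01 shemp crond(pam_unix)[7970]: session opened for user root by (uid=0)
Jan  1 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
Jan  1 08:12:44 shemp kde(pam_unix)[2201]: session opened for user dotancohen by (uid=0)
Jan  1 22:40:10 shemp kde(pam_unix)[2201]: session closed for user dotancohen
Jan  1 22:40:12 shemp smartd[1410]: smartd received signal 15: Terminated
Jan  1 22:40:12 shemp smartd[1410]: smartd is exiting (exit status 0)
Jan  1 22:40:13 shemp sshd[1388]: Received signal 15; terminating.
Jan  1 22:42:30 shemp sshd[1402]: Server listening on 0.0.0.0 port 22.
"""

CURRENT_LOG = """\
Jan  2 05:01:01 shemp crond(pam_unix)[8219]: session opened for user root by (uid=0)
Jan  2 05:01:01 shemp crond(pam_unix)[8219]: session closed for user root
Jan  2 09:03:17 shemp kde(pam_unix)[2344]: session opened for user dotancohen by (uid=0)
Jan  2 11:15:42 shemp sshd[3120]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jan  2 11:15:45 shemp sshd[3120]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
Jan  2 13:30:00 shemp kde(pam_unix)[2344]: session closed for user dotancohen
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "   # "Jan  2 05:01:01"
    r"(?P<host>\S+) "                                       # hostname
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "             # "crond(pam_unix)[7970]"
    r"(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM_RE = re.compile(r"\d+")


def parse(line):
    """Split one syslog line into its fields; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def template(msg):
    """Mask the parts that legitimately vary (addresses, PIDs, counters)
    so that lines of the same kind collapse onto one template."""
    msg = IPV4_RE.sub("<ip>", msg)
    return NUM_RE.sub("<n>", msg)


def build_baseline(log_text):
    """Count (program, message-template) pairs seen in a log you have already reviewed."""
    seen = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            seen[(rec["prog"], template(rec["msg"]))] += 1
    return seen


def find_unfamiliar(baseline, log_text):
    """Return the lines of a newer log whose template never appeared in the baseline."""
    unfamiliar = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and (rec["prog"], template(rec["msg"])) not in baseline:
            unfamiliar.append(line)
    return unfamiliar


def session_events(log_text, user):
    """List (timestamp, 'opened'|'closed') pam_unix events for one user, so the
    times can be compared with when you actually logged in, out or rebooted."""
    events = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or "pam_unix" not in rec["prog"]:
            continue
        m = re.match(r"session (opened|closed) for user (\S+)", rec["msg"])
        if m and m.group(2) == user:
            events.append((rec["ts"], m.group(1)))
    return events


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for line in find_unfamiliar(baseline, CURRENT_LOG):
        print("NEW KIND OF ENTRY:", line)
    for ts, what in session_events(CURRENT_LOG, "dotancohen"):
        print(f"{ts}: session {what}")
```

On the constructed input, the crond, kde and smartd lines all match templates from the reviewed log and are skipped, while the two sshd "Failed password" lines are reported as a kind of entry the baseline has never contained. The masking is deliberately coarse: PIDs, counters and addresses are replaced, but usernames are kept, so a session opened for an unexpected user would also surface as unfamiliar. In practice the baseline would be built from the old /var/log/messages files Dotan mentions keeping, and re-reviewed whenever a flagged entry turns out to be benign.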
More information about the fedora-list mailing list