Security question regarding root email

Dotan Cohen dotancohen at gmail.com
Mon Jan 2 14:30:36 UTC 2006


On 1/2/06, Charles Howse <chowse at charter.net> wrote:
> > On 1/1/06, John Summerfied <debian at herakles.homelinux.org> wrote:
> >> Dotan Cohen wrote:
> >>> I haven't read root's email in about a month. Now that I get around to
> >>> it, I am surprised to see things that I have never seen before, such
> >>> as:
> >>>  --------------------- pam_unix Begin ------------------------
> >>>  kde-np:
> >>>     Unknown Entries:
> >>>        session opened for user dotancohen by (uid=0): 1 Time(s)
> >>>  ---------------------- pam_unix End -------------------------
> >>>
> >>>  --------------------- Smartd Begin ------------------------
> >>>  **Unmatched Entries**
> >>>  smartd received signal 15: Terminated
> >>>  smartd is exiting (exit status 0)
> >>>  ---------------------- Smartd End -------------------------
> >>>
> >>>  --------------------- Selinux Audit Begin ------------------------
> >>>   Number of audit daemon starts: 1
> >>>   Number of audit daemon stops: 2
> >>>  *** Logs which could mean a bug ***
> >>>     major=252 name_count=0: freeing multiple contexts (1)
> >>>     major=113 name_count=0: freeing multiple contexts (2)
> >>>  ---------------------- Selinux Audit End -------------------------
> >>>
> >>>  --------------------- SSHD Begin ------------------------
> >>>  SSHD Killed: 1 Time(s)
> >>>  SSHD Started: 1 Time(s)
> >> Normal restart stuff here and in some other places.
> >>
> >
> > Do you mean that this is logged when the computer restarts? Because I
> > have never restarted SSH.
>
> Yes, logged when computer restarts.
>
> >>>  ---------------------- SSHD End -------------------------
> >>>
> >>>  --------------------- httpd Begin ------------------------
> >>>  Requests with error response codes
> >>>     404 Not Found
> >>>        /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>>        /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>>        /favicon.ico: 32 Time(s)
> >>>        /javascript/HM_Arrays.js: 1 Time(s)
> >>>        /javascript/HM_ScriptDOM.js: 1 Time(s)
> >>>        /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>>        /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1
> >>> Time(s)
> >>>  ---------------------- httpd End -------------------------
> >>>
> >>>  --------------------- pam_unix Begin ------------------------
> >>>  kde:
> >>>     Unknown Entries:
> >>>        session closed for user dotancohen: 3 Time(s)
> >>>        session opened for user dotancohen by (uid=0): 3 Time(s)
> >> This looks like you logging in and out three times.
> >>
> >
> > Should that concern me if I don't think that I had EVER logged out and
> > then back in? This is a one-man box.
>
> If you've ever restarted the computer, then you've logged out.
>
> Let me suggest some further research for you:
> Find on your computer, and learn, everything about logging and LogWatch.
> This command:
> $ ls /usr/share/doc/logwatch*
> will show you what onboard documentation there is for logwatch.  Read those
> files.
> $ man logwatch
> will also be helpful, but probably only the part where it shows you which
> files are used for configuration.
>
> /etc/syslog.conf is the file that controls what the computer logs and where.
> I would study that file.
> $ man syslog.conf
> is a pretty good place to start reading, also.
>
> Useful ways to see exactly what is going on:
> If I want to find out what is causing this:
> session closed for user dotancohen
> then I would make note of the time, then log out, log back in, and, as root:
> # tail /var/log/messages
> You should see something similar to this:
> Jan  2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
> Jan  2 06:01:01 shemp crond(pam_unix)[8219]: session opened for user root by
> (uid=0)
> Of course, I got this from my system, so your output will be different, but
> the point is that you can compare the time you logged out to the time of the
> log entry, and see what a simple logout or restart will generate in the
> logfiles.
>
> Sorry to be so verbose, and also sorry to suggest reading so many boring man
> pages, but I think I've given you a good nudge in the right direction. :)
>

In other words, I should familiarize myself with the NORMAL log
entries, so that I can pick out the abnormal ones. That is good
advice, and that is what I will be doing more often. I only wish that
I had the time to invest in this that it deserves. In any case, I do
have the old logs to refer to, so that I can see that there are no log
entries that look different from those that were before.

Thank you very, very much. I will be reading TFM a good deal this evening.

Dotan Cohen
http://technology-sleuth.com/question/what_is_a_cellphone.html
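Following the advice in this thread (learn what the normal entries look like, then compare a new log against the old ones), here is an added example that is not part of the thread: a small Python script that learns the shape of every entry in an older, known-quiet log and reports the entries in a newer log that match no known shape, roughly what LogWatch's "Unknown Entries" and "Unmatched Entries" sections do. The log lines are constructed for this example in the /var/log/messages format Charles quoted; the hostname shemp is taken from his sample, and the users, PIDs and address are made up.

```python
"""Report syslog entries whose shape was never seen in a baseline log."""
import re

# Constructed baseline from a known-quiet day, in /var/log/messages format:
# "Mon DD HH:MM:SS host prog[pid]: message".
BASELINE_LOG = """\
Jan  1 05:01:01 shemp crond(pam_unix)[7001]: session opened for user root by (uid=0)
Jan  1 05:01:01 shemp crond(pam_unix)[7001]: session closed for user root
Jan  1 09:12:40 shemp kde(pam_unix)[7310]: session opened for user dotancohen by (uid=0)
Jan  1 23:58:10 shemp sshd[822]: Received signal 15; terminating.
Jan  1 23:59:31 shemp sshd[901]: Server listening on 0.0.0.0 port 22.
"""

# Constructed "today" log: the cron sessions are routine, the last two are not.
NEW_LOG = """\
Jan  2 05:01:01 shemp crond(pam_unix)[7970]: session opened for user root by (uid=0)
Jan  2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
Jan  2 06:01:01 shemp crond(pam_unix)[8219]: session opened for user root by (uid=0)
Jan  2 11:40:05 shemp sshd[8420]: Accepted password for dotancohen from 10.0.0.5 port 51234 ssh2
Jan  2 11:41:17 shemp su(pam_unix)[8433]: session opened for user root by dotancohen(uid=500)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def template(line):
    """Reduce a line to its shape: drop timestamp and PID, mask IPs and numbers."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a syslog line; ignored rather than guessed at
    msg = re.sub(r"\d+(?:\.\d+){3}", "<ip>", m.group("msg"))
    msg = re.sub(r"\b\d+\b", "<n>", msg)
    return f"{m.group('prog')}: {msg}"


def unknown_entries(baseline_text, new_text):
    """Return the lines of new_text whose shape never occurs in baseline_text."""
    known = {template(l) for l in baseline_text.splitlines() if l.strip()}
    known.discard(None)
    return [line for line in new_text.splitlines()
            if (t := template(line)) is not None and t not in known]


if __name__ == "__main__":
    for line in unknown_entries(BASELINE_LOG, NEW_LOG):
        print("UNKNOWN:", line)
```

Masking numbers and addresses keeps routine variation (PIDs, times, ports) from producing noise, while a session opened through a different program, or a login that never appeared before, still stands out.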