The consensus was that these lines do signify the good and bad attempts
to log in as root. There is a better way, however, of keeping track of
the successful/unsuccessful login attempts as root, and that is to look
at the /var/adm/sialog file (thanks to Martin Mokrejs for pointing this
out to me). If this file does not exist, use "touch /var/adm/sialog"
which creates it, and then this file will keep a more detailed log of
root log in attempts.
Thanks to all those who responded:
Raffaella Carla Raffaella.Carla_at_ing.unitn.it
Craig Farrington farro_at_webfront.net.au
Tolle, Josh josh.tolle_at_rhii.com
Steve Gwynn steve.gwynn_at_mci.com
john john_at_iastate.edu
Martin Mokrejs mmokrejs_at_mail.natur.cuni.cz
Gary Gladney GLADNEY_at_stsci.edu
Regards,
Stephen Spalding
Hi all!
I have a question about a file in the /var/adm/syslog.dated directory,
auth.log. In this file I find lines such as this:
Mar 12 15:18:13 MissouriEmployers su: SU root on /dev/ttyp5
Mar 12 14:55:09 MissouriEmployers su: SU sspaldin on /dev/ttyq7
Mar 12 14:48:51 MissouriEmployers su: SU sspaldin on /dev/ttyq7
Mar 12 14:48:44 MissouriEmployers su: BADSU sspaldin on /dev/ttyq7
Mar 12 14:48:40 MissouriEmployers su: BADSU sspaldin on /dev/ttyq7
To me, this looks like attempts to log in as root and whether or not the
attempts are successful (SU for successful and BADSU for unsuccessful). I
cannot find any documentation verifying this, so that's why I say that is
what it looks like to me. Can I get anyone to verify this for me, or if
this is truly not what I am looking at, then what is it?
The reason why I am asking this is because if these are attempts to log
in as root that I am seeing, I am going to write a script to notify me on
a daily basis of successful/unsuccessful login attempts as root.
Thanks!
Stephen Spalding
sspaldin_at_mem-ins.com
Missouri Employers Mutual Insurance
Received on Mon Mar 16 1998 - 14:30:02 NZST