User's Manual

Solaris 9 Security CX-310-301 25
- Hardware error messages
- Failed su attempts
- User login failures
- System software and application error conditions
- Notification of root logins
Note that successful su attempts, when a user enters the correct password, are NOT recorded in this file.
SU logging
When a user runs the su (substitute user) command to become another user, the attempt is logged by default to the file
/var/adm/sulog. The behavior of this logging is controlled by the file /etc/default/su. The syslog
facility (described next) can also log su attempts, both successful and unsuccessful, via the AUTH facility.
A sample /var/adm/sulog appears below:
# cat /var/adm/sulog
SU 04/12 22:43 + pts/5 john-root
SU 04/12 22:46 + pts/5 john-testuser
SU 04/12 22:47 - pts/5 john-testuser
SU 04/12 22:48 - pts/5 john-root
SU 04/12 22:53 - pts/5 john-testuser
Note that a "+" in column 4 indicates a successful su and a "-" an unsuccessful attempt. When this file contains
many entries, it can be useful to search specifically for the minus sign in that column to identify failed
attempts quickly.
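As an added example (not part of the manual), the search described above written as a small POSIX shell function: it reads sulog records, keeps those with a "-" in column 4, and splits the last field into the originating and target user names. The sample records are the ones shown above, embedded as constructed input; the function names are assumptions, not Solaris commands.

```shell
#!/bin/sh
# Constructed sample of /var/adm/sulog (the records shown above); a real
# file is read instead when its path is given as the first argument.
SAMPLE_SULOG='SU 04/12 22:43 + pts/5 john-root
SU 04/12 22:46 + pts/5 john-testuser
SU 04/12 22:47 - pts/5 john-testuser
SU 04/12 22:48 - pts/5 john-root
SU 04/12 22:53 - pts/5 john-testuser'

# Print one line per failed su attempt (a "-" in column 4) in the form
# "date time tty from->to". Hypothetical helper, not a Solaris command.
failed_su() {
    if [ -n "$1" ]; then input=$(cat "$1"); else input=$SAMPLE_SULOG; fi
    printf '%s\n' "$input" | while read -r tag date time result tty users; do
        [ "$tag" = "SU" ] || continue      # ignore anything that is not an su record
        [ "$result" = "-" ] || continue    # keep failures only
        # The last field is "from-to"; split on the LAST dash so that a
        # dash inside the originating user name does not shift the split.
        from=${users%-*}
        to=${users##*-}
        printf '%s %s %s %s->%s\n' "$date" "$time" "$tty" "$from" "$to"
    done
}

# Count failed attempts to become root, from any user. The "--" keeps
# grep from reading the pattern (which starts with "-") as an option.
failed_root_su_count() {
    failed_su "$1" | grep -c -- '->root$'
}
```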
Syslog
System logging is managed by the syslog facility. The daemon that runs is /usr/sbin/syslogd and it is started
by the startup script /etc/rc2.d/S74syslog, a link to /etc/init.d/syslog.
Messages are categorized by a facility and, within each facility, a priority. The facilities are:
- kern – Messages concerning the kernel
- user – Messages concerning user processes
- mark – Messages concerning timestamp information
- auth – Messages concerning authorization (login, su for example)