Internet Security Professional Reference:Audit Trails


sendmail Logs

The sendmail program performs its logging with syslog. Messages generated by sendmail are labeled with the facility “mail” and the severity levels “debug” through “crit,” depending on the severity of the message generated. All messages generated by the program include the sendmail program name within the message text.

sendmail has a command-line option (-L), which specifies the lowest severity level that will cause it to log. Higher values of the -L option cause more information to be logged. An -L value of 0 means no logging will occur.

sendmail logs provide important clues to the administrator when intruders are attempting to exploit bugs from the SMTP port.

UUCP Logs

The UUCP utilities store information in various log files, depending on the version of UUCP being used. On BSD-based Unix platforms, a file called LOGFILE contains information regarding UUCP usage. This file is updated both by local UUCP activity and by actions initiated by remote sites. Information in this file consists of calls attempted or received, requests attempted, by whom, at what time, and from what host.

The UUCP log file syslog (not to be confused with the message-handling utility) contains information regarding file transfer statistics. The file shows the byte count of each UUCP transaction, the username and site requesting the file, the time and date of the transaction, and the time needed to complete the transfer.

The ERRLOG file contains any errors that occur during UUCP operation.

Today, most intruders don’t utilize UUCP in their activities, because many hosts either don’t use it, or don’t have it installed. If UUCP is in use, however, logs should be audited for suspicious activity, because files can be compromised from a remote site using UUCP.

LPD Logs

The lpd-errs file represents one of the most common logs dealing with printers. This file is usually designated as /var/adm/lpd-errs in the syslog.conf file. In most instances, the information this file has to offer is not of any use in tracking security incidents. Given the recent discovery of lpd-related bugs, however, any number of odd errors might turn up as a result of an intruder attempting to exploit a bug. Further, any entries that occur on systems that don’t even use the line printer daemon are certainly worth investigating.

The following is sample data from an lpd-errs file:

Feb 19 17:14:31 host1 lpd[208]: lp0: output filter died (26)
Feb 19 17:14:31 host1 lpd[208]: restarting lp0
Feb 19 17:17:08 host1 lpd[311]: lp0: output filter died (0)
Feb 19 17:17:08 host1 lpd[311]: restarting lp0
Feb 19 17:31:48 host1 lpd[524]: lp0: unknown mode -cs
Feb 19 17:33:12 host1 lpd[523]: exiting
Feb 19 17:33:24 host1 lpd[541]: lp0: unknown mode -cs8
Feb 19 17:34:02 host1 lpd[540]: exiting
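
The lines above are mostly routine printer trouble, but the "unknown mode" entries are the kind of oddity the text says to look at. The following is an added example, not code from the book: a small sh/awk filter that reads an lpd-errs file in the syslog format shown, passes over the messages a working printer produces anyway, and prints everything else, plus any lpd entry from a host that is not supposed to be running the daemon at all. The host list and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): scan an lpd-errs style log for
# entries worth a second look.  Assumes the BSD syslog line layout shown
# in the text: "Mon DD HH:MM:SS host lpd[pid]: message".

# Hosts that are expected to run lpd; any other host logging lpd
# activity is flagged.  (Constructed list for this example.)
LPD_HOSTS="host1 printserv"

# lpd_flag LOGFILE -> prints one line per suspicious entry, in the form
#   REASON<TAB>original line
lpd_flag() {
    awk -v hosts="$LPD_HOSTS" '
        BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) ok[h[i]] = 1 }
        $5 ~ /^lpd\[[0-9]+\]:$/ {
            host = $4
            # message text starts after the "lpd[pid]:" token
            msg = $0; sub(/^.*lpd\[[0-9]+\]: */, "", msg)
            if (!(host in ok)) { print "unexpected-host\t" $0; next }
            # routine messages seen during ordinary printer trouble
            if (msg ~ /^lp[0-9]+: output filter died \([0-9]+\)$/) next
            if (msg ~ /^restarting lp[0-9]+$/) next
            if (msg == "exiting") next
            # anything else, e.g. "unknown mode" from odd option strings
            print "unusual-message\t" $0
        }
    ' "$1"
}

# lpd_flag_count LOGFILE -> number of suspicious entries
lpd_flag_count() {
    lpd_flag "$1" | wc -l | tr -d ' '
}

# Constructed sample: lines from the book plus one entry from a host
# (dbhost) that has no business running lpd.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Feb 19 17:14:31 host1 lpd[208]: lp0: output filter died (26)
Feb 19 17:14:31 host1 lpd[208]: restarting lp0
Feb 19 17:31:48 host1 lpd[524]: lp0: unknown mode -cs
Feb 19 17:33:12 host1 lpd[523]: exiting
Feb 19 17:33:24 host1 lpd[541]: lp0: unknown mode -cs8
Feb 19 18:02:07 dbhost lpd[77]: restarting lp0
EOF

lpd_flag "$sample"
rm -f "$sample"
```

Run against the sample, the two "unknown mode" lines come out tagged unusual-message and the dbhost line comes out tagged unexpected-host; the three routine lines are dropped. Extending the known-benign patterns is the tuning work for a given site.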

ftp Logs

Most current versions of the ftp daemon, ftpd, can be set to log incoming connections. ftpd uses syslog to handle the messages it generates.

Logging is activated by executing ftpd with the -l option. The line that invokes ftpd in the inetd.conf file should read as follows:

ftp   stream  tcp  nowait  root   /etc/ftpd   ftpd -l

The syslog.conf should also be edited to add the following:

daemon.info          ftplogfile
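
As an added example (not from the book), here is a check that both settings described above are actually in place, which is the sort of thing to run after editing the files or when reviewing a host. It assumes the classic inetd.conf and syslog.conf layouts shown in the text and takes the file paths as parameters so it can be pointed at copies. The sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): confirm that ftpd is started with -l
# and that syslog routes daemon.info somewhere.  Paths are parameters.

# ftpd_log_flag INETD_CONF -> 0 if the active ftp service line runs ftpd -l
ftpd_log_flag() {
    awk '
        /^[ \t]*#/ { next }                 # skip comments
        $1 == "ftp" && $2 == "stream" {     # the ftp service entry
            for (i = 7; i <= NF; i++) if ($i == "-l") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# syslog_daemon_info SYSLOG_CONF -> 0 if daemon.info (or a broader selector
# such as daemon.* or *.debug, which also captures it) has an action
syslog_daemon_info() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        {
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                split(sel[i], fp, ".")
                if ((fp[1] == "daemon" || fp[1] == "*") &&
                    (fp[2] == "info" || fp[2] == "*" || fp[2] == "debug"))
                    found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# ftp_logging_missing INETD_CONF SYSLOG_CONF -> prints the number of
# missing settings (0 means ftp logging is fully configured)
ftp_logging_missing() {
    missing=0
    ftpd_log_flag "$1" || {
        echo "inetd.conf: ftp entry does not pass -l to ftpd" >&2
        missing=$((missing + 1))
    }
    syslog_daemon_info "$2" || {
        echo "syslog.conf: no rule captures daemon.info" >&2
        missing=$((missing + 1))
    }
    echo "$missing"
}

# Constructed demo: a weak pair of files beside a corrected pair.
demo=$(mktemp -d)
printf 'ftp   stream  tcp  nowait  root   /etc/ftpd   ftpd\n'    > "$demo/inetd.weak"
printf 'ftp   stream  tcp  nowait  root   /etc/ftpd   ftpd -l\n' > "$demo/inetd.ok"
printf 'mail.info            /var/log/maillog\n'                  > "$demo/syslog.weak"
printf 'daemon.info          /var/log/ftplogfile\n'               > "$demo/syslog.ok"
echo "weak pair: $(ftp_logging_missing "$demo/inetd.weak" "$demo/syslog.weak") setting(s) missing"
echo "fixed pair: $(ftp_logging_missing "$demo/inetd.ok" "$demo/syslog.ok") setting(s) missing"
rm -rf "$demo"
```

The syslog check deliberately accepts daemon.* and *.debug as well as daemon.info, since a syslog selector catches its level and everything above it; a rule for daemon.notice alone would not be enough and is correctly reported as missing.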

HTTPD Logs

With the emergence of the World Wide Web as one of the dominating Internet services, almost every domain has set up a WWW server to advertise, inform, and entertain Internet users. HTTPD servers can log every Web access and also report errors generated during normal operation. Many administrators keep these logs to generate demographic usage reports—what hosts access the server most often, what pages are the most popular, and so on.

Two separate files are typically generated—one containing errors and the other containing the accesses. The filenames for these log files are set in the httpd.conf file.

History Logs

One of the most overlooked logs kept under Unix is the shell history log. This file keeps a record of recent commands entered by the user. Both the C shell and the Korn shell support the command history feature.

An environment variable determines the number of command lines retained. Under the C shell, the variable is $history; under the Korn shell, the variable is $HISTSIZE. The commands are stored in a file under the user’s home directory. Under the C shell, the file is called .history. Under the Korn shell, the file is called .sh_history by default but can be changed with the $HISTFILE environment variable.

The history command displays the contents of the history logs in chronological order, with preceding numbers. Using the history command with an -h option causes the contents to be displayed without the preceding numbers.

Many intruders forget to erase their shell histories upon initial access to a new system. Even after they edit other logs and replace utilities, every command they have entered remains clearly visible in the history file of the account with which they initially gained access.
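
The flip side of that observation is that an intruder who does remember will empty the file or point it at /dev/null, and a history that is missing or empty on an account that is clearly in use is itself a finding. The script below is an added example, not code from the book: it walks a set of home directories and reports, for each of the default csh and ksh history file names given above, whether the file is absent, a symlink to /dev/null, empty, or present with a line count. The home directories and their contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): audit shell history files under a set
# of home directories.  Assumes the csh and ksh default file names from
# the text; a user who moved ksh history via $HISTFILE would show "absent".

# Candidate history files per home directory (csh default, ksh default).
HIST_NAMES=".history .sh_history"

# audit_history HOMEDIR -> prints "STATUS<TAB>path" for each candidate file
#   absent     : no file of that name
#   devnull    : symlink to /dev/null (history deliberately discarded)
#   empty      : file exists but holds no commands
#   present N  : N lines of command history
audit_history() {
    home=$1
    for name in $HIST_NAMES; do
        f="$home/$name"
        if [ -L "$f" ] && [ "$(readlink "$f")" = "/dev/null" ]; then
            printf 'devnull\t%s\n' "$f"
        elif [ ! -e "$f" ]; then
            printf 'absent\t%s\n' "$f"
        elif [ ! -s "$f" ]; then
            printf 'empty\t%s\n' "$f"
        else
            printf 'present %s\t%s\n' "$(wc -l < "$f" | tr -d ' ')" "$f"
        fi
    done
}

# history_status HOMEDIR NAME -> just the status for one file, for scripting
history_status() {
    audit_history "$1" | awk -F'\t' -v want="$1/$2" '$2 == want { print $1 }'
}

# Constructed demo: three fake home directories under a temp dir.
base=$(mktemp -d)
mkdir -p "$base/alice" "$base/bob" "$base/mallory"
printf 'ls\ncd /tmp\nmake\n' > "$base/alice/.history"   # ordinary csh user
: > "$base/bob/.sh_history"                              # ksh user, empty file
ln -s /dev/null "$base/mallory/.history"                 # history discarded

for user in alice bob mallory; do
    audit_history "$base/$user"
done
rm -rf "$base"
```

In practice the loop runs over the home directories from the password file, and the devnull and empty results are cross-checked against last-login and process accounting records: an account that has been logged in but has no history is the one to read more closely.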

Process Accounting

In the past, process accounting was an important part of managing computing resources. When users were billed solely on the actual amount of CPU time they used, computer centers could not have functioned properly without mechanisms in place that kept track of each command entered.

Today, many systems do not use process accounting; most Unix platforms disable it by default. When it is enabled, however, the process accounting logs often can help administrators locate any intruders that might have gained access to the system.

Enabling Process Accounting

Process accounting is turned on at startup by using the accton command in the following format: accton logfilename. The log file is usually /var/adm/acct or /var/adm/pacct.


Note: Executing accton without a file-name parameter turns off process accounting.

Because process accounting immediately begins recording a great deal of information when enabled, the administrator must make sure that plenty of free disk space is available on the file system storing the process accounting log.

Many administrators review and purge their process accounting logs regularly because of the rapid speed with which the accounting file grows. Some even have cron jobs configured to handle rotating the process accounting files.
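
The following is an added example of such a cron job, not a script from the book. It rotates the accounting file while accounting stays switched on, and it refuses to rotate at all when the file system holding the log has less free space than a configurable minimum, which addresses the disk-space concern raised above. It assumes the accton usage described in the text (accton FILE starts accounting against FILE) and that it is run as root; the ACCTON variable exists so the logic can be exercised without root by substituting a no-op, which is what the demonstration at the bottom does with constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the book): rotate a process accounting file and
# keep a few old generations, skipping the rotation when disk space is low.
# Assumes accton as described in the text.  Run as root from cron, e.g.
#   0 2 * * * /usr/local/sbin/rotate_pacct.sh
# For a dry run outside root, set ACCTON=: (the shell no-op).

ACCTON=${ACCTON:-accton}
MIN_FREE_KB=${MIN_FREE_KB:-10240}   # refuse to rotate below this much free space

# free_kb DIR -> kilobytes available on the file system holding DIR
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# rotate_pacct FILE KEEP -> FILE becomes FILE.1, FILE.1 becomes FILE.2, ...
# up to FILE.KEEP; returns 1 without touching anything when space is low.
rotate_pacct() {
    file=$1; keep=$2
    dir=$(dirname "$file")
    free=$(free_kb "$dir")
    if [ "${free:-0}" -lt "$MIN_FREE_KB" ]; then
        echo "rotate_pacct: only ${free:-0}K free on $dir, not rotating" >&2
        return 1
    fi
    # shift old generations up, oldest first, so nothing is overwritten early
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        [ -f "$file.$prev" ] && mv "$file.$prev" "$file.$i"
        i=$prev
    done
    # switch the kernel to a fresh file first, then move the full one aside;
    # accounting continues into the new inode regardless of its name
    : > "$file.new"
    chmod 600 "$file.new"
    $ACCTON "$file.new" || return 1
    [ -f "$file" ] && mv "$file" "$file.1"
    mv "$file.new" "$file"
    return 0
}

# Constructed demo in a temp dir with accton replaced by the shell no-op.
demo=$(mktemp -d)
printf 'old records\n' > "$demo/pacct"
( ACCTON=: ; rotate_pacct "$demo/pacct" 3 )
ls -l "$demo"      # pacct (fresh, empty) and pacct.1 (the old records)
rm -rf "$demo"
```

The order matters: starting accounting on the new file before renaming the old one means no exiting process goes unrecorded during the switch, and the 600 mode on the fresh file keeps the record of who ran what from being world-readable.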
