# [TEMPORARY SOLVED] Logwatch & SU- Problem

## Anquietas

Hello,

I have a problem that, as far as I know, seems to be specific to the Gentoo distro only. It's about LogWatch... the problem is that, when I receive the everyday logs in my mail account, in the "Authentications" section it says: Session Opened: root -> root. This is wrong, I want to see the user that is su'ing. At Authentication Failures it says correctly: admin(1001) -> root: 7 Time(s) .... that's ok, but the Opened Session has a problem. Please advise.

```
 su:
    Authentication Failures:
       admin(1001) -> root: 7 Time(s)               //here is correct !
       zeppy(1005) -> root: 1 Time(s)               // same here
    Sessions Opened:
       root -> root: 5 Time(s)                      // Here is wrong ! it should say "admin" or "zeppy" -> root

 sudo:
    Sessions Opened:
       root -> root: 5 Time(s)                      // here wrong too !
    Unknown Entries:
       auth could not identify password for [zeppy]: 2 Time(s)
       conversation failed: 2 Time(s)
```

I've also checked the logs. They're ok:

```
Oct  3 12:21:11 infosky su[21667]: Successful su for root by admin
Oct  3 12:21:11 infosky su[21667]: + pts/0 admin:root
Oct  3 12:21:11 infosky su[21667]: pam_unix(su:session): session opened for user root by admin(uid=1001)
```

Last edited by Anquietas on Wed Oct 29, 2008 11:08 pm; edited 1 time in total

----------

## Anquietas

well, anyone ? a suggestion... if you do not know, please write here "Unknown" so I don't follow this topic any longer.

----------

## Anquietas

well, if no one has bothered to investigate this problem, please feel free to lock this topic, as nobody cares...

----------

## desultory

 *Anquietas wrote:*   

> well,

 I have been worse.

 *Anquietas wrote:*   

> if no one has bothered to investigate this problem,

 Including you?

 *Anquietas wrote:*   

> please feel free to lock this topic,

 That feeling comes with the ability.

 *Anquietas wrote:*   

> as nobody cares...

 Including you?

Having taken a few minutes to check the source and review the appropriate documentation, a few minutes in total including writing this post, it seems getpwuid() is getting confused for some reason.

----------

## Anquietas

I understand that, and excuse me if I was too cocky, but my other admins are confused and my boss does not like it at all, every day he stresses me... and I'm not a developer... I only know very basic C programming, that's why I asked for YOUR help, the help of the real developers, I suppose you know 100 times more about Gentoo developing than I do...

Can you fix that problem ?...

----------

## bunder

don't you get a section like this in your logwatch?

 *Quote:*   

> --------------------- Connections (secure-log) Begin ------------------------ 
> 
>  Users performing Su Changes:
> 
>      chris:
> ...

 

usually comes a little after the su/sshd log.

cheers

----------

## Anquietas

nope.

```
--------------------- pam_unix Begin ------------------------ 

 sshd:
    Sessions Opened:
       tig3r_3d: 5 Time(s)
       admin: 4 Time(s)

 su:
    Sessions Opened:
       root -> root: 4 Time(s)                 // here is the problem.. who sued ? admin, or tig3r ?...

 ---------------------- pam_unix End ------------------------- 

 --------------------- SSHD Begin ------------------------ 

 Didn't receive an ident from these IPs:
    212.15.114.102: 1 Time(s)
    61.185.123.141: 1 Time(s)

 Users logging in through sshd:
    admin:
       192.168.0.2 (Mainframe): 2 times
       192.168.0.3 (Terminal): 2 times
    tig3r_3d:
       193.226.19.115 (labgate.science.upm.ro): 3 times
       193.226.20.81 (gw1.upm.ro): 2 times

 SFTP subsystem requests: 4 Time(s)

 ---------------------- SSHD End ------------------------- 
```

----------

## desultory

To help avoid chasing the wrong problem, what version are you using?

----------

## Anquietas

sys-apps/logwatch-7.3.2

----------

## bunder

oddly enough, so am i.

----------

## Anquietas

yea, ... well, I hope somebody resolves this... a developer or someone with programming skills, I suppose it's something in the source code that gets misread.... or syslog-ng does not log correctly, but I doubt it...

----------

## bunder

syslog-ng?  i'm using sysklogd.  i wonder if that could have any difference.

----------

## Anquietas

hell knows.... do you have that problem ? or everything is working perfectly to you ? (I mean the logwatch su system)

----------

## Anquietas

I ask you again... what is the damn problem with Logwatch & su ?

Has nobody with more experience in C tried to solve this ?... or someone, please, it's very important !

I've started 2 topics on this problem, not a single solution...

I nicely ask a developer to "emerge logwatch", and do a couple of testings on this problem, there must be something wrong here for god's sake...

```
sshd:
    Sessions Opened:
       tig3r_3d: 2 Time(s)
       admin: 1 Time(s)

 su:
    Sessions Opened:
       root -> root: 5 Time(s)
```

Who the hell has Sued ?! admin or tig3r_3d ?...

Will someone please solve this problem, I'm going nuts already !

I tried explaining nicely, I tried nicely to present my problem,... but it goes like this for over a month now... My Server is in production, I must know the users that are su-ing.

If it is a bug, then please Mask this Package and recommend another...

----------

## Anquietas

well, anyone, a solution, something ?!?!?!?

----------

## VinzC

Do you expect Linux to give you the name of the person behind the userid that ran su? It looks like only root has used su to... be root! I don't know your case exactly but this is what to guess from the log. Isn't that what happened?

----------

## Stupendoussteve

Does someone have local access to the machine?

Otherwise they would have had to log in through ssh as root anyway. However, there are 5 su's and only 3 ssh logins, which also looks like there is someone coming on locally as root and running su.

----------

## Stupendoussteve

Have you put in a bug report? It may get you some attention from those developers you speak of.

https://bugs.gentoo.org/buglist.cgi?quicksearch=logwatch

----------

## Anquietas

no, that's not the case.

Root cannot log in directly on SSH, only local users are able to log in, and some of them are granted Wheel group access, to be able to su-

Probably one user from there sued more than 1 time, that's why there are 5 sues and only 3 ssh logins.

And Yes, I expect Logwatch to tell me which user(uid) has sued.

----------

## VinzC

How can you tell nobody can log on/has logged on interactively from the console?

----------

## Anquietas

I don't understand your question... please reformulate...

If you are referring to who is logging in, the box is a production server, and only SSH logins are allowed, TTY logins are very rare...

And the RootLogin Option in SSHd is Disabled.

Only the Linux Users can log in, and some of them are in the Wheel Group for SU-ing

----------

## VinzC

A su event:

```
Oct 27 20:00:48 athena su[25387]: Successful su for root by myself
Oct 27 20:00:48 athena su[25387]: + pts/1 myself:root
Oct 27 20:00:48 athena su[25387]: pam_unix(su:session): session opened for user root by (uid=1000)
```

Try this to be sure:

```
egrep 'su\[[[:digit:]]+\]' /var/log/messages
```

Then you'll know who issued su.

----------

## timeBandit

Merged a half-dozen posts above, starting from here: *Anquietas wrote:*   

> I ask you again... what is the the damn problem with Logwatch & su ?
> 
> ...
> 
> If it is a bug, then please Mask this Package and recommend another...

 I can't say, but a probable answer based on what I've read above is, "logwatch is misconfigured." If not, bugs should be reported on Bugzilla, not here. In either case, a minor bug would not warrant masking an otherwise stable package.

 *Quote:*   

> I've started 2 topics on this problem, not a single solution...

 One problem, one topic, N solutions, where N >= 0. Please stop cross-posting, you were warned once before. If you haven't done so, now would be a good time to review the forum Guidelines: *Guidelines wrote:*   

> 12. Cross posting - Please do not post the same question to multiple forums. Cross posting clutters up the forums and makes things like searching harder for other users. If you feel your question could fit in multiple forums, please pick the best one and post there. Please do not post about the same subject multiple times.  One thread is sufficient.

 If a topic you feel is important is not garnering any responses, it's acceptable to bump the thread at most once every 24 hours.

----------

## Anquietas

ok, I'm sorry I didn't follow the rules. I will be more careful, I promise.

----------

## Anquietas

Well, I found a way around the problem... I've got angry and I resolved it myself...

I modified the pam_unix file of Logwatch and it works:

Steps to follow:

1. Open:

```
/usr/share/logwatch/scripts/services/pam_unix
```

2. Modify these lines:

FROM THIS:

```perl
         $byid =~ s/\(uid=(\d+)\)/$1/;
         my $onam = getpwuid($byid) or $byid;
         $data{$service}{'Sessions Opened'}{"$onam -> $nam"}++;
```

TO THIS:

```perl
         $byid =~ s/\(uid=(\d+)\)/($1)/;
         my $onam = getpwuid($byid) or $byid;
         $data{$service}{'Sessions Opened'}{"$byid -> $nam"}++;
```

3. Test it: log in and su- once with a wrong password and once with the correct password, and then run the Logwatch Perl mail generator script (you can find it in /etc/cron.daily/00_logwatch* or something like this).

It's a temporary measure, I hope a new version will fix this for good...

But for now, I'm glad I found this solution, one more problem off of my head

----------
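As an added example, not code from the thread or from logwatch itself, the following Python script reconstructs the "Sessions Opened" summary from pam_unix lines of the two shapes shown in this thread ("by admin(uid=1001)" and "by (uid=1000)"), so that the originating user is reported by name rather than as "root -> root". It also models the original Perl logic from the post above under one assumption (labelled in the code): if `$byid` holds the whole token `admin(uid=1001)`, the substitution leaves `admin1001`, which Perl numifies to 0, so `getpwuid()` resolves to root. The log lines and the uid-to-name table (a stand-in for `getpwuid()`) are constructed for the example.

```python
"""Who ran su? Reconstruct logwatch-style 'Sessions Opened' counts from pam_unix lines.

Added example, not logwatch's code. The UID table stands in for getpwuid() and
the log lines are constructed from the formats quoted in the thread.
"""
import re
from collections import Counter

# Constructed stand-in for the password database (what getpwuid() would return).
UID_TO_NAME = {0: "root", 1000: "myself", 1001: "admin", 1005: "zeppy"}

# pam_unix "session opened" line, any PAM service. The "by" field is either
# "name(uid=N)" or just "(uid=N)" (name left empty), as seen in the thread.
SESSION_RE = re.compile(
    r"pam_unix\((?P<service>[\w-]+):session\): session opened for user "
    r"(?P<target>\S+) by (?P<byname>[^\s(]*)(?:\(uid=(?P<uid>\d+)\))?"
)

# Constructed sample input, in the formats quoted in the thread.
SAMPLE_LOG = [
    "Oct  3 12:21:11 infosky su[21667]: Successful su for root by admin",
    "Oct  3 12:21:11 infosky su[21667]: + pts/0 admin:root",
    "Oct  3 12:21:11 infosky su[21667]: pam_unix(su:session): session opened for user root by admin(uid=1001)",
    "Oct  3 12:25:02 infosky su[21702]: pam_unix(su:session): session opened for user root by zeppy(uid=1005)",
    "Oct  3 12:30:40 infosky su[21750]: pam_unix(su:session): session opened for user root by admin(uid=1001)",
    "Oct 27 20:00:48 athena su[25387]: pam_unix(su:session): session opened for user root by (uid=1000)",
]


def originating_user(byname, uid, uid_to_name=UID_TO_NAME):
    """Prefer the name PAM logged; otherwise resolve the uid; never silently fall back to root."""
    if byname:
        return byname
    if uid is not None:
        return uid_to_name.get(int(uid), f"uid={uid}")
    return "unknown"


def summarise(lines, uid_to_name=UID_TO_NAME):
    """Return {service: Counter('origin -> target')}, like logwatch's 'Sessions Opened'."""
    data = {}
    for line in lines:
        m = SESSION_RE.search(line)
        if not m:
            continue  # not a session-open line (e.g. "Successful su for ...")
        who = originating_user(m["byname"], m["uid"], uid_to_name)
        data.setdefault(m["service"], Counter())[f"{who} -> {m['target']}"] += 1
    return data


def format_report(data):
    """Render the counters in logwatch's indented 'N Time(s)' layout."""
    out = []
    for service, counts in sorted(data.items()):
        out.append(f" {service}:")
        out.append("    Sessions Opened:")
        for key, n in sorted(counts.items()):
            out.append(f"       {key}: {n} Time(s)")
    return "\n".join(out)


def perl_numify(s):
    """Mimic Perl's string-to-number rule: leading numeric prefix, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def original_logwatch_origin(byid, uid_to_name=UID_TO_NAME):
    """Model of the original Perl: s/\\(uid=(\\d+)\\)/$1/ then getpwuid($byid).

    Assumption (not confirmed by the thread): $byid holds the whole token
    'admin(uid=1001)'. Then the substitution yields 'admin1001', which numifies
    to 0, and getpwuid(0) is root: the 'root -> root' symptom.
    """
    stripped = re.sub(r"\(uid=(\d+)\)", r"\1", byid)
    return uid_to_name.get(perl_numify(stripped), stripped)


if __name__ == "__main__":
    print(format_report(summarise(SAMPLE_LOG)))
    print("original logic on 'admin(uid=1001)':", original_logwatch_origin("admin(uid=1001)"))
```

Running it prints the su section with `admin -> root: 2 Time(s)`, `myself -> root: 1 Time(s)` and `zeppy -> root: 1 Time(s)`, and shows the modelled original logic collapsing `admin(uid=1001)` to `root`. For a real box, replace the constructed table with `pwd.getpwuid` and feed the script `/var/log/messages` (or whatever syslog-ng writes su events to); the "Successful su for X by Y" and "+ pts/N user:root" lines remain the independent cross-check for the same events.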

