Im running red hat 7 and ive tried using some log cleaners to test to see if they work .They compiled fine and I adjusted the paths in the scripts to point to the appropriate files (/var/log/wtmp & /var/log/lastlog) but when for example zap2 ran it said zap but when I checked the wtmp file the logs of my username were still there.
Anyone come across this situation, have red hat beaten these cleaners or are these cleaners only valid for some forms of *nix.
Im fairly sure I used it right!!!
The idea behind, "log cleaners", I think, is ridisulous. This is a UNXI machine, run under permissions. If someone ahs the ability to edit logs for hte sake of removing thier presence, just delete them. Yes, this will cause the sys admin to wonder what happend, but, who cares? If you're there doing something you shouldn't be, you wouldn't have to "clean the logs". Well, back to my original point..
This wouldn't be a "RedHat" specific thing. GNU creates programs that log in utmp, and wtmp, which is read by the progrma "lastlog". Lastlog not being a log itself, only a program to read them.
Anyway.. There are more things to worry about than those, try looking for /usr/adm/log, or /var/log/.. You'll find some interesting things to expose yourself with.
Jason Parker - http://www.o-negative.net
o-Negative: Information Network
Of course you can alway delete the log file, then recreate it as a symbolic link to /dev/null. of course the admin will wonder why the log is always empty, and a simple ls -l will tell you its symbolic link. And if they are set for logrotation, then cron should come along, sweep it up, and make a new log file (right?).
Yep.. which will still trigger a response because the admin will be like, "Where the hell is my log for yesterday?". The best thing to do would be to trojan /bin/login with a hacked version of it so that you can login with a certain username that isn't tracked. If you hack /bin/login's source, then you can even make it so none of your processes show up. You were never there, but, yet again, you were. Very interesting concept..
Jason Parker - http://www.o-negative.net
o-Negative: Information Network
if the administrator uses logrotation AND tjek hi´s logfiles, he would proberly check (or used automated software) the size and crc of the most (or all) of the importent system programs.
Whilst on the topic of cleaning logs etc....has anyone else noticed that clicking the clear disk/memory cache butons in Netscape has no affect at all? Im using Red Hat 7.0
Most properly configured and secured systems will log locally to the usual files and also log through syslog to another secured log system. Thus, even if you clean up the local files, a complete copy will be available for the admin's use on his secured logging system.
cheers
I\'m not a BOT I\'m a beer droid!
Prepare to be Assimilated.
/bin/login trojan!
