HP-UX and rexecd logging
This paper reflects our experience ensuring that users of a BAAN Windows system do not abuse the rexec privileges required on the server.
Most HP-UX system applications that authenticate users log authentication attempts (successful or otherwise); rexecd, however, is an exception. Most people can simply disable rexecd by commenting out its entry in /etc/inetd.conf, thus:
# exec stream tcp nowait root /usr/lbin/rexecd rexecd
You must of course restart inetd (send it a HUP signal with kill -HUP), and kill any running rexecd processes.
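As an added example (not part of the original article), the following POSIX shell function audits an inetd.conf for an uncommented exec entry, so you can confirm that the disabling step actually took effect; the two sample configuration files it writes are constructed for demonstration only.

```shell
#!/bin/sh
# Audit an inetd.conf for an active rexecd entry (added example, not from the
# original article). Usage: rexecd_enabled /etc/inetd.conf
# Returns 0 (true) if an uncommented "exec" service line exists, 1 otherwise,
# and prints any active line it finds so an auditor can see exactly what runs.
rexecd_enabled() {
    conf="$1"
    # Drop comments (including "# exec ..." lines), then keep lines whose
    # first field is the "exec" service; leading whitespace is tolerated.
    active=$(sed -e 's/#.*$//' "$conf" | awk '$1 == "exec" { print }')
    if [ -n "$active" ]; then
        printf 'rexecd is ENABLED in %s:\n%s\n' "$conf" "$active"
        return 0
    fi
    printf 'rexecd is disabled in %s\n' "$conf"
    return 1
}

# Constructed sample configs for demonstration (not real system files).
make_samples() {
    dir=${TMPDIR:-/tmp}/rexecd_audit.$$
    mkdir -p "$dir"
    cat > "$dir/inetd.conf.disabled" <<'EOF'
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
# exec stream tcp nowait root /usr/lbin/rexecd rexecd
EOF
    cat > "$dir/inetd.conf.enabled" <<'EOF'
ftp    stream tcp nowait root /usr/lbin/ftpd    ftpd -l
  exec   stream tcp nowait root /usr/lbin/rexecd rexecd
EOF
    echo "$dir"
}

# Demonstration run over both constructed files; the if-guard keeps the
# expected "disabled" result from aborting a shell running with set -e.
demo_dir=$(make_samples)
if rexecd_enabled "$demo_dir/inetd.conf.disabled"; then :; fi
if rexecd_enabled "$demo_dir/inetd.conf.enabled"; then :; fi
rm -rf "$demo_dir"
```

Point the function at the live /etc/inetd.conf after editing it to verify the exec line is really commented out.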
However if you have to use rexecd, such as when running BAAN Windows, it is possible to log usage.
First, enable inetd logging by adding '-l' to the inetd start-up file. The command 'inetd -l' will enable logging for a running inetd process, so there is no need to stop inetd when making these changes.
Second, get hold of logdaemon from Wietse Venema's site at porcupine.org.
Logdaemon contains many useful utilities; however, some people have had problems compiling them against the HP authentication libraries. Fortunately rexecd is an exception. Once unzipped and untarred, edit the first line of the makefile in the rexecd directory to include command logging. You will have to add an entry for HP-UX to the makefile, as all the existing ones assume you will use the S/Key one-time key mechanism; HP-UX doesn't need any special flags, so copy the existing HP-UX entry that uses S/Key and delete the S/Key references.
The rexecd executable can be built with the HP bundled C compiler. Although it is dynamically linked, and a libutil.a library is also built, that library is not needed if you are not using the S/Key features. The new rexecd can replace the old HP rexecd (do keep the old one, and back up the new one in case a later patch overwrites it).
On busy systems you will now need to ensure any running rexecd processes are killed (kill -TERM) so that new connections use the new binary.
From now on all rexecd commands are written to /var/adm/syslog/syslog, as are failed authentication attempts. Wietse's rexecd also prevents root from using rexec, which is desirable: it stops people who have the root password from bypassing defences like /etc/securetty, and stops rexec being used to guess the root password.
See also 'man ftpd' for logging ftp commands, and 'man ftpusers' for preventing users with the root password from making changes by bypassing /etc/securetty, as well as 'man sh-posix' for information on restricted shells.
This article was written by Simon Waters when he was working for Eighth Layer Limited.