Hiding certain logged commands

Hello,
I have a question as to how I can hide a certain command from being shown in the logs, such as this one:
Password auth succeeded for 'root' from XXX.XXX.X.XXX:XXXXX
or
accepted login on / for root from XXX.XXX.X.XXX
I have researched around and couldn't find anything to hide specific commands being logged.
Thanks!

1 Like

Is there any particular reason you wish to hide these log entries?

3 Likes

Just wondering so I can prevent this

The logging of login attempts is there for security purposes. It sounds a bit like you are trying to circumvent detection? Is this your intent?

I don't use dropbear, which is the default on OpenWrt. But if you are root you could have a look into the init script and append something like: -w -g to the dropbear command line. It might be that it is parsing a config file (you have to look out for it within the init script).

Besides that, logging root activities has a reason. You want to know what is going on on a system to detect intruders from outside and evil admins from inside.

Unless you're the person who isn't supposed to be logged in and don't want anyone else finding out..

3 Likes

Sure, if you are the only root/admin it does not matter what you are doing on a system. You can do whatever you want and disable/enable any logging. Typical home user or admin in a 10-50 staff company.
If you are in a "bigger" company you usually have several admins. They will insist on logging their activities on a log server and on the server itself. Their clients from where they are acting will log things also. :wink: Besides that, there are a lot of other things you can log on a server/LAN to have either direct proof or indirect proof. E.g., usually you have an iptables rule catching ssh and writing every access to a log. You will get at least the client IP. PAM is usually logging also (direct proof).

IMO it does not make sense to avoid this specific log entry. If you are trying to do evil things either delete the logs completely or "scramble" them to make them useless; if you want to avoid/delay detection. But then you want to have access to all logging facilities.
