topic Re: syslog su messages in Operating System - HP-UX

syslog su messages

Devesh Pant_1 — Sun, 19 Jun 2005 00:40:58 GMT

I am seeing the following messages in my syslog and the syslogs are getting filled with these.
I know that using the syslog parser. I can prune it and I also have other means of extracting the relevant data from the syslog or stat logging su to a separate log file. But I want to understand why am I seeing these root is definitely not su ing to Oracle account. can this be from the Oracle OEM product? or the RAC? Any inputs will be valuable..
Thanks in advance.
Devesh
-------------------------------------
Jun 16 13:15:08 radprod su: + tty?? root-oracle
Jun 16 13:16:06 radprod above message repeats 37 times
Jun 16 13:16:08 radprod su: + tty?? root-oracle
Jun 16 13:35:17 radprod su: + tty?? root-oracle
Jun 16 13:36:06 radprod above message repeats 39 times
Jun 16 13:36:18 radprod su: + tty?? root-oracle
Jun 16 13:55:26 radprod su: + tty?? root-oracle
Jun 16 13:56:06 radprod above message repeats 39 times

Re: syslog su messages

Sudeesh — Sun, 19 Jun 2005 00:54:42 GMT

Hi,
There is a good chance these su attempts are from a cron job as they are repeated every 20m Min. Check your scripts in cron and there logs (cron logs) for clarification.

In case a user is doing this (which I dont really think of!) you need to match the output of last command and syslog by time.

Hope this helps

Sudeesh

Re: syslog su messages

Steven E. Protter — Sun, 19 Jun 2005 01:09:21 GMT

Thats root su - to oracle.

most likely thats programmed into your cron log. At my last job we used that to fire up oracle reports and such.

SEP

Re: syslog su messages

Bill Hassell — Sun, 19 Jun 2005 22:21:46 GMT

sulog tracks everything su does. The majority may not be from a user login but from special scripts, in cron or created by your database admins. If you are the administrator for this system, I would make it point to identify all scripts with this su. Apparently, the scripts are run by root (bad idea) and have the su inside the script.

Re: syslog su messages

Devesh Pant_1 — Sun, 19 Jun 2005 22:53:52 GMT

Well I am the admin of the system and there is nothing in roots cron that is su ing to oracle. I am not sure how and why Oracle cron would assume anything as root. I am going to aske the Oracle DBA on the server but it is so puzzling not to be able to figure out why root is su ing to oracle is shown

Re: syslog su messages

Andrew Cowan — Mon, 20 Jun 2005 01:34:25 GMT

Rather than prune/process you syslog file, why not amend your syslog.conf to send auth messages to a separate file. This would make monitoring much easier.

Re: syslog su messages

Kurt Boyack — Fri, 28 Oct 2005 15:53:16 GMT

Did you ever figure out where these were coming from? I just discovered this myself and do not know what is causing them. Every Oracle database server that I have looked at does this regularly.

Re: syslog su messages

Sandman! — Fri, 28 Oct 2005 17:15:07 GMT

Devesh,

We have similar logins at my site. I traced them a while back to the MC/SG installation. If you have MC/SG on your servers then that's a good starting point to look for those su logins. Especially the pkg control script which startups the HA applications.

The MC/SG pkg control script runs as root and is responsible for su'ing to the app id and either starting up or shutting down the associated application, one of them being Oracle...or...

You can simply search files for the "su -" pattern.

# find / -type f -exec grep -il "su -" {} \;

hope it helps!!!

Re: syslog su messages

Kurt Boyack — Fri, 28 Oct 2005 17:37:47 GMT

We're not running ServiceGuard. I think the messages have something to do with backups.

Re: syslog su messages

Sandman! — Mon, 31 Oct 2005 14:14:36 GMT

For Kurt:

Search for files owned by root that contain the su string...

# find / -type f -user root -exec grep -il "su -" {} \;

Re: syslog su messages

Kurt Boyack — Mon, 31 Oct 2005 18:09:44 GMT

It our case it turned out to be NetBackup running Oracle backup scripts.