https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253158#M331763 Shalom,<BR /><BR />We are under SOX and still allowed to login under root. Hmmm.<BR /><BR /><A href="http://www.hpux.ws/?p=19" target="_blank">http://www.hpux.ws/?p=19</A><BR /><BR />That can create key exchange only root access system to system and comply with your auditors interpretation of SOX<BR /><BR />SEP Mon, 18 Aug 2008 14:45:18 GMT Steven E. Protter 2008-08-18T14:45:18Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253146#M331751 Because of SOX, we are no longer able to login as user root. However, the other sys admin and I login as our usernames and then su to the root account to perform most of our work. We use a SSH terminal session to login. Is there a way to prevent the root account from logging in this manner. I wouls like to give a screenshot to the suditors to prove we are no longer logging in with the root account. They say it is okay that we su to the account. Also am looking in to the logs from user sessions and when I su to root, it logs a login, so I am not sure how to prove that we are no longer loggin in. Fri, 15 Aug 2008 13:28:11 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253146#M331751 Michael G Jaynes 2008-08-15T13:28:11Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253147#M331752 Hi,<BR /><BR />Install SUDO software and configure the super user access to various accounts on sudo configuration file using "visudo".<BR /><BR />Thanks,<BR />Aneesh<BR /><BR /><BR /> Fri, 15 Aug 2008 13:41:12 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253147#M331752 Aneesh Mohan 2008-08-15T13:41:12Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253148#M331753 In /var/adm/syslog/syslog.log you can see who is switching users. For example, when I su to root I get an entry like this:<BR /><BR />Aug 15 10:29:07 freddub su: + tZ matt-root<BR /><BR />That shows that user "matt" is switching to "root," and not logging in directly. Fri, 15 Aug 2008 13:41:23 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253148#M331753 candlejack 2008-08-15T13:41:23Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253149#M331754 Hi Michal<BR />Check the su log the path is /var/adm/sulog<BR />also check user history file which will be in his /home directory.<BR /><BR />Regards<BR />Atul Fri, 15 Aug 2008 14:10:55 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253149#M331754 Prashanth Waugh 2008-08-15T14:10:55Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253150#M331755 Hi ,<BR /><BR />Check the /var/adm/wtmp and /var/adm/utmp<BR />for user logs<BR /><BR />Reagrds<BR />Atul<BR /> Fri, 15 Aug 2008 14:15:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253150#M331755 Prashanth Waugh 2008-08-15T14:15:38Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253151#M331756 Try using sudo for all sysadmin tasks for which you require root level priviledges.<BR /><BR />Stopping root loggin whenever you switch to root id is not a good idea keeping security of box in mind.<BR /><BR />sudo is freely available and easy to configure ...<BR /><BR />regds...DK Sat, 16 Aug 2008 00:32:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253151#M331756 Deepak Kr 2008-08-16T00:32:32Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253152#M331757 I think everyone has missed the point so far.<BR /><BR />To disallow root from connecting via ssh you need to modify the sshd_config file and set the option 'PermitRootLogin' to NO'.<BR /><BR />Information available here:<BR /><A href="http://docs.hp.com/en/5992-4213/apas02.html#v1229989" target="_blank">http://docs.hp.com/en/5992-4213/apas02.html#v1229989</A><BR /><BR />(Search for PermitRootLogin. There is also a sample sshd_config file at the bottom of the page.)<BR /> Sat, 16 Aug 2008 02:42:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253152#M331757 Patrick Wallek 2008-08-16T02:42:29Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253153#M331758 Patricks hit the nail on the head.<BR /><BR />In my last role we had to implement the same thing for SOX, you might well find that an auditor will come to keep you company while you run through a set of tasks for them.<BR /><BR />We also had to run a script they gave us which checked system security. <BR /><BR />At least that was the case the last 3 audits i had to deal with. Sat, 16 Aug 2008 10:24:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253153#M331758 George_Dodds 2008-08-16T10:24:18Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253154#M331759 Thanks Patrick. That is exactly what I was looking for. Mon, 18 Aug 2008 14:18:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253154#M331759 Michael G Jaynes 2008-08-18T14:18:38Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253155#M331760 However I do not have that file at the path specified. I have 4 of them. Is the path different if I am on HP-UX 11.23? Mon, 18 Aug 2008 14:31:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253155#M331760 Michael G Jaynes 2008-08-18T14:31:18Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253156#M331761 My sshd_config file is in /etc/opt/ssh.<BR /><BR />Note that there is an sshd_config and an ssh_config (without the 'd').<BR /><BR />Details on each are available in the man pages (man ssh_config ; man sshd_config). In a nutshell ssh_config is the client config. sshd_config is the ssh daemon config file. Mon, 18 Aug 2008 14:36:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253156#M331761 Patrick Wallek 2008-08-18T14:36:21Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253157#M331762 I see.<BR />I've got <BR />/opt/ssh/etc/sshd_config<BR />/opt/ssh/newconfig/opt/ssh/etc/sshd_config<BR />/opt/ssh/src/ssh/etc/sshd_config<BR />/opt/ssh/src/ssh/sshd_config<BR /><BR />I am about to see if I can figure out what each is. Thanks for the help.<BR /><BR />Michael Mon, 18 Aug 2008 14:38:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253157#M331762 Michael G Jaynes 2008-08-18T14:38:32Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253158#M331763 Shalom,<BR /><BR />We are under SOX and still allowed to login under root. Hmmm.<BR /><BR /><A href="http://www.hpux.ws/?p=19" target="_blank">http://www.hpux.ws/?p=19</A><BR /><BR />That can create key exchange only root access system to system and comply with your auditors interpretation of SOX<BR /><BR />SEP Mon, 18 Aug 2008 14:45:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253158#M331763 Steven E. Protter 2008-08-18T14:45:18Z https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253159#M331764 &gt;&gt;/opt/ssh/etc/sshd_config<BR />It should be this one.<BR /><BR />&gt;&gt;/opt/ssh/newconfig/opt/ssh/etc/sshd_config<BR />This is a sample file.<BR /><BR />&gt;&gt;/opt/ssh/src/ssh/etc/sshd_config<BR />&gt;&gt;/opt/ssh/src/ssh/sshd_config<BR />Did you comple from source? These appear to be part of the source code.<BR /> Mon, 18 Aug 2008 15:21:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/user-session-logs/m-p/4253159#M331764 Patrick Wallek 2008-08-18T15:21:53Z