topic Re: I want to get a mail whenever a user is using "su -" to get root access. in Operating System - HP-UX

I want to get a mail whenever a user is using "su -" to get root access.

senthil_kumar_1 — Sat, 23 May 2009 17:22:45 GMT

Hi

There five Unix admins are working in my company. so i want to monitor which user is using root access at which time.

so i want to send a mail automatically whenever a user is using "su -" to get the root access.

is it posibble.

Re: I want to get a mail whenever a user is using "su -" to get root access.

James R. Ferguson — Sat, 23 May 2009 19:45:44 GMT

Hi:

You could add the following to the end of your 'root' .profile. It will mail the 'root' account a message indicating an 'su' to the root account. You can change the mail address to be yourself if you wish.

WHO=$(whoami|awk '{print $1}')
[ "$(logname)" != "${WHO}" ] && \
echo "$(logname) has 'su'ed to 'root'"|mailx -s "NEW ROOT USER!" root

...

Of course, the '/var/adm/sulog' file will show you successful and unsuccessful 'su' events, too. This is the standard place to look for a history of these transitions.

Regards!

...JRF...

Re: I want to get a mail whenever a user is using "su -" to get root access.

Kenan Erdey — Sat, 23 May 2009 19:53:01 GMT

Hi,

a lot of possible ways are there. Some of them using monitoring programs like ovo, nagios. or you can use a script to monitor /var/adm/sulog and mail when su to root is reliased.

Sample script:

#!/usr/bin/sh

tail -f /var/adm/sulog |
while read line
do
case "$line" in
*root*) printf "%s\n" "$line" |mailx -s "switch to root" user@domain.com
;;
esac
done

Kenan.

Re: I want to get a mail whenever a user is using "su -" to get root access.

Dennis Handly — Sat, 23 May 2009 21:39:45 GMT

>whenever a user is using "su -" to get the root access.

Do you care if the user leaves out the "-"? In that case JRF's suggestion won't work.

Re: I want to get a mail whenever a user is using "su -" to get root access.

Bill Hassell — Sat, 23 May 2009 23:42:15 GMT

It sounds like you are having problems with root users making mistakes or violating security requirements. Start by verifying that there are no duplicate root users (possible root kit):

# logins -d

Then write a script that monitors /var/adm/sulog looking fir new entries.

Make sure that root's .profile has .sh_history enabled with HISTFILE=$HOME/.sh_history and a long HISTSIZE:

export HISTFILE=$HOME/.sh_history
export HISTSIZE=5000

Make copies of root's .sh_history in a secure location, perhaps on another computer.

Finally, all sysadmins must not use root to perform non-root tasks. A better choice is to use sudo which restricts the commands and parameters for privileged users. And of soures, everything is logged.

Re: I want to get a mail whenever a user is using "su -" to get root access.

Basheer_2 — Sun, 24 May 2009 04:34:08 GMT

Kumar,

This is the way we did.

disable root logins
for admins, create rootadm1 rootadm2 etc

then
grep for su for these uses from /var/adm/sulog

schedule in cron to e-mail the grep results.

Re: I want to get a mail whenever a user is using "su -" to get root access.

senthil_kumar_1 — Sun, 24 May 2009 10:08:44 GMT

Hi Basheer.

Pls give your full script.

Re: I want to get a mail whenever a user is using "su -" to get root access.

senthil_kumar_1 — Sun, 24 May 2009 10:58:53 GMT

Hi James R. Ferguson,

your script is well suiting for my needs.

But it is not working when we are using "su" instead "su -" as Dennis Handly said.

How to solve this.

And i want to get a mail when exit from root user.

And One more thing i want to add that i want to monitor that what are commands has been entered by sued user.

Hi Bill Hassell,

where we have to run your script like cron and when?.

pls explain.

Re: I want to get a mail whenever a user is using "su -" to get root access.

James R. Ferguson — Sun, 24 May 2009 12:03:24 GMT

Hi (again) Senthil:

> But it is not working when we are using "su" instead "su -" as Dennis Handly said.

Yes, that's true. You specifically asked for "...mail whenever a user is using "su -" to get root access" so that's the solution I offered.

I think Kenan Erdey's solution, using a continuous 'tail' of the '/var/adm/sylog' is a much better solution than mine for several reasons. Think about it.

Regards!

...JRF...

Re: I want to get a mail whenever a user is using "su -" to get root access.

Kenan Erdey — Sun, 24 May 2009 16:41:00 GMT

hi,

for monitoring what root does (after su -) you can check root's history file as mentioned before. or convert the system to trusted mode.

but if you think admins can delete history and you don't trust them, you can send logs to central log server.

Re: I want to get a mail whenever a user is using "su -" to get root access.

senthil_kumar_1 — Wed, 27 May 2009 12:18:02 GMT

Hi Kenan Erdey,

When we have to run your script?

do we have to configure this in crontab?

what is the time interval?

pls explain.

Re: I want to get a mail whenever a user is using "su -" to get root access.

senthil_kumar_1 — Wed, 27 May 2009 12:22:08 GMT

Actually "/root/.sh_histor" all the commands history that has been entered after getting root login.

But the promblem is how to know that what are the commands has been executed by what users?

How to find that these commands are entered by what users?

Re: I want to get a mail whenever a user is using "su -" to get root access.

Sunny123_1 — Wed, 27 May 2009 12:39:06 GMT

Hi

Check the sulog file for knowing who has done su login to root.

Regards
Sunny

Re: I want to get a mail whenever a user is using "su -" to get root access.

Kenan Erdey — Wed, 27 May 2009 12:53:43 GMT

Hi,

> When we have to run your script?

just run the script in background. unless you or another root kill the process, it will run in the background check sulog file.

> How to find that these commands are entered by what users?

searched some. i knew, it's not supposed to give user id 0 to users for beeing root, but hp wrote:

http://docs.hp.com/en/5992-3387/ch02s11.html

if users switch to root, you can keep seperate history file according to ip, here is an example:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1220391

Re: I want to get a mail whenever a user is using "su -" to get root access.

Steven E. Protter — Wed, 27 May 2009 12:59:45 GMT

Shalom,

Honestly, my approach would be to take the output of the above scripts, condense it down into a daily report, in a file and use this script to deliver it:

http://www.hpux.ws/?p=7

SEP

Re: I want to get a mail whenever a user is using "su -" to get root access.

Mel Burslan — Wed, 27 May 2009 13:11:20 GMT

Senthil,

As you may or may not have realized, auditing root users after they become root, is next to impossible with the built-in unix tools. Once they access the root level, they have the keys to the kingdom and they can do whatever they want, delete sh_history files, modify syslog and remove all the traces that they were there as root. So, the solution to your problem is questionable at best, using the tools provided the OS.

If you are being chased by the auditors, none of the solutions offered will fly in the face of professional auditors like Deloitte, Price-Waterhouse etc. If you are only looking for this as an information only tool, there are several real good suggestions above, but if you are looking into this as an audit tool, I have some bad news for you: You need to spend money ! Buy/License PowerBroker for hpux from Symark. Using, powerbroker, you can record every keystroke a user does on the system where this software is installed and writes them to a log on a remote server, even this user is root. I have used this product while I was contracting at HP and it is great, alas not cheap.