topic Re: su logs in Operating System - HP-UX

su logs

Md. Farhan A Azam — Mon, 01 Jun 2009 02:10:59 GMT

Hi Gurus,

All su id i can get from syslog.log, but can you pls tell me that from where we can check that commnds executed by the user who has done su from normal userid to root.

OS - 11.11
Server - SD32A, RP4440, RP3440

thnx...farhan

Re: su logs

Jeeshan — Mon, 01 Jun 2009 02:32:41 GMT

You can find the su log from /var/adm/sulog.

Normally you can see the .sh_history file to see what is executed by the user at that time.

Re: su logs

Basheer_2 — Mon, 01 Jun 2009 03:47:23 GMT

Yes,

Ahsan is right.

This is what I used to do.
We also modify the user .profile and make the history file with the date and time stamp.
each time the user logins all the commands are logged into that file (that has date-time stamps).

The drawback of this is there are too many files created. for example if the user logs in and logs out 100 times, there are 100 files created.

if you go this route then, you may need to cron this to get rid of these files.

let me know if you need the profile I will cut and paste it.

Re: su logs

Suraj K Sankari — Mon, 01 Jun 2009 03:49:18 GMT

Hi,
From syslog.log you can find out which user is using "su" command.

>>from where we can check that commnds executed by the user

Go to that users home directiory and check .sh_history file there you can find the commands.

Suraj

Re: su logs

Dennis Handly — Mon, 01 Jun 2009 05:22:40 GMT

>where we can check that commands executed by the user who has done su from normal userid to root.

You can't accurately do this. If the user does "su -", you could look at root's history file but the user could erase it. If no "-", again the user could erase his history.

One suggestion is to use sudo for "each" command so they are all logged.

Re: su logs

Md. Farhan A Azam — Mon, 01 Jun 2009 05:58:43 GMT

Hi Gurus,

i checked in .sh_history, but the command which i am executing is not getting logged in history.

thnx...farhan

Re: su logs

Dennis Handly — Mon, 01 Jun 2009 06:31:08 GMT

>I checked in .sh_history,

Which su(1) option did you use, "-"?
Which .sh_history? What does "echo $HISTFILE" show once you su?

This is why this isn't accurate.

Re: su logs

Md. Farhan A Azam — Tue, 02 Jun 2009 03:14:59 GMT

Hi Dennis,

i use "su -", and its geeting logged in sulog, but the other commands which i am executing (i.e. top, bdf)is not getting logged in .sh_history of root.

thnx...farhan

Re: su logs

Md. Farhan A Azam — Tue, 02 Jun 2009 03:22:27 GMT

echo $HISTFILE

its shows,
# echo $HISTFILE
sh: HISTFILE: Parameter not set.
#
#
# echo $ HISTFILE
$ HISTFILE
#

thnx...farhan

Re: su logs

Dennis Handly — Tue, 02 Jun 2009 06:38:22 GMT

># echo $HISTFILE
sh: HISTFILE: Parameter not set.

Since root doesn't have a history file, nothing will be logged. You must set HISTFILE in your .profile.

Re: su logs

Md. Farhan A Azam — Mon, 15 Jun 2009 02:40:26 GMT

Hi Dennis,

After configuring HISTFILE & HISTSIZE, it working fine. Thanks to all of you.

thnx...farhan