https://community.hpe.com/t5/operating-system-hp-ux/root-login/m-p/2418176#M765776 Hi Nick,<BR /><BR />All bad logins are stored in the /var/adm/btmp in a binary format. To show <BR />these in a readable format, you use the lastb command (similar to the last <BR />command for successful logins). <BR /><BR />For example:<BR /><BR />fred:/var/adm # lastb<BR />asdf pts/0 Tue Feb 8 07:58 <BR />asdf pts/0 Tue Feb 8 07:58 <BR />root pts/0 Tue Feb 8 07:58 <BR />root pts/tc Fri Feb 4 15:05 <BR />root pts/tc Fri Feb 4 15:05 <BR /><BR />As far as scripting it goes, it depends on how quickly you want to get this <BR />information. To be honest, I can't think of an easy way to trigger this <BR />instantly. <BR /><BR />What you can do though is schedule a cron job to check if the btmp file has <BR />changed and display the last records since changing. Or, if you don't want the <BR />info in it you can empty the file each time and just do a lastb to show <BR />everything in it. This will also help maintain the size of the file.<BR /><BR />You could set this to run every minute, or once a day to produce a report each <BR />morning.<BR /><BR />You may also want to look at the security and auditing options available <BR />through SAM. If you are running a trusted system (C2 level security) then you <BR />can do more in terms of auditing.<BR /><BR />Hope this helps...<BR /><BR />Cheers,<BR />Andrew Schafer<BR />Australian Response Centre Mon, 07 Feb 2000 13:26:47 GMT Andrew Schafer_2 2000-02-07T13:26:47Z https://community.hpe.com/t5/operating-system-hp-ux/root-login/m-p/2418175#M765775 I would like to configure a script likely, that will email me when someone has <BR />tried to logon as root and failed.<BR /><BR />Thanks,<BR /><BR />Nickd<BR /><BR /><BR /> Mon, 07 Feb 2000 11:27:26 GMT https://community.hpe.com/t5/operating-system-hp-ux/root-login/m-p/2418175#M765775 Nick D'angelo_3 2000-02-07T11:27:26Z https://community.hpe.com/t5/operating-system-hp-ux/root-login/m-p/2418176#M765776 Hi Nick,<BR /><BR />All bad logins are stored in the /var/adm/btmp in a binary format. To show <BR />these in a readable format, you use the lastb command (similar to the last <BR />command for successful logins). <BR /><BR />For example:<BR /><BR />fred:/var/adm # lastb<BR />asdf pts/0 Tue Feb 8 07:58 <BR />asdf pts/0 Tue Feb 8 07:58 <BR />root pts/0 Tue Feb 8 07:58 <BR />root pts/tc Fri Feb 4 15:05 <BR />root pts/tc Fri Feb 4 15:05 <BR /><BR />As far as scripting it goes, it depends on how quickly you want to get this <BR />information. To be honest, I can't think of an easy way to trigger this <BR />instantly. <BR /><BR />What you can do though is schedule a cron job to check if the btmp file has <BR />changed and display the last records since changing. Or, if you don't want the <BR />info in it you can empty the file each time and just do a lastb to show <BR />everything in it. This will also help maintain the size of the file.<BR /><BR />You could set this to run every minute, or once a day to produce a report each <BR />morning.<BR /><BR />You may also want to look at the security and auditing options available <BR />through SAM. If you are running a trusted system (C2 level security) then you <BR />can do more in terms of auditing.<BR /><BR />Hope this helps...<BR /><BR />Cheers,<BR />Andrew Schafer<BR />Australian Response Centre Mon, 07 Feb 2000 13:26:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/root-login/m-p/2418176#M765776 Andrew Schafer_2 2000-02-07T13:26:47Z https://community.hpe.com/t5/operating-system-hp-ux/root-login/m-p/2418177#M765777 Probably a good idea is to disable root login from anything other than the <BR />console via /etc/securetty then you can monitor the sulog by doing something <BR />like this from a cron job<BR /><BR />grep " - " /var/adm/sulog | grep -i root | mail username<BR /><BR />This will give you all bad su attempts, change the - to a + for all the good <BR />attempts. Mon, 07 Feb 2000 21:23:11 GMT https://community.hpe.com/t5/operating-system-hp-ux/root-login/m-p/2418177#M765777 Anthony Goonetilleke_1 2000-02-07T21:23:11Z