topic Re: count root disable in Operating System - HP-UX

count root disable

Jairo Campana — Tue, 18 Dec 2001 17:38:45 GMT

hello, my system this in way trusted and with system security policies somebody disabled account of root .
as I can know who was?

$ su - root
Password:
Account is disabled - see Account Administrator
su: Sorry

Re: count root disable

Patrick Wallek — Tue, 18 Dec 2001 17:47:24 GMT

Once you get roots account re-enalbed you can do a:

# lastb -R | grep root

This will tell you what host (IP address) the login attempt to root came from. From there you can hopefully trace that back to a workstation and figure out who it was.

Re: count root disable

Timothy Czarnik — Tue, 18 Dec 2001 17:47:25 GMT

Jairo,

This could have been caused by someone trying to log in as root more than the allowed number of times. Regardless, you should be able to log in as root at the system console. Give that a shot. Once in, you can take a look at root's history file (.sh_history normally, but not necessarily), use the last command to see who had logged in recently, check the /var/adm/syslog/syslog.log to see who used the su command to become root.

-Tim

Re: count root disable

Sridhar Bhaskarla — Tue, 18 Dec 2001 18:04:10 GMT

This could be due to either telnet logins or su attempts.

First enable root doing a modprpw -k in single user mode.

Later do an audit

For telnet logins

lastb -R |grep root

And find the third column of IP Address/Hostname

For su attempts

try /var/adm/sulog and look for "-" signs. You will also get it from /var/adm/syslog/syslog.log

grep root /var/adm/syslog/syslog.log |grep su and look for - sign.

-Sri

Re: count root disable

Jeff Machols — Tue, 18 Dec 2001 18:17:04 GMT

to fix the problem you can run /usr/lbin/modprpw -k -l root, but follow the above suggestions to find out why the account was disabled

Re: count root disable

Bill Hassell — Tue, 18 Dec 2001 20:46:17 GMT

Just a matter of policy but it sure simplifies these types of problems: you do have less than 3 people with the root password, right? In that case, just ask them what happened. For systems with more than 3 or 4 sysadmins, I would expect general chaos to be the result unless very strict rules are followed concerning communication.

Another rule is: never login as root unless there is no other way to accomplish the task. If there is no choice, read the first rule again...most of the 'oops' mistakes by sysadmins are due to casual usage of the root account.

FYI: last and lastb both have methods to filter out a user name:

# lastb -R -20 root

for example.