https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934761#M14451 The sialog file is designed for temporary use in debugging sia problems, it is not designed for long term use as an auditing tool. Leaving the sialog running for long periods can cause serious problems on your system including performance problems with logins, filling up the /var filesystem, and potential system hangs. <BR /><BR />To audit the use of the su command you can use the audit subsystem. See the Security Administration manual for information on the audit subsystem.<BR /><BR />Ann Majeske Wed, 19 Oct 2005 15:36:30 GMT Ann Majeske 2005-10-19T15:36:30Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934757#M14447 Hi Admins,<BR />some users use su command to become root user<BR />I want to know how can I dicover these users<BR />please advise. Wed, 19 Oct 2005 08:04:47 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934757#M14447 jousif 2005-10-19T08:04:47Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934758#M14448 In order for a user to become root using 'su' they have to be part of the 'system' group.<BR /><BR />I guess the easiest way to see who's in the system group is to look in the /etc/group file.<BR /><BR />Vic<BR /> Wed, 19 Oct 2005 08:10:28 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934758#M14448 Victor Semaska_3 2005-10-19T08:10:28Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934759#M14449 view sulog file for view successful attempts of su.<BR /><BR />Awadhesh Wed, 19 Oct 2005 09:08:11 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934759#M14449 AwadheshPandey 2005-10-19T09:08:11Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934760#M14450 Create a file called /var/adm/sialog. This file will log security related records, and the use of su, like this:<BR /><BR />Successful authentication for su from root to ferreiri Wed, 19 Oct 2005 09:29:02 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934760#M14450 Ivan Ferreira 2005-10-19T09:29:02Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934761#M14451 The sialog file is designed for temporary use in debugging sia problems, it is not designed for long term use as an auditing tool. Leaving the sialog running for long periods can cause serious problems on your system including performance problems with logins, filling up the /var filesystem, and potential system hangs. <BR /><BR />To audit the use of the su command you can use the audit subsystem. See the Security Administration manual for information on the audit subsystem.<BR /><BR />Ann Majeske Wed, 19 Oct 2005 15:36:30 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934761#M14451 Ann Majeske 2005-10-19T15:36:30Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934762#M14452 You could always check out the /var/adm/syslog.dated/current/auth.log file. Thu, 20 Oct 2005 06:30:20 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934762#M14452 Deb Kenney 2005-10-20T06:30:20Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934763#M14453 The sialog file won't be a problem, we use that, and we use the /usr/lbin/logclean command to rotate the file. Thu, 20 Oct 2005 06:39:09 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934763#M14453 Ivan Ferreira 2005-10-20T06:39:09Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934764#M14454 Ivan,<BR /><BR />Just because you haven't had any problems using sialog all the time (that you have been able to attribute to using sialog), doesn't mean that everyone can use sialog all the time. I have seen examples of all the problems that I listed on systems with the sialog left enabled for long periods of time. <BR /><BR />The sialog was designed to only be used short term to diagnose sia related problems. I was on the development team, I talked to the people who developed it. It was a documentation error in the man page that this restriction was not clearly stated in the man page as originally written.<BR /><BR />Ann Fri, 21 Oct 2005 12:56:15 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934764#M14454 Ann Majeske 2005-10-21T12:56:15Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934765#M14455 Ann Majeske, thanks for the information. I did not readed that in the security manual. But, is su operations logged anywhere else? We have all in debug mode in syslog but it does not works. Fri, 21 Oct 2005 13:32:16 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934765#M14455 Ivan Ferreira 2005-10-21T13:32:16Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934766#M14456 Ivan,<BR /><BR />As I stated in my previous reply, you can use the Audit subsystem to audit the use of the su command. See the Security Administration manual for more information.<BR /><BR />Ann<BR /> Fri, 21 Oct 2005 15:55:58 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934766#M14456 Ann Majeske 2005-10-21T15:55:58Z https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934767#M14457 many thanks to alls, Mon, 19 Dec 2005 03:18:33 GMT https://community.hpe.com/t5/operating-system-tru64-unix/how-to-know-who-use-su-command/m-p/4934767#M14457 jousif 2005-12-19T03:18:33Z