Operating System - Tru64 Unix
how to know who use su command

jousif
Frequent Advisor

how to know who use su command

Hi Admins,
Some users use the su command to become the root user.
I want to know how I can discover these users.
Please advise.
10 REPLIES
Victor Semaska_3
Esteemed Contributor

Re: how to know who use su command

In order for a user to become root using 'su' they have to be part of the 'system' group.

I guess the easiest way to see who's in the system group is to look in the /etc/group file.

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
AwadheshPandey
Honored Contributor

Re: how to know who use su command

View the sulog file to see successful attempts of su.

Awadhesh
It's kind of fun to do the impossible
Ivan Ferreira
Honored Contributor

Re: how to know who use su command

Create a file called /var/adm/sialog. This file will log security related records, and the use of su, like this:

Successful authentication for su from root to ferreiri
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
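An added example, not part of the original post or of any Tru64 tooling: a small shell function that summarizes who used su, and to which account, from records worded like the line quoted above. The function names, the sample records, and the assumption that any prefix before "Successful" can be ignored are all constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize su use from records worded like the one in the post:
#   Successful authentication for su from <from_user> to <to_user>
# Assumption: text before "Successful" (such as a timestamp) may be present
# and is ignored. Function names here are hypothetical.

# su_summary [TARGET]
# Reads records on stdin and prints "<count> <from_user> -> <to_user>",
# highest count first. With TARGET, only transitions to that account.
su_summary() {
    awk -v target="${1:-}" '
    BEGIN { phrase = "Successful authentication for su from " }
    {
        i = index($0, phrase)          # find the fixed wording anywhere
        if (i == 0) next               # not an su success record
        rest = substr($0, i + length(phrase))
        n = split(rest, f, " ")
        if (n < 3 || f[2] != "to") next   # malformed or truncated record
        if (target != "" && f[3] != target) next
        count[f[1] " -> " f[3]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample records (not from a real system).
sample_log() {
    cat <<'EOF'
Successful authentication for su from root to ferreiri
Successful authentication for su from alice to root
Successful authentication for su from bob to root
PREFIX-TEXT Successful authentication for su from alice to root
some unrelated record
Successful authentication for su from carol
EOF
}

# Who became root, and how often.
sample_log | su_summary root
```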
Ann Majeske
Honored Contributor

Re: how to know who use su command

The sialog file is designed for temporary use in debugging sia problems, it is not designed for long term use as an auditing tool. Leaving the sialog running for long periods can cause serious problems on your system including performance problems with logins, filling up the /var filesystem, and potential system hangs.

To audit the use of the su command you can use the audit subsystem. See the Security Administration manual for information on the audit subsystem.

Ann Majeske
Deb Kenney
Occasional Visitor

Re: how to know who use su command

You could always check out the /var/adm/syslog.dated/current/auth.log file.
Ivan Ferreira
Honored Contributor

Re: how to know who use su command

The sialog file won't be a problem, we use that, and we use the /usr/lbin/logclean command to rotate the file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ann Majeske
Honored Contributor

Re: how to know who use su command

Ivan,

Just because you haven't had any problems using sialog all the time (that you have been able to attribute to using sialog), doesn't mean that everyone can use sialog all the time. I have seen examples of all the problems that I listed on systems with the sialog left enabled for long periods of time.

The sialog was designed to only be used short term to diagnose sia related problems. I was on the development team, I talked to the people who developed it. It was a documentation error in the man page that this restriction was not clearly stated in the man page as originally written.

Ann
Ivan Ferreira
Honored Contributor

Re: how to know who use su command

Ann Majeske, thanks for the information. I did not read that in the security manual. But, are su operations logged anywhere else? We have everything in debug mode in syslog but it does not work.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ann Majeske
Honored Contributor

Re: how to know who use su command

Ivan,

As I stated in my previous reply, you can use the Audit subsystem to audit the use of the su command. See the Security Administration manual for more information.

Ann
jousif
Frequent Advisor

Re: how to know who use su command

Many thanks to all.