HPE Community
Operating System - Tru64 Unix
1752772 Members
5353 Online
108789 Solutions
New Discussion юеВ

Re: log all who use su command

 
jousif
Frequent Advisor

тАО12-20-2005 09:49 PM

тАО12-20-2005 09:49 PM

log all who use su command

Hi admins,
O.S tru64 V5.1A,pk#1,standard security,
I want to make log for all users in the server
who use su command( to root user and to other)
,and log for all attemps to login server includes
successed and failed,
thanks.
0 Kudos
6 REPLIES 6
Ivan Ferreira
Honored Contributor

тАО12-20-2005 10:43 PM

тАО12-20-2005 10:43 PM

Re: log all who use su command

If you create a file called /var/adm/sialog, you will log the use of the su command. But, in this forum, I have found that is not recommended for long term use, only for debug.

Then, your other option is enable auditing, but as you don't have enhanced security, this will not be possible. Also, auditing is more tedious to configure.

So, the my recommendation is:

Do not enable the use of su to anybody, and install SUDO.

Sudo will log all the commands issued as another user or root to a file that you can specify.

Everything that you want to do as root, do it with sudo.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Ivan Ferreira
Honored Contributor

тАО12-20-2005 10:43 PM

тАО12-20-2005 10:43 PM

Re: log all who use su command

See also:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=983868
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
jousif
Frequent Advisor

тАО12-20-2005 11:04 PM

тАО12-20-2005 11:04 PM

Re: log all who use su command

many thanks.
0 Kudos
Ann Majeske
Honored Contributor

тАО12-21-2005 07:18 AM

тАО12-21-2005 07:18 AM

Re: log all who use su command

Ivan,

The sialog was not designed for use as an auditing tool it was only designed for temporary use in debugging SIA problems. Long term use of the sialog can cause severe problems including performance issues and system hangs. I know this because I have responded to several customer problem reports in this area. PLEASE STOP MENTIONING THE USE OF SIALOG TO OUR OTHER CUSTOMERS!!!

The auditing subsystem is independent of Enhanced Security, YOU DO NOT NEED TO ENABLE ENHANCED SECURITY TO USE AUDITING. I use auditing all the time on my systems that do not have Enhanced Security enabled. The auditing subsystem is the supported and recommended method for auditing things like su and logins. Initial configuration is fairly simple if you use the Audit Configuration from the sysman Configuration menu, but it does require a system reboot if audit is not enabled on the system. su is logged as an "auth_event", so selecting ANY of the generic categories when prompted: Desktop, NIS_server, Networked_system, Server, Timesharing, or Timesharing_extended_audit will get you auditing of su, or you can just select "profile_auth", which only audits logins, logouts, and auth_event. It's only if you want to get more specific about what you audit that it can get complicated.

Using SUDO instead of su to allow other users to do root functions is a good idea. The dop utility, which is supplied with the OS, can be used in a similar fashion.

Ann Majeske, HP Tru64 UNIX Engineering Support
0 Kudos
Ivan Ferreira
Honored Contributor

тАО12-21-2005 07:32 AM

тАО12-21-2005 07:32 AM

Re: log all who use su command

I menthion the sialog, and then reference to your posts, because is documented that the sialog will do the job. So, if the user search in the documentation, will see that information and may end using it, like i did until you warned me about the issue.

So, I think that is nothing wrong with letting know to the user that.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Ivan Ferreira
Honored Contributor

тАО12-21-2005 07:46 AM

тАО12-21-2005 07:46 AM

Re: log all who use su command

And thanks for the clarification about auditing and enhanced security. As we don't run systems without enhanced security, and it's in the security configuration manual with enhanced security, I though that was a pre-requisite.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.