Simpler Navigation for Servers and Operating Systems
Completed: a much simpler Servers and Operating Systems section of the Community. We combined many of the older boards, so you won't have to click through so many levels to get at the information you need. Check the consolidated boards here as many sub-forums are now single boards.
Operating System - Tru64 Unix
cancel
Showing results for 
Search instead for 
Did you mean: 

log all who use su command

jousif
Frequent Advisor

log all who use su command

Hi admins,
O.S tru64 V5.1A,pk#1,standard security,
I want to make log for all users in the server
who use su command( to root user and to other)
,and log for all attemps to login server includes
successed and failed,
thanks.
6 REPLIES
Ivan Ferreira
Honored Contributor

Re: log all who use su command

If you create a file called /var/adm/sialog, you will log the use of the su command. But, in this forum, I have found that is not recommended for long term use, only for debug.

Then, your other option is enable auditing, but as you don't have enhanced security, this will not be possible. Also, auditing is more tedious to configure.

So, the my recommendation is:

Do not enable the use of su to anybody, and install SUDO.

Sudo will log all the commands issued as another user or root to a file that you can specify.

Everything that you want to do as root, do it with sudo.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: log all who use su command

See also:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=983868
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
jousif
Frequent Advisor

Re: log all who use su command

many thanks.
Ann Majeske
Honored Contributor

Re: log all who use su command

Ivan,

The sialog was not designed for use as an auditing tool it was only designed for temporary use in debugging SIA problems. Long term use of the sialog can cause severe problems including performance issues and system hangs. I know this because I have responded to several customer problem reports in this area. PLEASE STOP MENTIONING THE USE OF SIALOG TO OUR OTHER CUSTOMERS!!!

The auditing subsystem is independent of Enhanced Security, YOU DO NOT NEED TO ENABLE ENHANCED SECURITY TO USE AUDITING. I use auditing all the time on my systems that do not have Enhanced Security enabled. The auditing subsystem is the supported and recommended method for auditing things like su and logins. Initial configuration is fairly simple if you use the Audit Configuration from the sysman Configuration menu, but it does require a system reboot if audit is not enabled on the system. su is logged as an "auth_event", so selecting ANY of the generic categories when prompted: Desktop, NIS_server, Networked_system, Server, Timesharing, or Timesharing_extended_audit will get you auditing of su, or you can just select "profile_auth", which only audits logins, logouts, and auth_event. It's only if you want to get more specific about what you audit that it can get complicated.

Using SUDO instead of su to allow other users to do root functions is a good idea. The dop utility, which is supplied with the OS, can be used in a similar fashion.

Ann Majeske, HP Tru64 UNIX Engineering Support
Ivan Ferreira
Honored Contributor

Re: log all who use su command

I menthion the sialog, and then reference to your posts, because is documented that the sialog will do the job. So, if the user search in the documentation, will see that information and may end using it, like i did until you warned me about the issue.

So, I think that is nothing wrong with letting know to the user that.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Ferreira
Honored Contributor

Re: log all who use su command

And thanks for the clarification about auditing and enhanced security. As we don't run systems without enhanced security, and it's in the security configuration manual with enhanced security, I though that was a pre-requisite.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?