- Re: I want to get a mail whenever a user is using ...
05-23-2009 10:22 AM
There are five Unix admins working in my company, so I want to monitor which user is using root access at which time.
So I want to send a mail automatically whenever a user is using "su -" to get root access.
Is it possible?
05-23-2009 12:45 PM
Solution
You could add the following to the end of your 'root' .profile. It will mail the 'root' account a message indicating an 'su' to the root account. You can change the mail address to be yourself if you wish.
WHO=$(whoami|awk '{print $1}')
[ "$(logname)" != "${WHO}" ] && \
echo "$(logname) has 'su'ed to 'root'"|mailx -s "NEW ROOT USER!" root
...
Of course, the '/var/adm/sulog' file will show you successful and unsuccessful 'su' events, too. This is the standard place to look for a history of these transitions.
Regards!
...JRF...
05-23-2009 12:53 PM
Re: I want to get a mail whenever a user is using "su -" to get root access.
There are a lot of possible ways. Some of them use monitoring programs like OVO or Nagios, or you can use a script to monitor /var/adm/sulog and mail when su to root is realized.
Sample script:
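#!/usr/bin/sh
# Follow the su log and mail each entry whose target user is root.
# sulog lines end in "fromuser-touser", so match "-root" at the end
# rather than "root" anywhere (which would also catch root-to-other-user).
tail -f /var/adm/sulog |
while read -r line
do
    case "$line" in
        *-root) printf "%s\n" "$line" | mailx -s "switch to root" user@domain.com
            ;;
    esac
done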
Kenan.
05-23-2009 02:39 PM
Re: I want to get a mail whenever a user is using "su -" to get root access.
Do you care if the user leaves out the "-"? In that case JRF's suggestion won't work.
05-23-2009 04:42 PM
Re: I want to get a mail whenever a user is using "su -" to get root access.
# logins -d
Then write a script that monitors /var/adm/sulog looking for new entries.
Make sure that root's .profile has .sh_history enabled with HISTFILE=$HOME/.sh_history and a long HISTSIZE:
export HISTFILE=$HOME/.sh_history
export HISTSIZE=5000
Make copies of root's .sh_history in a secure location, perhaps on another computer.
Finally, all sysadmins must not use root to perform non-root tasks. A better choice is to use sudo, which restricts the commands and parameters for privileged users. And of course, everything is logged.
Bill Hassell, sysadmin
05-23-2009 09:34 PM
Re: I want to get a mail whenever a user is using "su -" to get root access.
This is the way we did it.
disable root logins
for admins, create rootadm1 rootadm2 etc
then
grep for su for these users from /var/adm/sulog
schedule in cron to e-mail the grep results.
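
The sulog monitoring suggested in the replies above (a script that looks for new entries, run from cron), as an added example that is not any poster's script. It assumes the usual sulog line layout (SU date time +/- tty fromuser-touser); the state-file path and the --demo/--mail switches are hypothetical.

```shell
#!/bin/sh
# Added example: report only NEW su-to-root attempts from an sulog-style file.
# Assumed line format: SU MM/DD HH:MM +|- tty fromuser-touser
SULOG=${SULOG:-/var/adm/sulog}
STATE=${STATE:-/var/adm/sulog.seen}   # hypothetical state file (last line read)

# stdin: sulog lines; stdout: one summary line per attempt whose target is root.
root_su_events() {
    awk '$1 == "SU" && NF >= 6 && $6 ~ /-root$/ {
        from = substr($6, 1, length($6) - 5)      # strip the "-root" suffix
        result = ($4 == "+") ? "SUCCESS" : "FAILED"
        printf "%s %s %s %s -> root on %s\n", $2, $3, result, from, $5
    }'
}

# Print events appended to $1 since the previous run; progress is kept in $2.
new_root_su_events() {
    log=$1; state=$2; last=0
    if [ -r "$state" ]; then last=$(cat "$state"); fi
    total=$(wc -l < "$log" | tr -d ' ')
    # Fewer lines than last time: the log was truncated or rotated.
    if [ "$total" -lt "$last" ]; then last=0; fi
    if [ "$total" -gt "$last" ]; then
        sed -n "$((last + 1)),${total}p" "$log" | root_su_events
        echo "$total" > "$state"
    fi
}

# Constructed sample log, so the logic can be tried without touching the system.
demo() {
    d=${TMPDIR:-/tmp}/sulog-demo.$$
    mkdir "$d"
    printf '%s\n' 'SU 05/23 10:22 + pts/0 alice-root' \
                  'SU 05/23 10:25 - pts/1 bob-root' \
                  'SU 05/23 10:30 + pts/0 root-oracle' > "$d/sulog"
    new_root_su_events "$d/sulog" "$d/state"
    rm -rf "$d"
}

case "${1:-}" in
    --demo) demo ;;
    --mail) events=$(new_root_su_events "$SULOG" "$STATE")   # run this from cron
            if [ -n "$events" ]; then
                printf '%s\n' "$events" | mailx -s "su to root" root
            fi ;;
esac
```

Failed attempts are reported as well as successful ones, and a transition from root to another account (root-oracle in the sample) is ignored.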
05-24-2009 03:08 AM
Re: I want to get a mail whenever a user is using "su -" to get root access.
Pls give your full script.
05-24-2009 03:58 AM
Re: I want to get a mail whenever a user is using "su -" to get root access.
Your script suits my needs well.
But it is not working when we use "su" instead of "su -", as Dennis Handly said.
How can I solve this?
And I want to get a mail on exit from the root user.
One more thing I want to add: I want to monitor which commands have been entered by the su'ed user.
Hi Bill Hassell,
Where do we have to run your script, like cron, and when?
Please explain.
05-24-2009 05:03 AM
Re: I want to get a mail whenever a user is using "su -" to get root access.
> But it is not working when we are using "su" instead "su -" as Dennis Handly said.
Yes, that's true. You specifically asked for "...mail whenever a user is using "su -" to get root access" so that's the solution I offered.
I think Kenan Erdey's solution, using a continuous 'tail' of the '/var/adm/sulog', is a much better solution than mine for several reasons. Think about it.
Regards!
...JRF...
05-24-2009 09:41 AM
Re: I want to get a mail whenever a user is using "su -" to get root access.
For monitoring what root does (after su -) you can check root's history file as mentioned before, or convert the system to trusted mode.
But if you think admins can delete history and you don't trust them, you can send logs to a central log server.