HPE Community
Operating System - HP-UX
1752272 Members
4270 Online
108786 Solutions
New Discussion юеВ

Re: I want to get a mail whenever a user is using "su -" to get root access.

 
SOLVED
Go to solution
senthil_kumar_1
Super Advisor

тАО05-23-2009 10:22 AM

тАО05-23-2009 10:22 AM

I want to get a mail whenever a user is using "su -" to get root access.

Hi

There five Unix admins are working in my company. so i want to monitor which user is using root access at which time.

so i want to send a mail automatically whenever a user is using "su -" to get the root access.


is it posibble.
0 Kudos
Reply
15 REPLIES 15
James R. Ferguson
Acclaimed Contributor

тАО05-23-2009 12:45 PM

тАО05-23-2009 12:45 PM

Solution

Re: I want to get a mail whenever a user is using "su -" to get root access.

Hi:

You could add the following to the end of your 'root' .profile. It will mail the 'root' account a message indicating an 'su' to the root account. You can change the mail address to be yourself if you wish.

WHO=$(whoami|awk '{print $1}')
[ "$(logname)" != "${WHO}" ] && \
echo "$(logname) has 'su'ed to 'root'"|mailx -s "NEW ROOT USER!" root

...

Of course, the '/var/adm/sulog' file will show you successful and unsuccessful 'su' events, too. This is the standard place to look for a history of these transitions.

Regards!

...JRF...
Reply
Kenan Erdey
Honored Contributor

тАО05-23-2009 12:53 PM

тАО05-23-2009 12:53 PM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Hi,

a lot of possible ways are there. Some of them using monitoring programs like ovo, nagios. or you can use a script to monitor /var/adm/sulog and mail when su to root is reliased.

Sample script:

#!/usr/bin/sh

tail -f /var/adm/sulog |
while read line
do
case "$line" in
*root*) printf "%s\n" "$line" |mailx -s "switch to root" user@domain.com
;;
esac
done




Kenan.
Computers have lots of memory but no imagination
Reply
Dennis Handly
Acclaimed Contributor

тАО05-23-2009 02:39 PM

тАО05-23-2009 02:39 PM

Re: I want to get a mail whenever a user is using "su -" to get root access.

>whenever a user is using "su -" to get the root access.

Do you care if the user leaves out the "-"? In that case JRF's suggestion won't work.
Reply
Bill Hassell
Honored Contributor

тАО05-23-2009 04:42 PM

тАО05-23-2009 04:42 PM

Re: I want to get a mail whenever a user is using "su -" to get root access.

It sounds like you are having problems with root users making mistakes or violating security requirements. Start by verifying that there are no duplicate root users (possible root kit):

# logins -d

Then write a script that monitors /var/adm/sulog looking fir new entries.

Make sure that root's .profile has .sh_history enabled with HISTFILE=$HOME/.sh_history and a long HISTSIZE:

export HISTFILE=$HOME/.sh_history
export HISTSIZE=5000

Make copies of root's .sh_history in a secure location, perhaps on another computer.

Finally, all sysadmins must not use root to perform non-root tasks. A better choice is to use sudo which restricts the commands and parameters for privileged users. And of soures, everything is logged.


Bill Hassell, sysadmin
Reply
Basheer_2
Trusted Contributor

тАО05-23-2009 09:34 PM

тАО05-23-2009 09:34 PM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Kumar,

This is the way we did.

disable root logins
for admins, create rootadm1 rootadm2 etc

then
grep for su for these uses from /var/adm/sulog

schedule in cron to e-mail the grep results.

Reply
senthil_kumar_1
Super Advisor

тАО05-24-2009 03:08 AM

тАО05-24-2009 03:08 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Hi Basheer.

Pls give your full script.
0 Kudos
Reply
senthil_kumar_1
Super Advisor

тАО05-24-2009 03:58 AM

тАО05-24-2009 03:58 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Hi James R. Ferguson,

your script is well suiting for my needs.

But it is not working when we are using "su" instead "su -" as Dennis Handly said.

How to solve this.

And i want to get a mail when exit from root user.

And One more thing i want to add that i want to monitor that what are commands has been entered by sued user.



Hi Bill Hassell,

where we have to run your script like cron and when?.

pls explain.

0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

тАО05-24-2009 05:03 AM

тАО05-24-2009 05:03 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Hi (again) Senthil:

> But it is not working when we are using "su" instead "su -" as Dennis Handly said.

Yes, that's true. You specifically asked for "...mail whenever a user is using "su -" to get root access" so that's the solution I offered.

I think Kenan Erdey's solution, using a continuous 'tail' of the '/var/adm/sylog' is a much better solution than mine for several reasons. Think about it.

Regards!

...JRF...
Reply
Kenan Erdey
Honored Contributor

тАО05-24-2009 09:41 AM

тАО05-24-2009 09:41 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

hi,

for monitoring what root does (after su -) you can check root's history file as mentioned before. or convert the system to trusted mode.

but if you think admins can delete history and you don't trust them, you can send logs to central log server.
Computers have lots of memory but no imagination
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.