HPE Community
Operating System - HP-UX
1752577 Members
3941 Online
108788 Solutions
New Discussion юеВ

Re: I want to get a mail whenever a user is using "su -" to get root access.

 
SOLVED
Go to solution
senthil_kumar_1
Super Advisor

тАО05-27-2009 05:18 AM

тАО05-27-2009 05:18 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Hi Kenan Erdey,

When we have to run your script?

do we have to configure this in crontab?

what is the time interval?

pls explain.
0 Kudos
Reply
senthil_kumar_1
Super Advisor

тАО05-27-2009 05:22 AM

тАО05-27-2009 05:22 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Actually "/root/.sh_histor" all the commands history that has been entered after getting root login.

But the promblem is how to know that what are the commands has been executed by what users?

How to find that these commands are entered by what users?

0 Kudos
Reply
Sunny123_1
Esteemed Contributor

тАО05-27-2009 05:39 AM

тАО05-27-2009 05:39 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Hi

Check the sulog file for knowing who has done su login to root.

Regards
Sunny
Reply
Kenan Erdey
Honored Contributor

тАО05-27-2009 05:53 AM

тАО05-27-2009 05:53 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Hi,

> When we have to run your script?

just run the script in background. unless you or another root kill the process, it will run in the background check sulog file.

> How to find that these commands are entered by what users?

searched some. i knew, it's not supposed to give user id 0 to users for beeing root, but hp wrote:

http://docs.hp.com/en/5992-3387/ch02s11.html

if users switch to root, you can keep seperate history file according to ip, here is an example:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1220391


Computers have lots of memory but no imagination
Reply
Steven E. Protter
Exalted Contributor

тАО05-27-2009 05:59 AM

тАО05-27-2009 05:59 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Shalom,

Honestly, my approach would be to take the output of the above scripts, condense it down into a daily report, in a file and use this script to deliver it:

http://www.hpux.ws/?p=7

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Mel Burslan
Honored Contributor

тАО05-27-2009 06:11 AM

тАО05-27-2009 06:11 AM

Re: I want to get a mail whenever a user is using "su -" to get root access.

Senthil,

As you may or may not have realized, auditing root users after they become root, is next to impossible with the built-in unix tools. Once they access the root level, they have the keys to the kingdom and they can do whatever they want, delete sh_history files, modify syslog and remove all the traces that they were there as root. So, the solution to your problem is questionable at best, using the tools provided the OS.

If you are being chased by the auditors, none of the solutions offered will fly in the face of professional auditors like Deloitte, Price-Waterhouse etc. If you are only looking for this as an information only tool, there are several real good suggestions above, but if you are looking into this as an audit tool, I have some bad news for you: You need to spend money ! Buy/License PowerBroker for hpux from Symark. Using, powerbroker, you can record every keystroke a user does on the system where this software is installed and writes them to a log on a remote server, even this user is root. I have used this product while I was contracting at HP and it is great, alas not cheap.
________________________________
UNIX because I majored in cryptology...
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.