
Message when someone su root

Hi,
I have a dgux 4.0f box and I would like to know if there is a way to notify the sysadmin that someone tried to su root or tried to log in with the root account.

I saw how Polycenter works but I can't buy such a tool.

Thanks a lot.
Ezra
6 REPLIES
Ralf Puchner
Honored Contributor

Re: Message when someone su root

Have a look at an older entry talking about syslogd. There are 3 options for a solution.
Help() { FirstReadManual(urgently); Go_to_it;; }

Re: Message when someone su root

Thanks Ralph!
Ezra
Caesar_3
Esteemed Contributor

Re: Message when someone su root

Hello!

You can write a script that will the the log
and do what you want, run it in cron.
You can use the syslog daemon options
and configure it so that it will do something when
an su is made and comes to syslogd.

Caesar
Michael Elleby III_1
Trusted Contributor

Re: Message when someone su root

Here is what I did because I had to give a couple of other people the root pswd (i.e. Security group) and Tru64 does not have a lastb command although it has a last command:

1. Removed 'ptys' from the /etc/securettys file so that direct root login cannot be done from any machine besides the console.

2. In the event that an individual is successful logging in as root, echo the LOGNAME (if the user did an su) and modify root's profile with a sendmail command and include a text file that indicates that someone logged in as root:

sendmail you@yourcompany.com < /nameoftextfile

Now I know that you can execute su without the '-' to inhibit the profile, but this might help.

Mike-



Knowledge Is Power

Re: Message when someone su root

Thanks.
You were all very helpful.

Ezra
Michael Schulte zur Sur
Honored Contributor

Re: Message when someone su root

An su to root you'll find in
/var/adm/syslog.dated/current/auth.log

regards,

Michael Schulte
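
Added example, not code from any poster in this thread: a script to run from cron, as suggested above, that reads the auth.log path named in the last reply and mails new su-to-root entries with sendmail. The state-file path, the address argument and the assumed syslog line layout are assumptions; check the pattern against your own auth.log.

```shell
#!/bin/sh
# su_watch.sh - added example: mail new su-to-root entries found in auth.log.
# Usage from cron: su_watch.sh sysadmin@example.com

LOG=${LOG:-/var/adm/syslog.dated/current/auth.log}   # path given in the thread
STATE=${STATE:-/var/adm/su_watch.state}              # hypothetical state file

# Print the su lines added to log $1 since the last run.
# State file $2 holds "inode linecount" from the previous run.
new_su_lines() {
    log=$1 state=$2
    [ -r "$log" ] || return 0
    inode=$(ls -i "$log" | awk '{print $1}')
    total=$(wc -l < "$log" | tr -d ' ')
    seen= last=
    [ -r "$state" ] && read seen last < "$state"
    last=${last:-0}
    # A different inode or a shorter file means the log was rotated: re-read it all.
    if [ "$seen" != "$inode" ] || [ "$total" -lt "$last" ]; then last=0; fi
    # Assumed layout: "Mon DD HH:MM:SS host su: ... root ..." (verify on your system).
    awk -v skip="$last" 'NR > skip && / su(\[[0-9]+\])?: / && /root/' "$log"
    echo "$inode $total" > "$state"
}

# Mail the new lines, if any, to address $1 using sendmail as in the post above.
notify() {
    addr=$1
    lines=$(new_su_lines "$LOG" "$STATE")
    [ -n "$lines" ] || return 0
    { echo "Subject: su root on $(hostname)"; echo; echo "$lines"; } | sendmail "$addr"
}

# Only act when an address is given, e.g. from a crontab entry.
if [ $# -ge 1 ]; then notify "$1"; fi
```

Because it reads the log rather than root's profile, it does not depend on su being run with the '-'.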