HPE Community
Operating System - Linux
1753795 Members
6897 Online
108799 Solutions
New Discussion юеВ

Re: SU activity in the SULOG - "+0"

 
Suriah
New Member

тАО06-25-2008 12:07 AM

тАО06-25-2008 12:07 AM

SU activity in the SULOG - "+0"

Hi,
I noticed that in some instances the SULOG contains something like "SU 09/16 10:34 +0 root super".

What does "+0" means?
0 Kudos
Reply
7 REPLIES 7
Dennis Handly
Acclaimed Contributor

тАО06-27-2008 05:18 PM

тАО06-27-2008 05:18 PM

Re: SU activity in the SULOG - "+0"

On HP-UX that "0" field is the tty of who did it. "+" means successful and 0 may be an indicator there was no tty? (HP-UX has "???".)
0 Kudos
Reply
Suriah
New Member

тАО06-29-2008 05:33 PM

тАО06-29-2008 05:33 PM

Re: SU activity in the SULOG - "+0"

Thanks. Does it mean that the SU was triggered by system program or daemon?
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО07-01-2008 01:28 AM

тАО07-01-2008 01:28 AM

Re: SU activity in the SULOG - "+0"

>Does it mean that the SU was triggered by system program or daemon?

I suppose by those too.
But in most cases, cron or at/batch wouldn't have a tty.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО07-01-2008 01:39 AM

тАО07-01-2008 01:39 AM

Re: SU activity in the SULOG - "+0"

Hmm, I just took another look and I see entries with:
+ 14 old-new # done by sudo type command?
+ tty?? old-new # done by cron?
+ ttyq3 old-new

So I'm not sure how that 14 or 0 maps to a tty?
0 Kudos
Reply
Matti_Kurkela
Honored Contributor

тАО07-01-2008 05:26 AM

тАО07-01-2008 05:26 AM

Re: SU activity in the SULOG - "+0"

tty?? means the su command was unable to determine the tty used, probably because there was none (e.g. when a cron job executes the su command).

ttyq3 refers to legacy BSD-style pseudo-TTY /dev/ttyq3.

The plain number might refer to new-style pseudo-TTYs (the number 0 meaning /dev/pts/0, etc...), if your su command shortens the tty name all the way to the right-most slash. In this case, your su command might need a patch.

The su command of my Debian 4.0 workstation outputs /dev/pts/0 as "pts/0" in the su log message. This su command is part of login-4.0.18.1-7_i386.deb package.

MK
MK
0 Kudos
Reply
Suriah
New Member

тАО07-01-2008 05:15 PM

тАО07-01-2008 05:15 PM

Re: SU activity in the SULOG - "+0"

Thanks. In any case, would you guys consider this as a security/audit issue?
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО07-02-2008 04:37 AM

тАО07-02-2008 04:37 AM

Re: SU activity in the SULOG - "+0"

>would you guys consider this as a security/audit issue?

In what way? That you don't have enough detailed info?
You know who did it and when. You just need to track down the login info for that user.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.