System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

SU activity in the SULOG - "+0"

 
Suriah
Occasional Visitor

SU activity in the SULOG - "+0"

Hi,
I noticed that in some instances the SULOG contains something like "SU 09/16 10:34 +0 root super".

What does "+0" means?
7 REPLIES
Dennis Handly
Acclaimed Contributor

Re: SU activity in the SULOG - "+0"

On HP-UX that "0" field is the tty of who did it. "+" means successful and 0 may be an indicator there was no tty? (HP-UX has "???".)
Suriah
Occasional Visitor

Re: SU activity in the SULOG - "+0"

Thanks. Does it mean that the SU was triggered by system program or daemon?
Dennis Handly
Acclaimed Contributor

Re: SU activity in the SULOG - "+0"

>Does it mean that the SU was triggered by system program or daemon?

I suppose by those too.
But in most cases, cron or at/batch wouldn't have a tty.
Dennis Handly
Acclaimed Contributor

Re: SU activity in the SULOG - "+0"

Hmm, I just took another look and I see entries with:
+ 14 old-new # done by sudo type command?
+ tty?? old-new # done by cron?
+ ttyq3 old-new

So I'm not sure how that 14 or 0 maps to a tty?
Matti_Kurkela
Honored Contributor

Re: SU activity in the SULOG - "+0"

tty?? means the su command was unable to determine the tty used, probably because there was none (e.g. when a cron job executes the su command).

ttyq3 refers to legacy BSD-style pseudo-TTY /dev/ttyq3.

The plain number might refer to new-style pseudo-TTYs (the number 0 meaning /dev/pts/0, etc...), if your su command shortens the tty name all the way to the right-most slash. In this case, your su command might need a patch.

The su command of my Debian 4.0 workstation outputs /dev/pts/0 as "pts/0" in the su log message. This su command is part of login-4.0.18.1-7_i386.deb package.

MK
MK
Suriah
Occasional Visitor

Re: SU activity in the SULOG - "+0"

Thanks. In any case, would you guys consider this as a security/audit issue?
Dennis Handly
Acclaimed Contributor

Re: SU activity in the SULOG - "+0"

>would you guys consider this as a security/audit issue?

In what way? That you don't have enough detailed info?
You know who did it and when. You just need to track down the login info for that user.