Operating System - Tru64 Unix

how to know who use su command

 
jousif
Frequent Advisor

how to know who use su command

Hi Admins,
Some users use the su command to become the root user.
I want to know how I can discover these users.
Please advise.
Victor Semaska_3
Esteemed Contributor

Re: how to know who use su command

In order for a user to become root using 'su' they have to be part of the 'system' group.

I guess the easiest way to see who's in the system group is to look in the /etc/group file.

Vic
There are 10 kinds of people, one that understands binary and one that doesn't.
AwadheshPandey
Honored Contributor

Re: how to know who use su command

View the sulog file to see successful attempts of su.

Awadhesh
It's kind of fun to do the impossible
Ivan Ferreira
Honored Contributor

Re: how to know who use su command

Create a file called /var/adm/sialog. This file will log security related records, and the use of su, like this:

Successful authentication for su from root to ferreiri
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
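
An added example, not part of the original post: a shell function that summarises who switched to which account from records like the one quoted above. Only the message text "Successful authentication for su from A to B" comes from the thread; the function names, the sample lines, and the accounts jsmith and adoe are constructed for illustration.

```shell
#!/bin/sh
# Summarise su transitions found in a log file containing the message text
# quoted in the thread. Anything preceding the message on a line is ignored.

# su_summary FILE [TARGET]   (hypothetical helper name)
# Prints "count from to" per from/to pair, most frequent first.
# With TARGET given (e.g. root), only transitions to that account are listed.
su_summary() {
    awk -v target="${2:-}" '
        {
            msg = "Successful authentication for su from "
            i = index($0, msg)
            if (i == 0) next                  # not an su success record
            rest = substr($0, i + length(msg))
            n = split(rest, f, " ")
            # Expect "<from> to <to>"; skip truncated or malformed records.
            if (n < 3 || f[2] != "to") next
            if (target != "" && f[3] != target) next
            count[f[1] " " f[3]]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample input; only the first line is taken from the thread.
sample_log() {
    cat <<'EOF'
Successful authentication for su from root to ferreiri
Successful authentication for su from jsmith to root
Successful authentication for su from jsmith to root
Successful authentication for su from adoe to root
Successful authentication for su from adoe to
some unrelated record
EOF
}

# Demo: list only the accounts that became root in the sample.
demo() {
    tmp=${TMPDIR:-/tmp}/sialog.sample.$$
    sample_log > "$tmp"
    su_summary "$tmp" root
    rm -f "$tmp"
}
demo
```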
Ann Majeske
Honored Contributor

Re: how to know who use su command

The sialog file is designed for temporary use in debugging sia problems, it is not designed for long term use as an auditing tool. Leaving the sialog running for long periods can cause serious problems on your system including performance problems with logins, filling up the /var filesystem, and potential system hangs.

To audit the use of the su command you can use the audit subsystem. See the Security Administration manual for information on the audit subsystem.

Ann Majeske
Deb Kenney
New Member

Re: how to know who use su command

You could always check out the /var/adm/syslog.dated/current/auth.log file.
Ivan Ferreira
Honored Contributor

Re: how to know who use su command

The sialog file won't be a problem, we use that, and we use the /usr/lbin/logclean command to rotate the file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ann Majeske
Honored Contributor

Re: how to know who use su command

Ivan,

Just because you haven't had any problems using sialog all the time (that you have been able to attribute to using sialog), doesn't mean that everyone can use sialog all the time. I have seen examples of all the problems that I listed on systems with the sialog left enabled for long periods of time.

The sialog was designed to only be used short term to diagnose sia related problems. I was on the development team, I talked to the people who developed it. It was a documentation error in the man page that this restriction was not clearly stated in the man page as originally written.

Ann
Ivan Ferreira
Honored Contributor

Re: how to know who use su command

Ann Majeske, thanks for the information. I did not read that in the security manual. But are su operations logged anywhere else? We have everything in debug mode in syslog but it does not work.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ann Majeske
Honored Contributor

Re: how to know who use su command

Ivan,

As I stated in my previous reply, you can use the Audit subsystem to audit the use of the su command. See the Security Administration manual for more information.

Ann