
Re: su logs

 
Md. Farhan A Azam
Trusted Contributor

su logs

Hi Gurus,

I can get all su IDs from syslog.log, but can you please tell me where we can check the commands executed by a user who has done su from a normal user ID to root?

OS - 11.11
Server - SD32A, RP4440, RP3440

thnx...farhan
10 REPLIES
Jeeshan
Honored Contributor

Re: su logs

You can find the su log from /var/adm/sulog.

Normally you can see the .sh_history file to see what is executed by the user at that time.
a warrior never quits
Basheer_2
Trusted Contributor

Re: su logs

Yes,

Ahsan is right.

This is what I used to do.
We also modify the user's .profile and name the history file with the date and time stamp.
Each time the user logs in, all the commands are logged into that file (which has date-time stamps).

The drawback of this is that too many files are created. For example, if the user logs in and logs out 100 times, there are 100 files created.

If you go this route, then you may need to cron this to get rid of these files.

Let me know if you need the profile; I will cut and paste it.
Suraj K Sankari
Honored Contributor

Re: su logs

Hi,
From syslog.log you can find out which user is using the "su" command.

>>from where we can check that commands executed by the user

Go to that user's home directory and check the .sh_history file; there you can find the commands.

Suraj
Dennis Handly
Acclaimed Contributor

Re: su logs

>where we can check that commands executed by the user who has done su from normal userid to root.

You can't accurately do this. If the user does "su -", you could look at root's history file but the user could erase it. If no "-", again the user could erase his history.

One suggestion is to use sudo for "each" command so they are all logged.
Md. Farhan A Azam
Trusted Contributor

Re: su logs

Hi Gurus,

I checked in .sh_history, but the command which I am executing is not getting logged in history.

thnx...farhan
Dennis Handly
Acclaimed Contributor

Re: su logs

>I checked in .sh_history,

Which su(1) option did you use, "-"?
Which .sh_history? What does "echo $HISTFILE" show once you su?

This is why this isn't accurate.
Md. Farhan A Azam
Trusted Contributor

Re: su logs

Hi Dennis,

I use "su -", and it is getting logged in sulog, but the other commands which I am executing (i.e. top, bdf) are not getting logged in .sh_history of root.


thnx...farhan
Md. Farhan A Azam
Trusted Contributor

Re: su logs

echo $HISTFILE

It shows:
# echo $HISTFILE
sh: HISTFILE: Parameter not set.
#
#
# echo $ HISTFILE
$ HISTFILE
#

thnx...farhan
Dennis Handly
Acclaimed Contributor
Solution

Re: su logs

># echo $HISTFILE
>sh: HISTFILE: Parameter not set.

Since root doesn't have a history file, nothing will be logged. You must set HISTFILE in your .profile.
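
The accepted answer (set HISTFILE in root's .profile) combined with the per-session, date-stamped history file described earlier in the thread, as an added example that is not code posted by any participant. The directory /var/adm/roothist, the file-name layout and the function names are assumptions of this example; as noted in the thread, a user who becomes root can still erase the file, so it is a convenience record rather than an audit trail.

```sh
# Fragment for root's .profile on a POSIX/Korn-style shell.
# HIST_DIR, the file-name layout and the function names are assumptions of
# this example, not values from the thread.
HIST_DIR=${HIST_DIR:-/var/adm/roothist}

# Print a history-file path unique to this session: <login>.<date-time>.<pid>
session_histfile() {
    # logname reports the original login even after "su -"; fall back to the
    # current user name when there is no controlling terminal.
    who=$(logname 2>/dev/null) || who=$(id -un 2>/dev/null) || who=unknown
    printf '%s/%s.%s.%s\n' "$1" "$who" "$(date +%Y%m%d-%H%M%S)" "$$"
}

# Create the directory and file accessible by the owner only, then point the
# shell's history at the file. Returns non-zero if the directory is unusable.
start_session_history() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    HISTFILE=$(session_histfile "$1")
    : > "$HISTFILE" && chmod 600 "$HISTFILE" || return 1
    HISTSIZE=5000
    export HISTFILE HISTSIZE
}

# Housekeeping for cron: delete session files older than $2 days.
prune_session_history() {
    find "$1" -type f -mtime +"$2" -exec rm -f {} \;
}

# Only interactive shells keep history, so do nothing for scripts.
case $- in
    *i*) start_session_history "$HIST_DIR" ;;
esac
```

After the next "su -", "echo $HISTFILE" should print a path under the chosen directory instead of "Parameter not set".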