09-27-2004 07:23 AM
Auditing only when user does sudo su - or sudo su -o loginname
We need to activate auditing on all our HP-UX 11i systems and wish to start auditing users only when they issue a sudo su - or sudo su - loginname.
Example:
me@hphost: sudo su - oracle
or
me@hphost: sudo su -
I want to log everything only from this point until the user exits and goes back to his prompt.
Is that possible? If so, how?
Regards,
09-27-2004 07:29 AM
Re: Auditing only when user does sudo su - or sudo su -o loginname
Auditing doesn't really provide much flexibility. You have to work around it to get what you want.
In this case what I would do is:
1. Make the 'oracle' account su'able only.
2. Enable auditing, but audit only the user 'oracle'.
This way all the activity of oracle will be tracked. Even if you don't make it 'su'able only', auditing will be limited to only that user. If you want to grab the data only for the su'ed oracle sessions, then you can get the tty from /var/adm/sulog and filter out the entries corresponding to it using 'audisp -u oracle -l
-Sri
09-28-2004 12:02 AM
Re: Auditing only when user does sudo su - or sudo su -o loginname
Thinking about this issue again, I think I should focus on the su command, which is the key.
What we need exactly is that any user is monitored by audit as soon as they issue the su command:
su -
su - oracle
su - anyuser (because we have many application-related login names)
So the perfect solution would be that as soon as the su command is invoked, everything from this point on is audited.
But I honestly doubt that this 'perfect' solution is feasible.
Can HP-UX auditing be tweaked to do this? How?
Do you know something (a product) that would do this job?
Regards,
09-28-2004 01:36 AM
Re: Auditing only when user does sudo su - or sudo su -o loginname
We can do this as follows:
1> Move the original su binary /usr/bin/su to /usr/bin/suorg (nobody has to know this here :-) or some unknown name such as super or stepuser).
2> Make a script that acts as the su binary and executes the renamed binary with the options passed to it.
3> You can enable monitoring there with the script command, as in
.....
script -qa /tmp/logfile.$LOGNAME
/usr/bin/suorg "$@" | sh
...
You can monitor everything here.
It will be helpful to log everything in order to monitor effectively.
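The reply above writes the session log to /tmp, which the su'ing user (and everyone else) can read, truncate or replace with a symlink. The following pre-flight checks are an added example, not the poster's script: before the wrapper starts recording, they verify that the log directory is a real directory owned by the expected account and writable by nobody else, then create a per-session log file with owner-only permissions. The directory /var/adm/sulogs and the function names are assumptions of this example; the checks use ls -ld rather than stat(1), since HP-UX has no stat(1).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a su-wrapper's
# session log. Assumes the wrapper runs as root (for instance via sudo) and
# that SULOG_DIR is a root-owned directory; the default path is hypothetical.

SULOG_DIR=${SULOG_DIR:-/var/adm/sulogs}

# check_log_dir DIR OWNER
# Succeed only if DIR is a real directory (not a symlink), owned by OWNER,
# and not writable by group or others. Parses ls -ld because HP-UX has no
# stat(1); field 1 is the mode string, field 3 the owner.
check_log_dir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "check_log_dir: $dir is not a directory" >&2; return 1; }
    [ -h "$dir" ] && { echo "check_log_dir: $dir is a symlink" >&2; return 1; }
    set -- $(ls -ld "$dir")
    mode=$1; dirowner=$3
    [ "$dirowner" = "$owner" ] || {
        echo "check_log_dir: $dir is owned by $dirowner, expected $owner" >&2
        return 1
    }
    gw=$(printf '%s\n' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s\n' "$mode" | cut -c9)   # other write bit
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "check_log_dir: $dir is group- or world-writable ($mode)" >&2
        return 1
    fi
    return 0
}

# session_log_path DIR CALLER
# Create a per-session log named after the calling login, a timestamp and
# the wrapper's PID, with mode 0600, and print its path. The file is created
# before privileges change hands, so the target account of the su cannot
# read or truncate its own session record.
session_log_path() {
    dir=$1; caller=$2
    log="$dir/su.$caller.$(date +%Y%m%d%H%M%S).$$"
    ( umask 077 && : > "$log" ) || return 1
    printf '%s\n' "$log"
}

# start_recording LOG
# Hand the terminal to script(1), appending to LOG, exactly as the reply
# above does; everything typed until the recorded shell exits is captured.
start_recording() {
    exec script -qa "$1"
}
```

A wrapper would call check_log_dir "$SULOG_DIR" root, then LOG=$(session_log_path "$SULOG_DIR" "$LOGNAME"), and only then start_recording "$LOG"; if either check fails it should refuse to continue rather than fall back to /tmp, since a log the audited user can edit is worth less than no log at all.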
09-28-2004 02:24 AM
Re: Auditing only when user does sudo su - or sudo su -o loginname
09-28-2004 08:26 AM
Re: Auditing only when user does sudo su - or sudo su -o loginname
I am not positive about restricting auditing to start only after the 'su' command. You can control auditing with two variables - events (and system calls) and users. I don't think you will get many combinations of them that are enough for what you want.
The best possible solution in my view is to enable auditing for only selected users. Let it record all the activity. You can always filter out what you want using the 'audisp' command. Your best bet is to use a combination of the 'user' and 'tty' options of 'audisp' after obtaining the information from sulog.
I worked on SeOS (now eTrust Access Control), which can do miracles for you. Basically you put the 'script' statement in their 'readonly profile' (or in /etc/profile) and redirect the output to a secured location. You can control access to any file using SeOS so that the user will not be able to read/edit his/her profile, as well as the script output file, through regular commands, even though he is the owner of the file. Or, modify /etc/profile (csh.login) to run 'script' only for the su'ing users. Review the 'script logs' periodically.
-Sri
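Both of Sri's replies come down to the same workflow: audit the target account, then use /var/adm/sulog to find the tty of each su session and narrow audisp down to that user and tty. The block below is an added example, not code from the thread, that does the sulog half of that with a small awk filter. The sample lines are constructed in the HP-UX sulog layout (SU MM/DD hh:mm, a + for success or - for failure, the tty, then caller-target); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): extract the ttys of successful su
# sessions to a given account from a sulog, so they can be fed one at a time
# to 'audisp -u <user> -l <tty>' as described above.

# Constructed sample in the HP-UX sulog layout; the real file is /var/adm/sulog.
SAMPLE_SULOG='SU 09/27 07:23 + pts/1 me-oracle
SU 09/27 07:25 - pts/2 bob-oracle
SU 09/27 07:26 + pts/2 bob-oracle
SU 09/27 08:10 + pts/3 me-root
SU 09/27 08:12 + console root-oracle
junk line that should be ignored'

# su_sessions TARGET [FILE]
# Print "MM/DD hh:mm tty caller" for every successful su to TARGET.
# Reads FILE, or stdin when FILE is omitted. Failed attempts ('-') and
# malformed lines are skipped. The caller-target field is split at its last
# dash, so a caller name containing a dash still parses.
su_sessions() {
    target=$1
    awk -v target="$target" '
        $1 == "SU" && $4 == "+" && NF == 6 && match($6, /-[^-]*$/) {
            caller = substr($6, 1, RSTART - 1)
            tgt    = substr($6, RSTART + 1)
            if (tgt == target)
                print $2, $3, $5, caller
        }' ${2:+"$2"}
}

# su_ttys TARGET [FILE]
# The unique ttys from su_sessions, one per line, in first-seen order:
# these are the values to hand to the -l option of audisp.
su_ttys() {
    su_sessions "$1" ${2:+"$2"} | awk '!seen[$3]++ { print $3 }'
}

# failed_su_attempts [FILE]
# Count of failed su attempts; worth reporting separately, since a burst of
# '-' lines against an application account is itself a signal.
failed_su_attempts() {
    awk '$1 == "SU" && $4 == "-" { n++ } END { print n + 0 }' ${1:+"$1"}
}
```

Run against the real file with su_ttys oracle /var/adm/sulog, then loop over the result to call audisp for each tty; note that sulog only carries month and day, so on a long-lived system the time window (audisp's start and stop time options) has to come from the audit file's own date range rather than from sulog.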
09-29-2004 01:13 AM
Re: Auditing only when user does sudo su - or sudo su -o loginname
I'm getting very close to the solution;
I wrote a small perl script that will call /usr/bin/su after doing a script command to log everything.
The line that initiates this is...
system("script -a $LOGFILENAME | /usr/bin/su $P0 $P1 | /usr/bin/ksh");
09-29-2004 01:18 AM
Re: Auditing only when user does sudo su - or sudo su -o loginname
I'm getting very close to the solution;
I wrote a small perl script that will call /usr/bin/su after doing a script command to log everything.
The line that initiates this is...
system("script -a $LOGFILENAME | /usr/bin/su $P0 $P1");
where $P0 and $P1 are parameters that are passed by the user.
Example: newsu - oracle
$P0 = -
$P1 = oracle
It prompts for the password but.... freezes there...
Any hints???
Regards,
10-17-2004 10:09 AM
Re: Auditing only when user does sudo su - or sudo su -o loginname
Have a look at http://sourceforge.net/projects/rootsh/
It is a wrapper for a shell which logs every input and output between the calling user's terminal and the shell into a logfile and optionally to a syslog server.
I wrote it because we have some power users or project users who sometimes need root privileges when they install and maintain their software.
"sudo -s", which was formerly used, did not provide enough information about the users' actions.
Now they call "sudo rootsh" and we have a record of all their keystrokes on a separate syslog server.
In your case, you could let users call rootsh as user oracle via a runas spec in /etc/sudoers
me hphost = (oracle) /bin/rootsh
then call "sudo -u oracle rootsh"
We use rootsh heavily at a Bavarian car manufacturer, also with HP-UX. In the contrib/hpux directory I put info on how to build an HP software package.
There is also a screenshot at http://freshmeat.net/projects/rootsh/
Please let me know if rootsh is of any use for you.
Greetings from Munich,
Gerhard Lausser