Capturing su bandits

Chris_226
Occasional Contributor

Hello,
I am an application admin for my company and I am trying to find out how I can modify a HP-UX Unix account to capture "su" logging. I am interested in knowing how an SA would enable su logging when a user uses "su -" but also, I am trying to find out how to capture su logging when a user uses "su" only.

I am wanting this because I have an application account that uses tcsh and someone keeps disabling the account by using the wrong password. I don't want to bog down my SA with doing the leg-work, so I am researching it myself.

Any ideas?

One idea a co-worker mentioned was to modify the .cshrc so that when a user su's to an account using only "su" a log file captures their user ID. I have no idea how to do that.

Thanks for your time. Have a great day...
Greenhorn
Michael Tully
Honored Contributor
Solution

Re: Capturing su bandits

Hi,

Each attempt to 'su' or 'su -' is captured in the '/var/adm/sulog' file. The attempts that have been successful are highlighted with a '+' and those unsuccessful with a '-'. You can also look in the /var/adm/syslog/syslog.log file.

Below is a quick one-liner argument that you could use. I've used 'root' as my example, you could change this to your application account, and even run it periodically from cron.

cat /var/adm/sulog | awk '$4 == "-" {print $0}' | grep 'root$'


HTH
Michael
Anyone for a Mutiny ?
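The one-liner above filters on a single account. As an added example (not code from this thread), here is a small POSIX shell script that does the same job over a sulog-style file and also tallies the failed attempts per originating user, which is what you need to find the "bandit". It assumes the HP-UX sulog line layout implied by the reply (SU MM/DD HH:MM [+|-] tty from-to) and works on a constructed sample file rather than the real /var/adm/sulog, so it runs anywhere; point it at the real file once your SA grants read access.

```shell
#!/bin/sh
# Added example: summarise failed 'su' attempts to one account from a
# /var/adm/sulog-style file. Assumed line layout (as described in the reply):
#   SU MM/DD HH:MM [+|-] tty from-to
# Field 4 is '+' for success and '-' for failure; field 6 is "fromuser-toacct".

# Constructed sample log standing in for /var/adm/sulog.
SAMPLE_SULOG=$(mktemp)
trap 'rm -f "$SAMPLE_SULOG"' EXIT
cat > "$SAMPLE_SULOG" <<'EOF'
SU 03/12 08:15 + pts/1 chris-appacct
SU 03/12 09:02 - pts/4 bob-appacct
SU 03/12 09:03 - pts/4 bob-appacct
SU 03/12 09:05 + pts/4 bob-appacct
SU 03/12 11:40 - pts/2 alice-root
SU 03/13 07:58 - pts/7 alice-appacct
EOF

# Print every failed attempt to account $2 found in sulog file $1.
# The target is matched as the exact "-acct" suffix of field 6, so no
# regex escaping of the account name is needed.
failed_su() {
    awk -v acct="$2" '
        $4 == "-" {
            n = length($6) - length(acct)
            if (n > 1 && substr($6, n) == "-" acct) print
        }' "$1"
}

# Count failed attempts to account $2, one "user count" line per source user.
failed_su_by_user() {
    awk -v acct="$2" '
        $4 == "-" {
            n = length($6) - length(acct)
            if (n > 1 && substr($6, n) == "-" acct)
                tally[substr($6, 1, n - 1)]++
        }
        END { for (u in tally) printf "%s %d\n", u, tally[u] }' "$1" | sort
}

# Total number of failed attempts to account $2 (handy for a cron alert).
failed_su_count() {
    failed_su "$1" "$2" | wc -l | tr -d ' '
}

# Usage on the sample: who keeps failing to su to appacct?
failed_su_by_user "$SAMPLE_SULOG" appacct
```

Run daily from cron against the real file (for example `failed_su_by_user /var/adm/sulog appacct`) and mail the output; a non-zero `failed_su_count` is the condition worth alerting on, since on a Trusted system enough of these is what disables the account.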
Chris_226
Occasional Contributor

Re: Capturing su bandits

That looks like great advice. I will have to notify my SA, since I don't have permission to view the /var/adm/sulog as it stands.

Is there something that can be enabled on the user side to capture su information or is the best and only solution through the "sulog"?

(Maybe I can convince my SA to parse out a report for me about my "problematic" account)

Thanks again.
Greenhorn
Bill Hassell
Honored Contributor

Re: Capturing su bandits

Check if you have the file /var/adm/btmp (older HP-UX versions did not have this file by default). If that file is available, then use the command lastb to read it. Suppose the application account is called apacct:

lastb -R apacct

which will show all failed logins WITH the terminal ID too. If the terminal is a telnet session, it will show the user's IP address or hostname. NOTE: if btmp is not readable by you, the sysadmin will have to run this command for you. Since a disabled account implies a Trusted system, the sysadmin can simply look at the account's status and see the details of when it was disabled.


Bill Hassell, sysadmin
Chris_226
Occasional Contributor

Re: Capturing su bandits

Excellent. I will have (beg) the SA run the command for me. I am sure it will be a fun experiment for the both of us.

Thanks a million, again.
Greenhorn
Bill Hassell
Honored Contributor

Re: Capturing su bandits

Beg? Normally, any sysadmin would want to know every day about accounts that have become disabled, since that is one of the first signs of a security problem. I always run a cron job daily that summarizes all disabled accounts. There is a -v option that also shows accounts that were disabled prior to converting to Trusted (typically these are service accounts like bin and sys, etc). The command /usr/lbin/getprpw is quite useful to decode all the pertinent info. You'll need the man page from an 11i system or from http://docs.hp.com


Bill Hassell, sysadmin