Re: count root disable

Jairo Campana
Trusted Contributor

count root disable

Hello, my system is in trusted mode and, with the system security policies, somebody disabled the root account.
How can I find out who it was?


$ su - root
Password:
Account is disabled - see Account Administrator
su: Sorry

legionx
Patrick Wallek
Honored Contributor
Solution

Re: count root disable

Once you get root's account re-enabled you can do a:

# lastb -R | grep root

This will tell you what host (IP address) the login attempt to root came from. From there you can hopefully trace that back to a workstation and figure out who it was.
Timothy Czarnik
Esteemed Contributor

Re: count root disable

Jairo,

This could have been caused by someone trying to log in as root more than the allowed number of times. Regardless, you should be able to log in as root at the system console. Give that a shot. Once in, you can take a look at root's history file (.sh_history normally, but not necessarily), use the last command to see who had logged in recently, check the /var/adm/syslog/syslog.log to see who used the su command to become root.

-Tim
Hey! Who turned out the lights!
Sridhar Bhaskarla
Honored Contributor

Re: count root disable

This could be due to either telnet logins or su attempts.

First enable root doing a modprpw -k in single user mode.

Later do an audit

For telnet logins

lastb -R |grep root

And find the third column of IP Address/Hostname

For su attempts

Try /var/adm/sulog and look for "-" signs. You will also get it from /var/adm/syslog/syslog.log:

grep root /var/adm/syslog/syslog.log | grep su and look for the "-" sign.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
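Added example, not from any poster in this thread: a small Python script that does the sulog audit described above over constructed sample lines. It assumes the HP-UX sulog layout "SU MM/DD HH:MM +|- tty fromuser-touser" and counts failed ("-") su attempts to root per source user and tty, so the entries that match a lockout pattern stand out.

```python
import re
from collections import Counter

# Constructed sample of /var/adm/sulog lines (not real data from the thread).
# Assumed layout: SU MM/DD HH:MM +|- tty fromuser-touser
SAMPLE_SULOG = """\
SU 06/28 09:12 + pts/1 jdoe-root
SU 06/28 09:15 - pts/3 asmith-root
SU 06/28 09:16 - pts/3 asmith-root
SU 06/28 09:16 - pts/3 asmith-root
SU 06/28 09:17 - pts/3 asmith-root
SU 06/28 11:40 + console root-oracle
SU 06/28 13:02 - pts/7 bjones-root
"""

SULOG_RE = re.compile(
    r"^SU\s+(?P<date>\d\d/\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<result>[+-])\s+"
    r"(?P<tty>\S+)\s+(?P<src>[^-\s]+)-(?P<dst>\S+)$"
)


def parse_sulog(text):
    """Yield one dict per well-formed sulog line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def failed_su_to(text, target="root"):
    """Count failed ('-') su attempts to `target`, keyed by (source user, tty)."""
    counts = Counter()
    for rec in parse_sulog(text):
        if rec["result"] == "-" and rec["dst"] == target:
            counts[(rec["src"], rec["tty"])] += 1
    return counts


def suspects(text, target="root", threshold=3):
    """Return (src, tty) pairs whose failed attempts reach the lockout threshold."""
    return sorted(k for k, n in failed_su_to(text, target).items() if n >= threshold)


if __name__ == "__main__":
    # Replace SAMPLE_SULOG with open("/var/adm/sulog").read() on a real system.
    for (src, tty), n in failed_su_to(SAMPLE_SULOG).items():
        print(f"{src:10s} {tty:8s} failed su to root: {n}")
    print("suspects:", suspects(SAMPLE_SULOG))
```

The same idea applies to the syslog grep in the post: filter for su lines, then count the failures per source rather than reading them one by one.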
Jeff Machols
Esteemed Contributor

Re: count root disable

To fix the problem you can run /usr/lbin/modprpw -k -l root, but follow the above suggestions to find out why the account was disabled.
Bill Hassell
Honored Contributor

Re: count root disable

Just a matter of policy but it sure simplifies these types of problems: you do have less than 3 people with the root password, right? In that case, just ask them what happened. For systems with more than 3 or 4 sysadmins, I would expect general chaos to be the result unless very strict rules are followed concerning communication.

Another rule is: never login as root unless there is no other way to accomplish the task. If there is no choice, read the first rule again...most of the 'oops' mistakes by sysadmins are due to casual usage of the root account.

FYI: last and lastb both have methods to filter out a user name:

# lastb -R -20 root

for example.


Bill Hassell, sysadmin