HPE Community
Operating System - HP-UX
1833704 Members
2598 Online
110062 Solutions
New Discussion

Detecting users who have "su"ed to root.

 
Dale Barnes
Advisor

‎12-01-2000 11:29 AM

‎12-01-2000 11:29 AM

Detecting users who have "su"ed to root.

When a user performs an su to root, who does not show this since apparently the su does not modify the utmp file. I am looking for an easy way to identify any and all users who have su'ed to root. I know of a tedious way; executing a 'ps -eH -o pid -o ppid -o user' allows one to trace down an detect if a user has a subshell which is owned by root. This, however, is tedious. I am looking for a simpler way.
"I try to avoid experience; most experience is bad." - Wilde
0 Kudos
Reply
7 REPLIES 7
Rita C Workman
Honored Contributor

‎12-01-2000 11:39 AM

‎12-01-2000 11:39 AM

Re: Detecting users who have "su"ed to root.

Here's a couple tips:
Under /var/adm is sulog...and it shows everyone who did a su

Now under my /var/adm/syslog/syslog.log I also see whenever anyone does a su.....So I do a little script occassionally on this or sulog to check it-example:

cat /var/adm/sulog | grep root$

It looks to see for any line ending in root.....which would mean someone su-d to root...

Regards,
0 Kudos
Reply
Kofi ARTHIABAH
Honored Contributor

‎12-01-2000 11:42 AM

‎12-01-2000 11:42 AM

Re: Detecting users who have "su"ed to root.

Would the file /var/adm/sulog help you? it lists who has used the su command to become who... ie. user to root, root to other users, other users to other users... with timestamps...
nothing wrong with me that a few lines of code cannot fix!
0 Kudos
Reply
Maureen Gunkel
Trusted Contributor

‎12-01-2000 11:42 AM

‎12-01-2000 11:42 AM

Re: Detecting users who have "su"ed to root.

Paul:
There should be a log file in /var/adm called sulog, that might help you.
HTH
Maureen
No matter where you go, there you are.
0 Kudos
Reply
Rick Garland
Honored Contributor

‎12-01-2000 11:49 AM

‎12-01-2000 11:49 AM

Re: Detecting users who have "su"ed to root.

The sulog file will give the details you are looking for
who - what - when
0 Kudos
Reply
Dale Barnes
Advisor

‎12-01-2000 12:09 PM

‎12-01-2000 12:09 PM

Re: Detecting users who have "su"ed to root.

Yes, thanks. I am aware of the sulog file. What I was looking for is an easy to way to ascertain who is CURRENTLY su'ed to root. The sulog will show me who has su'ed to root. The sulog file will have that entry but will not tell me if the user is still logged in to root.
"I try to avoid experience; most experience is bad." - Wilde
0 Kudos
Reply
Paula J Frazer-Campbell
Honored Contributor

‎12-02-2000 09:54 AM

‎12-02-2000 09:54 AM

Re: Detecting users who have "su"ed to root.

Hi Paul

You have a security situation / disaster brewing if your users can su to root ? users will quite happily type rm ?R * and forget where they are and the fact that they are su-ed to root.

If users must have root permissions to carry out certain tasks then you can set them up in restricted SAM or download and install SUDO, which will allow you to set the su commands that a user can run.

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/sudo-1.6.2b1/

Basically give your users just enough and no more.

Paula
If you can spell SysAdmin then you is one - anon
0 Kudos
Reply
Rhonda Thorne
Frequent Advisor

‎12-03-2000 10:55 AM

‎12-03-2000 10:55 AM

Re: Detecting users who have "su"ed to root.

Here is a script I have written and run through cron that shows me all users that have su'd to root ( successful or not). I then mailx it to my exchange account.

echo "Here are the su to root list for yesterday" >> /tmp/sec.list
grep `date +%m/%d` /var/adm/sulog|grep -e "-root" >> /tmp/sec.list
mailx -s "su list" sysadmin2 < /tmp/sec.list
rm /tmp/sec.list
~

Rhonda
Sharing my knowledge of UNIX flavors
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.