HPE Community
Operating System - HP-UX
1833758 Members
2259 Online
110063 Solutions
New Discussion

modify systems "su" for monitoring reasons?

 
SOLVED
Go to solution
Manuel Contreras
Regular Advisor

‎02-16-2005 08:09 AM

‎02-16-2005 08:09 AM

modify systems "su" for monitoring reasons?

I received a request to capture additional info from every su command on a system.

I initially started thinking of the following script, which appeared to work fine until I started looking at crontab entries...

---------------------------------------------------
#!/bin/sh
#the production su is moved to su.hp
#this script takes it's place, and is initiated when an su is called.
#user/requestor information will be captured each time it is initiated.

fileD=`date '+%b%d-%Y'`

if test $2
then
echo "at `date '+%b%d-%Y %H':'%M'` the following user initiated the su command :" >> /root/Security/$fileD-SU.log
echo "`id`" >> /root/Security/$fileD-SU.log
echo "command = su $1 $2" >> /root/Security/$fileD-SU.log
echo "" >> /root/Security/$fileD-SU.log
/usr/bin/su.hp $1 $2
exit
fi

if test $1
then
echo "at `date '+%b%d-%Y %H':'%M'` the following user initiated the su command :" >> /root/Security/$fileD-SU.log
echo "`id`" >> /root/Security/$fileD-SU.log
echo "command = su $1" >> /root/Security/$fileD-SU.log
echo "" >> /root/Security/$fileD-SU.log
/usr/bin/su.hp $1
exit
fi

echo "at `date '+%b%d-%Y %H':'%M'` the following user initiated the su command :" >> /root/Security/$fileD-SU.log
echo "`id`" >> /root/Security/$fileD-SU.log
echo "command = su " >> /root/Security/$fileD-SU.log
echo "" >> /root/Security/$fileD-SU.log
/usr/bin/su.hp
exit
------------------------------------------------


I would like some input on changes that would accommodate su requests like the following:

/usr/bin/su -c user "/home/is/user/scripts/daily.sh" > /apps/is/user/logs/daily.log 2>&1

or

/usr/bin/su -c user /home/is/user/scripts/daily.sh > /apps/is/user/logs/daily.log 2>&1

my system is NOT trusted, and I am beginning to think that implementing this to track additional info may NOT be the best way to accomplish this...

your input is appreciated,
manuel
0 Kudos
Reply
7 REPLIES 7
Patrick Wallek
Honored Contributor

‎02-16-2005 08:20 AM

‎02-16-2005 08:20 AM

Re: modify systems "su" for monitoring reasons?

For what you want to do, I'd look at using SUDO instead. It has built in logging and it can log to syslog.log or a different log file.

http://www.courtesan.com/sudo
0 Kudos
Reply
RAC_1
Honored Contributor

‎02-16-2005 08:20 AM

‎02-16-2005 08:20 AM

Solution

Re: modify systems "su" for monitoring reasons?

How about modifying the script as follows.

if [[ $# -gt o ]]
then
arg_list=$*
echo "at `date '+%b%d-%Y %H':'%M'` the following user initiated the su command :" >> /root/Security/$fileD-SU.log
echo "`id`" >> /root/Security/$fileD-SU.log
echo "command = su $1 $2" >> /root/Security/$fileD-SU.log
echo "" >> /root/Security/$fileD-SU.log
/usr/bin/su.hp $*
exit
fi

if [[ $0 = "su" ]]
then
echo "at `date '+%b%d-%Y %H':'%M'` the following user initiated the su command :" >> /root/Security/$fileD-SU.log
echo "`id`" >> /root/Security/$fileD-SU.log
echo "command = su $1 $2" >> /root/Security/$fileD-SU.log
echo "" >> /root/Security/$fileD-SU.log
/usr/bin/su.hp
exit
fi

Anil
There is no substitute to HARDWORK
Reply
Manuel Contreras
Regular Advisor

‎02-16-2005 08:46 AM

‎02-16-2005 08:46 AM

Re: modify systems "su" for monitoring reasons?

Anil,
Sweet...after a quick "o" change your idea is looking quite promising :)


Patrick,
Sudo is quite the life saver, has helped me a great deal w/providing access to support personnel.
Highly recommended...


I guess additional su monitoring is common in non-trusted envs?

thanks for the input,
manuel
0 Kudos
Reply
Patrick Wallek
Honored Contributor

‎02-16-2005 08:48 AM

‎02-16-2005 08:48 AM

Re: modify systems "su" for monitoring reasons?

Make absolutely sure you have a backup of your modified su somewhere.

IF/WHEN you install patches, and if/when a patch happens to modify 'su', then your modified su script will be overwritten by the patched su. If you forget and don't check after EVERY patch install, then the information you require will not get logged.

I don't like replacing system executables for exactly that reason.
0 Kudos
Reply
Manuel Contreras
Regular Advisor

‎02-16-2005 08:56 AM

‎02-16-2005 08:56 AM

Re: modify systems "su" for monitoring reasons?

Already done, for exactly that reason...good look'n out!

manuel
0 Kudos
Reply
Florian Heigl (new acc)
Honored Contributor

‎02-16-2005 09:53 AM

‎02-16-2005 09:53 AM

Re: modify systems "su" for monitoring reasons?

manuel,

at one site they also ran a modified version of su, and from my experience there I can just say You're right about that this is a less-than-optimal way.

usually, every su to root generates a syslog entry anyway, so You might be better off dedicating a cheap (but raid-supporting) pc box as a central loghost with no external access.

also, using a trusted system will pay off in the long term, unless You find the process of writing a wrapper script about everything that out to be monitored very intriguing :)
yesterday I stood at the edge. Today I'm one step ahead.
0 Kudos
Reply
Mic V.
Esteemed Contributor

‎02-16-2005 03:54 PM

‎02-16-2005 03:54 PM

Re: modify systems "su" for monitoring reasons?

I'd also suggest sudo. I've used it for a long time and found it very valuable. I've also used restricted SAM to give certain people certain tasks (I wrote my own stuff for SAM to call).

If it's been requested to track su work because problems are occurring, perhaps a non-technical solution is in order. What I'm wondering is "why monitor now?" If it's because people are su'ing and not cooperating nicely, perhaps management needs to get together and work out the problem -- in addition to something like sudo or your script.

Just my $.02.

Mic
What kind of a name is 'Wolverine'?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.