SU_ROOT_GROUP and logging
07-18-2003 10:58 AM
HPUX 11.00
L2000
I am finding that the /etc/default/security file is working (to some extent) on 11.00 non-trusted. Am using the SU_ROOT_GROUP variable and it is functioning.
But is there a logging facility somewhere that shows failed attempts by non-group members to become root? The sulog will show successes but what about the failures? The non-group user would receive the "not a member of the SU_ROOT_GROUP" message but is there a log file that captures this info - to see who tried and when?
At this stage I would definitely say that SUDO has much better logging.
07-18-2003 11:04 AM
Solution
To the best of my knowledge, that information is not logged. The security file covers several different aspects of "security" from minimum password length to number of logins allowed. Some of these obviously don't lend themselves to logging and there seems to have been no attempt to incorporate a logging facility for those few that lend themselves to it.
I would have to agree with your assessment of SUDO logging.
Pete
07-18-2003 11:09 AM
Re: SU_ROOT_GROUP and logging
+ sign indicates successful and - sign is failed su logs in sulog.
-USA..
07-18-2003 11:12 AM
Re: SU_ROOT_GROUP and logging
By default all su attempts are logged into the standard /var/adm/syslog/syslog.log
Successful attempts look like
Jul 18 08:53:02 hostname su: + tc user1-root
Unsuccessful attempts like
Jul 18 08:53:08 hostname su: - td user1-root
Note that the terminal (tc / td) is logged as well, but the key is plus or minus.
HTH,
Jeff
07-18-2003 11:21 AM
Re: SU_ROOT_GROUP and logging
lastb -R | head (For the last 10 bad attempts.)
lastb -R root (To see all bad attempts as root.)
07-18-2003 11:22 AM
Re: SU_ROOT_GROUP and logging
I had to test it for myself. Both Uday and Jeff are absolutely right. You should see the failed attempt (indicated by a minus sign) in /var/adm/sulog.
But I still think you're right about sudo logging.
Pete
07-18-2003 12:07 PM
Re: SU_ROOT_GROUP and logging
and trying to track users to try, I am scouting to see how I can provide an audit of these behaviors.
I see what I would need to do - parse through the sulog file and find all entries for su - root. With each of these individual entries check the username and see if the username is NOT a member of the SU_ROOT_GROUP. Report these items to us sysadmins.
I like the SUDO logging better but I still want the access to su - to still have a password prompt. SUDO does not do this. Or does it?
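The audit described in the last post, as an added example that is not part of the original thread: it reads a su log, keeps the attempts to become root, and reports those made by users who are not members of the restricted group. The group name `suadm`, the users and the sample files are constructed; it assumes the log lines end in the three fields quoted earlier in the thread (`+` or `-`, terminal, `from-to`) and that sulog ends the same way.

```shell
#!/bin/sh
# Added example (not from the thread): list su-to-root attempts made by users
# who are not members of the SU_ROOT_GROUP group.

# su_root_audit LOG GROUPFILE PASSWDFILE GROUPNAME
# Only the last three fields of each log line ("+|-  tty  from-to") are used,
# which is the layout quoted in the thread for syslog.log.
su_root_audit() {
    awk -v grp="$4" '
        BEGIN { member["root"] = 1 }    # assumption: root is never reported
        # group file: name:passwd:gid:user1,user2,...
        phase == "group" && $1 == grp {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) member[m[i]] = 1
        }
        # passwd file: users whose primary gid is the group are members too
        phase == "passwd" && gid != "" && $4 == gid { member[$1] = 1 }
        # log line: keep attempts to become root by non-members
        phase == "log" && NF >= 3 && $NF ~ /-root$/ && $(NF-2) ~ /^[+-]$/ {
            user = $NF
            sub(/-root$/, "", user)     # strip the target, keep hyphenated names
            if (!(user in member)) print user ": " $0
        }
    ' FS=: phase=group "$2" phase=passwd "$3" FS=" " phase=log "$1"
}

# Constructed sample data (hypothetical users, group name and host).
make_sample() {
    printf '%s\n' 'root::0:root' 'suadm::200:user1,ops-admin' > "$1/group"
    printf '%s\n' 'root:*:0:0::/:/sbin/sh' 'user3:*:103:200::/home/user3:/sbin/sh' \
        'user2:*:102:20::/home/user2:/sbin/sh' > "$1/passwd"
    printf '%s\n' \
        'Jul 18 08:53:02 hostname su: + tc user1-root' \
        'Jul 18 08:53:08 hostname su: - td user2-root' \
        'Jul 18 09:10:11 hostname su: - td user1-root' \
        'Jul 18 09:12:40 hostname su: + tc user3-root' \
        'Jul 18 09:15:00 hostname su: + tc user2-oracle' \
        'Jul 18 09:20:30 hostname su: - te ops-admin-root' \
        'Jul 18 09:25:00 hostname su: - te user4-root' > "$1/syslog.log"
}

dir=$(mktemp -d) && make_sample "$dir" &&
    su_root_audit "$dir/syslog.log" "$dir/group" "$dir/passwd" suadm
rm -rf "$dir"
```

A `+` line in the report means a non-member succeeded, which is worth checking against recent changes to the group.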