Operating System - HP-UX

Re: SU_ROOT_GROUP and logging

SOLVED
Rick Garland
Honored Contributor

SU_ROOT_GROUP and logging

Hi all:

HPUX 11.00
L2000

I am finding that the /etc/default/security file is working (to some extent) on 11.00 non-trusted. Am using the SU_ROOT_GROUP variable and it is functioning.

But is there a logging facility somewhere that shows failed attempts by non-group members to become root? The sulog will show successes but what about the failures? The non-group user would receive the "not a member of the SU_ROOT_GROUP" message but is there a log file that captures this info - to see who tried and when?

At this stage I would definitely say that SUDO has much better logging.


6 REPLIES
Pete Randall
Outstanding Contributor
Solution

Re: SU_ROOT_GROUP and logging

Rick,

To the best of my knowledge, that information is not logged. The security file covers several different aspects of "security" from minimum password length to number of logins allowed. Some of these obviously don't lend themselves to logging and there seems to have been no attempt to incorporate a logging facility for those few that lend themselves to it.

I would have to agree with your assessment of SUDO logging.


Pete
Uday_S_Ankolekar
Honored Contributor

Re: SU_ROOT_GROUP and logging

/var/adm/sulog should capture both successful and unsuccessful su login records.

A + sign indicates a successful and a - sign a failed su in the sulog.
-USA..
Good Luck..
Jeff Schussele
Honored Contributor

Re: SU_ROOT_GROUP and logging

Hi Rick,

By default all su attempts are logged into the standard /var/adm/syslog/syslog.log

Successful attempts look like

Jul 18 08:53:02 hostname su: + tc user1-root

Unsuccessful attempts like

Jul 18 08:53:08 hostname su: - td user1-root

Note that the terminal (tc / td) is logged as well, but the key is plus or minus.

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Paul Sperry
Honored Contributor

Re: SU_ROOT_GROUP and logging

The command lastb will give you a list of bad logins; if you use the -R switch it will tell you where the attempt is coming from. Bad login attempts are logged in /var/adm/btmp. Make sure that file is readable only by root because sometimes it contains passwords.

lastb -R | head (For the last 10 bad attempts.)

lastb -R root (To see all bad attempts as root.)
Pete Randall
Outstanding Contributor

Re: SU_ROOT_GROUP and logging

Rick,

I had to test it for myself. Both Uday and Jeff are absolutely right. You should see the failed attempt (indicated by a minus sign) in /var/adm/sulog.

But I still think you're right about sudo logging.


Pete
Rick Garland
Honored Contributor

Re: SU_ROOT_GROUP and logging

I have found the entries in the sulog and see the difference between successful and unsuccessful. With the use of the SU_ROOT_GROUP and trying to track users who try, I am scouting to see how I can provide an audit of these behaviors.

I see what I would need to do - parse through the sulog file and find all entries for su - root. With each of these individual entries check the username and see if the username is NOT a member of the SU_ROOT_GROUP. Report these items to us sysadmins.

I like the SUDO logging better but I still want the access to su - to still have a password prompt. SUDO does not do this. Or does it?
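One way to do the check Rick describes in this last post, as an added example that is not from the thread. It assumes each sulog line has the form "SU MM/DD hh:mm +|- tty fromuser-touser" (inferred from the +/- and "user1-root" syslog lines Jeff quoted), and it uses constructed sample lines and a constructed member list so it runs stand-alone:

```shell
#!/bin/sh
# Added example, not from the thread. Reports every su to root, successful
# or failed, by a user who is not in SU_ROOT_GROUP, so sysadmins can audit
# who tried and when.
# Assumed sulog format: "SU MM/DD hh:mm +|- tty fromuser-touser".

# Constructed sample sulog content (two non-member failures, one
# non-member success that also deserves a look, and member/non-root noise).
SAMPLE_SULOG='SU 07/18 08:53 + tc user1-root
SU 07/18 08:53 - td user2-root
SU 07/18 09:10 + tp user1-oracle
SU 07/18 09:12 - tq mallory-root
SU 07/18 09:15 + tr admin-root
SU 07/18 09:20 + ts user2-root'

# Constructed member list; on a live system use members_of_group instead.
SU_ROOT_MEMBERS="user1 admin"

# members_of_group GROUP: space-separated supplementary members of GROUP
# from /etc/group. Caveat: users whose primary gid is GROUP are not listed
# there, so check /etc/passwd as well if your site relies on primary groups.
members_of_group() {
    awk -F: -v g="$1" '$1 == g { gsub(",", " ", $4); print $4 }' /etc/group
}

# report_root_su_by_nonmembers SULOG_TEXT "user1 user2 ...":
# prints "date time result fromuser" for each su to root by a non-member.
report_root_su_by_nonmembers() {
    printf '%s\n' "$1" | awk -v members="$2" '
        BEGIN { n = split(members, m, " "); for (i = 1; i <= n; i++) allowed[m[i]] = 1 }
        # $2 date, $3 time, $4 + or -, $NF fromuser-touser
        NF >= 6 {
            k = split($NF, ft, "-")                          # target is last part
            to = ft[k]
            from = substr($NF, 1, length($NF) - length(to) - 1)  # keeps hyphenated names
            if (to == "root" && !(from in allowed))
                printf "%s %s %s %s\n", $2, $3, $4, from
        }'
}

report_root_su_by_nonmembers "$SAMPLE_SULOG" "$SU_ROOT_MEMBERS"
```

On a real box replace the sample text with `cat /var/adm/sulog` output and the member list with `members_of_group "$(grep '^SU_ROOT_GROUP=' /etc/default/security | cut -d= -f2)"`.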