HPE Community
Operating System - HP-UX
1832994 Members
2223 Online
110048 Solutions
New Discussion

trapping attempts to assume identity of another user

 
Akhil
Occasional Advisor

‎08-09-2001 08:49 AM

‎08-09-2001 08:49 AM

trapping attempts to assume identity of another user

Hi,

I have two questions

1. What are the various ways by which a user can attempt to assume the identity/permissions of another user?

2. What are the ways to trap those successful and unsuccessful attempts?

Thanx
Akhil
0 Kudos
Reply
9 REPLIES 9
melvyn burnard
Honored Contributor

‎08-09-2001 08:54 AM

‎08-09-2001 08:54 AM

Re: trapping attempts to assume identity of another user

One way is that they can use the su (Switch User) command.
man su

this logs to the sulog known as /var/adm/sulog

Also it logs it into syslog.log if I remember correctly.
There are of course many other additional pieces of software you could install, such as sudo, and these will log differently
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
0 Kudos
Reply
Akhil
Occasional Advisor

‎08-09-2001 09:04 AM

‎08-09-2001 09:04 AM

Re: trapping attempts to assume identity of another user

Thanx Melvyn,

I am aware of "su" and "/var/adm/sulog", but what i wanted to know was other ways to assume the identity and trapping that attempt, successful or unsuccessful.

Thanx
Akhil
0 Kudos
Reply
Akhil
Occasional Advisor

‎08-09-2001 09:11 AM

‎08-09-2001 09:11 AM

Re: trapping attempts to assume identity of another user

Another way which i can think of is "login" command. Is there anyway to trap this?
0 Kudos
Reply
Mark Vollmers
Esteemed Contributor

‎08-09-2001 09:22 AM

‎08-09-2001 09:22 AM

Re: trapping attempts to assume identity of another user

What do you mean by trapping? If you want to prevent people from doing this (the login command or su or whatever), you can always modify the shell to either lock out these commands or to have the commands do something else (log any attempts, etc).

Mark
"We apologize for the inconvience" -God's last message to all creation, from Douglas Adams "So Long and Thanks for all the Fish"
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎08-09-2001 09:39 AM

‎08-09-2001 09:39 AM

Re: trapping attempts to assume identity of another user


If the setuid bit is on an executable, say ksh, and the owner of the file is another user, then yes, they can "become" that user.
Live Free or Die
0 Kudos
Reply
Akhil
Occasional Advisor

‎08-09-2001 10:32 AM

‎08-09-2001 10:32 AM

Re: trapping attempts to assume identity of another user

I want to send an alarm as and when the attempt, successful or unsuccessful, is made to assume another user's identity, maybe using any method e.g using "su", "suidbit" or " login"

thanx
0 Kudos
Reply
Sundar_7
Honored Contributor

‎08-10-2001 04:48 AM

‎08-10-2001 04:48 AM

Re: trapping attempts to assume identity of another user

Hi Akhil,

U can consider doing the following things..

* If U want to trap unsuccessful 'su' attempts

Pls have a look at

/var/adm/sulog file with

-

User1 is trying to switch to User2 but he

failed to give the correct password..

SO U can write a simple script to analyze

the log and create an report..

* If U want to trap Unsuccsful login attempts

then U can user "lastb" command..

Also U can enable "auditing" and audit

the unsuccessful login attempts

What else U need ?

Sundar
Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
Akhil
Occasional Advisor

‎08-11-2001 05:30 AM

‎08-11-2001 05:30 AM

Re: trapping attempts to assume identity of another user

Suppose, my login-id is 'akhil' and I login with this id and I am currently in my home directory '/home/akhil'

From my home directory I try 2 things:
1.'su' to another id 'james'
2.'login' to another id 'james'

Now, How do I send an alarm for each of these attempts, regardless of whether it is unsuccessful or successful.

The alarm should be such that it says that id 'akhil' trying to assume id of 'james'.

Thanx
0 Kudos
Reply
Wodisch
Honored Contributor

‎08-11-2001 08:00 AM

‎08-11-2001 08:00 AM

Re: trapping attempts to assume identity of another user

Hello Akhil,

you can monitor the "sulog" with something like
the followinf script running in the background:

#!/usr/bin/sh
nohup tail -f /var/adm/sulog | while read line; do
echo $line | mailx -s"SU" akhil
done

or you may write your own "PAM" module to it
(that's "Pluggable Authentication Module" - see man
page on "pam.conf").

HTH,
Wodisch
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.