Unix Tip: Tracking su Activity
Send in your Unix questions today!
See additional Unix tips and tricks
One of the things that every Unix systems administrator needs to know to properly manage a Unix system is who else is using the powers of root. Without that knowledge, it is not possible to be confident that the system's configuration will remain stable, that the cause of problems can be tied down to specific actions or who else might be given root access. It's also essential to know who is trying, but failing, to use the root account and who is using another user's account. Since one of the essential rules of any good Unix security policy is that no one knows another user's password, we probably want to know when this policy is being violated. If we can't be sure who is using each login, accountability on our systems in non-existent.
While a stealthy individual who has captured the root password will likely be adept at covering his tracks, more benign individuals who try to assume root control on a system will be revealed in the system's sulog file -- the system's record of all attempts by users on to execute the su command. Many Unix systems will log su activity to the sulog file by default. The locations of the sulog file depends on which type of Unix you are using. On Solaris, the location of the sulog file is specified in /etc/default/su and is /var/adm/sulog by default as illustrated in this snippet:
# SULOG determines the location of the file used to log all su attempts
#
SULOG=/var/adm/sulog
If you are working on a Linux system, check for a file named /etc/logins.defs that may define whether su logging is enabled. The default location for the sulog file on Linux systems is usually /var/log/sulog.
To give you an idea what sulog entries can tell you, let's look at a couple of sample entries:
SU 01/19 17:41 - pts/1 jdoe-root
SU 01/20 11:17 + pts/1 jdoe-slee
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
help
hi would you please explain everything in detail on these scripting i am a newbie on unix and scripting as well but i would like to learn more and understand every detail.i want to do the same script but using bash.addition
And i will also like to direct the results to my email.