January 23, 2006, 9:49 AM — Send in your Unix questions today!
See additional Unix tips and tricks
One of the things that every Unix systems administrator needs to know to properly manage a Unix system is who else is using the powers of root. Without that knowledge, it is not possible to be confident that the system's configuration will remain stable, that the cause of problems can be tied down to specific actions or who else might be given root access. It's also essential to know who is trying, but failing, to use the root account and who is using another user's account. Since one of the essential rules of any good Unix security policy is that no one knows another user's password, we probably want to know when this policy is being violated. If we can't be sure who is using each login, accountability on our systems in non-existent.
While a stealthy individual who has captured the root password will likely be adept at covering his tracks, more benign individuals who try to assume root control on a system will be revealed in the system's sulog file -- the system's record of all attempts by users on to execute the su command. Many Unix systems will log su activity to the sulog file by default. The locations of the sulog file depends on which type of Unix you are using. On Solaris, the location of the sulog file is specified in /etc/default/su and is /var/adm/sulog by default as illustrated in this snippet:
# SULOG determines the location of the file used to log all su attempts
If you are working on a Linux system, check for a file named /etc/logins.defs that may define whether su logging is enabled. The default location for the sulog file on Linux systems is usually /var/log/sulog.
To give you an idea what sulog entries can tell you, let's look at a couple of sample entries:
SU 01/19 17:41 - pts/1 jdoe-root
SU 01/20 11:17 + pts/1 jdoe-slee