audit users logon attempts to su - root

Status
Not open for further replies.

newcg

Technical User
Feb 1, 2007
22
US
Hi,
Is there a way to audit users who do:
su -
and
1.) log it to a file, or
2.) send these failed/successful attempts to an SNMP/syslog server?
In the AIX audit, the streams.out only lists the login part from the original telnet login. If you su to user2, then try su - to root, it still says you're user1 AND NOT user2.

event login status time command
S_PASSWD_READ user1 OK Tue Feb 06 18:35:00 2007 su
USER_SU user1 FAIL Tue Feb 06 18:35:02 2007 su

Here, I telnet in as user1 and then su - user2, then su - root. But the login still says user1 from the original telnet session user logging in. It should say user2.
event login status time command
--------------- -------- ----------- ------------------------ ---------
S_PASSWD_READ user1 OK Tue Feb 06 18:35:18 2007 su
USER_SU user1 FAIL Tue Feb 06 18:35:18 2007 su

start:
binmode = off
streammode =on

bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536

stream:
cmds = /etc/security/audit/streamcmds

classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,
PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
default = login
init = USER_Login, USER_Logout, USER_Exit, USER_Logout

users:
root = general
user1 = general,init,system

Can anyone help?
Thanks.
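As an added example, not code from the post or from AIX itself: a small parser for audit stream lines in the column layout shown above (event, login, status, time, command), which picks out USER_SU events and turns them into syslog-style messages, with failed attempts at a higher severity. The sample lines are constructed; as the post notes, the stream columns carry only the original login, not the target user, so the message does not claim one.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the AIX audit stream output quoted in the post.
SAMPLE_STREAM = """\
event login status time command
--------------- -------- ----------- ------------------------ ---------
S_PASSWD_READ user1 OK Tue Feb 06 18:35:18 2007 su
USER_SU user1 FAIL Tue Feb 06 18:35:18 2007 su
USER_SU user2 OK Tue Feb 06 18:36:01 2007 su
"""

# One record per line: event, login, status, a ctime-style timestamp, command.
LINE_RE = re.compile(
    r"^(?P<event>\S+)\s+(?P<login>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<time>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+(?P<command>\S+)$"
)


def parse_stream(text):
    """Parse audit stream text into dicts; header and separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records


def su_alerts(records):
    """Return one syslog-style message per USER_SU event; failures get auth.warning."""
    msgs = []
    for r in records:
        if r["event"] != "USER_SU":
            continue
        sev = "auth.warning" if r["status"] == "FAIL" else "auth.notice"
        msgs.append(f"{sev} su attempt by {r['login']} {r['status']} "
                    f"at {r['time']:%Y-%m-%d %H:%M:%S}")
    return msgs


if __name__ == "__main__":
    for msg in su_alerts(parse_stream(SAMPLE_STREAM)):
        print(msg)
```

Each returned message is ready to hand to a syslog sender (for example the logger command with the facility.severity prefix as its -p value) from a streamcmds pipeline.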
 
Basically, I need to know from which user to which user the person is trying to su, and whether it failed or succeeded.
 
That's good. I can use that.
But is there a way to send this info to a syslog server/SNMP server when someone tries to su to / log in as someone? I need an alert/alarm when a su - root happens.
Thanks.
 
I got it to work with syslog. Thanks.
 