Hi,
Is there a way to audit users who do:
su -
and
1.) log to a file or
2.) send these failed/successful attempts to an SNMP/syslog server?
In AIX audit, the streams.out only lists the login part from the original telnet login. If you su to user2, then try su - to root, it still says you're user1 AND NOT user2.
event login status time command
S_PASSWD_READ user1 OK Tue Feb 06 18:35:00 2007 su
USER_SU user1 FAIL Tue Feb 06 18:35:02 2007 su
Here, I telnet in as user1 and then su - user2, then su - root. But the login still says user1, the user who logged in from the original telnet session. It should say user2.
event login status time command
--------------- -------- ----------- ------------------------ ---------
S_PASSWD_READ user1 OK Tue Feb 06 18:35:18 2007 su
USER_SU user1 FAIL Tue Feb 06 18:35:18 2007 su
start:
binmode = off
streammode = on
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
stream:
cmds = /etc/security/audit/streamcmds
classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,
PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
default = login
init = USER_Login, USER_Logout, USER_Exit, USER_Logout
users:
root = general
user1 = general,init,system
Can anyone help?
thanks.