The UNIX and Linux Forums  


  #1 (permalink)  
jraitsev, 02-12-2002
Trace connections

In my organization in order for anyone to go to any Unix server they have to go through "SERVER A" and login as themselves.

Then people are free to go anywhere they please.

For example:

SERVER A, logs in as himself
telnets to SERVER B, logs in as guest
telnets to SERVER C, logs in as root
telnets to SERVER A, logs in as root
telnets to SERVER D, logs in as user
telnets to SERVER Y, logs in as root

when I run 'who' on "SERVER Y" I see 20 roots logged in.

I want to be able to trace 1 particular root back to SERVER A, where he logged on as himself.

Thanks for all help and suggestions.

James
  #2 (permalink)  
cejoe, 02-12-2002
Root logins are generally considered to be a major no-no, for the very reason you state in your post. It is time consuming and sometimes difficult to determine who logged in as "root" at a given time, especially when 20 or more people have root access to your boxes. You may be able to sort it out but it's not going to be fun.

The simple way to solve your main problem is to disallow root logins and force users to use su or sudo, assuming they all need root access (doubtful but possible). When root access is needed for more than one command, su leaves a message in the system log stating the user who su'd and the terminal they did it from.
  #3 (permalink)  
jraitsev, 02-12-2002
yes, but

Forget about roots, what if I have 20 'user' accounts on the box.
For example:

gfadm pts/0 Feb 12 08:38 (apdv1-26)
gfadm pts/7 Feb 12 15:32 (apdv1-26)
root pts/1 Feb 12 14:10 (apdv1-26)
gfadm pts/4 Feb 12 11:15 (gfbtap1)
gfadm pts/5 Feb 12 14:44 (gfbtap4)
root pts/16 Jan 25 12:38 (apdv1-26)
gfadm pts/12 Feb 8 08:44 (apdv1-26)

and I am interested in the last 'gfadm' on pts/12

how can I find out where he came from and what he was logged on as?

Thanks!!
  #4 (permalink)  
cejoe, 02-12-2002
There may be an easier way to do this... but this is how I'd do it.
Use last to find the host the user in question is logged in from. Then go to that box and use 'ps' to determine who is telnetting to the box in question. If there is more than one person, the BOFH way would be to kill each process until the user in question mysteriously disappears from the target machine, but you probably don't want to do that. You can probably use a bit of common sense and login times etc. to guess. Repeat this process until you reach machine A and the real username.

If the user has logged out it makes it more difficult.
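
Two hops of the manual trace described in the post above, as an added example that is not part of the original thread. It runs over constructed `who` and `ps` samples; the host names servera and servery, the user names, and the `ps -e -o user,pid,tty,etime,args` column layout are assumptions.

```shell
#!/bin/sh
# Added example: two hops of the manual trace, run over constructed sample data.
# On real hosts, replace the samples with `who` and
# `ps -e -o user,pid,tty,etime,args` run on each machine in turn.

# `who` on the target host (constructed, modelled on the listing in this thread)
WHO_TARGET='gfadm pts/0 Feb 12 08:38 (apdv1-26)
gfadm pts/4 Feb 12 11:15 (gfbtap1)
gfadm pts/12 Feb 8 08:44 (apdv1-26)'

# `ps -e -o user,pid,tty,etime,args` on hop host apdv1-26 (constructed)
PS_HOP='USER PID TT ELAPSED COMMAND
jsmith 4121 pts/3 4-06:49:10 telnet servery
root 5200 pts/9 01:22:05 telnet servery
jsmith 4300 pts/3 03:00:00 vi notes.txt
adoe 6100 pts/5 05:01:00 telnet serverd'

# `who` on hop host apdv1-26 (constructed)
WHO_HOP='jsmith pts/3 Feb 8 08:40 (servera)
root pts/9 Feb 12 14:05 (gfbtap1)
adoe pts/5 Feb 12 10:00 (servera)'

# Print the remote host recorded for one tty; nothing if the session is local.
origin_host() {
    awk -v tty="$1" '$2 == tty && $NF ~ /^\(.*\)$/ {
        h = $NF; gsub(/[()]/, "", h); print h }'
}

# Print "user tty pid elapsed" for each telnet client whose arguments name the target.
telnet_candidates() {
    awk -v target="$1" 'NR > 1 && $5 ~ /(^|\/)telnet$/ {
        for (i = 6; i <= NF; i++)
            if ($i == target) { print $1, $3, $2, $4; break }
    }'
}

# Hop 1: where did pts/12 on the target come from?
hop=$(printf '%s\n' "$WHO_TARGET" | origin_host pts/12)
echo "pts/12 came from: $hop"

# Hop 2: on that host, who is telnetted to the target, and where did they come from?
printf '%s\n' "$PS_HOP" | telnet_candidates servery |
while read -r user tty pid elapsed; do
    from=$(printf '%s\n' "$WHO_HOP" | origin_host "$tty")
    echo "candidate $user on $tty (pid $pid, up $elapsed) came from ${from:-local}"
done
```

When more than one candidate remains, compare each telnet process's elapsed time with the login time that `who` shows on the target. The match also depends on the name typed after `telnet`, so check for the target's IP address and aliases as well.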
  #5 (permalink)  
jraitsev, 02-12-2002
Thank you very much for your reply.

I was thinking about doing exactly what you suggested, but was just wondering if there is an easier way to go about it.

There has to be.

If not - let's write it.

Seriously, there are a lot of very smart people on this board, let's make it happen.

What do you think?

IF ANYONE ELSE HAS TO OFFER ANOTHER SOLUTION, PLEASE SPEAK UP
  #6 (permalink)  
Witlr, 02-22-2002
Telnetting in as ROOT is NO NO

From your posting you want to track users who are logging in as Root and what they are doing.

Easiest way is to block root from telnetting in from remote connections. Force the users to log in as themselves and then "su" over to root. You can then log all su attempts (successful and unsuccessful) and track the people backwards across the servers.

Basic Security rule is to only allow Root to login from the Console Terminal physically located at the server.
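
The su logging recommended in this thread can be read back mechanically. This added example (not from the thread) assumes the classic System V sulog line layout, as found in /var/adm/sulog on Solaris and HP-UX; the sample lines and user names are constructed.

```shell
#!/bin/sh
# Added example: reading an su log to see who became root, and who tried and failed.
# Assumed line layout: SU MM/DD HH:MM +|- tty from-to

# Constructed sample lines
SULOG='SU 02/12 14:09 + pts/9 jsmith-root
SU 02/12 14:20 - pts/5 adoe-root
SU 02/12 14:21 - pts/5 adoe-root
SU 02/12 15:02 + pts/5 adoe-gfadm
SU 02/12 15:30 + pts/3 j-smith-root'

# Print "date time tty from_user" for every su to <target> with the given
# result flag ("+" success, "-" failure). The target is stripped as a suffix
# so that login names containing "-" survive.
su_events() {
    awk -v flag="$1" -v target="$2" '
        $1 == "SU" && ($4 "") == (flag "") {
            suffix = "-" target
            n = length($6) - length(suffix)
            if (n > 0 && substr($6, n + 1) == suffix)
                print $2, $3, $5, substr($6, 1, n)
        }'
}

# Count failed su attempts per "user tty" pair for <target>, busiest first.
su_failures() {
    su_events - "$1" |
        awk '{ c[$4 " " $3]++ } END { for (k in c) print c[k], k }' |
        sort -rn
}

echo "successful su to root:"
printf '%s\n' "$SULOG" | su_events + root
echo "failed su to root:"
printf '%s\n' "$SULOG" | su_failures root
```

The tty in each line is the one the user held on that host, so it can be matched against `who` there to find the host the session came from.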
  #7 (permalink)  
MizzGail, 02-22-2002
Are your people logging into the initial unix server from a PC?
What we do is assign each PC a unique id. We can trace the login id via the PC id, which shows up in the finger command.

Also, our system has /usr/var/adm/syslog.dated files, which trace all root logins and what device they are coming from. You could then trace the device.


Hope this helps