UNIX for Advanced & Expert Users

I hope this is the correct forum - apologies to all if I am mistaken.

We are fairly sure someone has got access to the root password on one of our machines and is 'playing silly b*****rs' with it.

Due to local politics we can't easily get the password changed and we need to gather some info to get things changed.

Does anyone know if it is possible to track/trace/log the use of su (or any other command for that matter though su is the one we are most interested in)

We are using Linux - uname -a output below

Linux <hostname> 2.4.9-e.57enterprise #1 SMP Thu Dec 2 20:45:51 EST 2004 i686 unknown

Many thanks for any info/advice

Think there is an su log you can look at (assuming you have su logging switched on).

/var/log/sulog or /var/adm/sulog....

man sulog?

sulog is available for SunOS only, it's not present on Linux. Instead, you can look at "/var/log/secure" file, the format is :

ajcannon,
If someone got root once on your linux system then you're in trouble! Chance are he/she will be able to wipe out any suspicous activity such as root su/login etc...

But If the user is pretty dumb You can always alias the su command to log some info, something like

Code:

alias su='TOTO=`tty | sed -e 's,^/dev/,,'`; who -u |grep $TOTO>> /tmp/su.log; /bin/su'

Then you either don't comprehend the seriousness or don't care about security.

If you had a bull rampaging in your china shop would you be trying to find the farmer or trying to protect your merchendise?

Stuff the politics, there are bigger concerns than people's ego's.

It's a security issue.
Just change the root password.

Not sure if it's the case with all unix/linux systems, but on HP-UX you can restrict who can su to root (I called the group 'rooters') . If you're not in that group, then no can do.

Cheers,
Cameron

With NetBSD and some other systems you have to be a member of the "wheel" group.