Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: sudo or su logging
Operating Systems HP-UX sudo or su logging Post 302214642 by Ikon on Monday 14th of July 2008 01:22:30 PM
Old 07-14-2008
sudo or su logging
Jul 14 08:02:40 servera sshd[18240]: Accepted keyboard-interactive/pam for someuser from x.x.x.x port 1406 ssh2
Jul 14 08:02:48 servera su: - 1 someuser-root
Jul 14 08:03:03 servera sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/usr/bin/su -
Jul 14 08:03:03 servera su: + 1 someuser-root

Line 1 - SSH to the server
Line 2 - invalid password "sudo su -"
Line 3,4 - Successful "sudo su -"

I would like to beable to link a failed "sudo su -" to the ssh login, but there is no data other than username.

If a user is logged in multiple times or from multiple locations there is no way to differenciate the logins.

We currently have a report emailed to us letting us know this data to determine if someusers are trying to run commands they are not supposed to, but management wants more info, like hostname and/or IP address of the user at the time the command was run.

Anyone have any ideas how to add log details for sudo or su?

sudolog only shows:
SU 07/14 08:17 + 0 someuser-root
SU 07/14 08:53 + 1 someuser-root
syslog.log only show:
Jul 14 08:02:40 servera sshd[18240]: Accepted keyboard-interactive/pam for someuser from x.x.x.x port 1406 ssh2
Jul 14 08:02:48 servera su: - 1 someuser-root
Jul 14 08:03:03 servera sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/usr/bin/su -
Jul 14 08:03:03 servera su: + 1 someuser-root

Thanks,
Kyle
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Logging all commands after a sudo su-

Hi there, It might seem tricky, I confess. We use sudo to allow people to initiate priviledged commands (but not all commands) on our Unix systems. To by pass this, some people initiate the sudo su - command ; The main issue is to 'know' what those people do when they gain root access.... (4 Replies)
Discussion started by: linuxmtl
4 Replies

2. UNIX for Dummies Questions & Answers

sudo logging + NFS hang?

Hi all, I have two problems, My system is SunOS 5.9: 1- I have installed sudo but I have a problem logging user activities on other hosts, the way I installed it is that I installed sudo and the sudoers file in a shared directory on a NFS server which is mounted by all computers on the... (1 Reply)
Discussion started by: neked
1 Replies

3. UNIX for Dummies Questions & Answers

Unable to use the Sudo command. "0509-130 Symbol resolution failed for sudo because:"

Hi! I'm very new to unix, so please keep that in mind with the level of language used if you choose to help :D Thanks! When attempting to use sudo on and AIX machine with oslevel 5.1.0.0, I get the following error: exec(): 0509-036 Cannot load program sudo because of the following errors:... (1 Reply)
Discussion started by: Chloe123
1 Replies

4. AIX

sudo log and sudo auditing

Sudo In AIX, how to find out what commands have been run after a user sudo to another user? for example, user sam run 'sudo -u robert ksh' then run some commands, how can I (as root) find what commands have been run? sudo.log only contains sudo event, no activity logging. (3 Replies)
Discussion started by: jalite19
3 Replies

5. UNIX for Advanced & Expert Users

change io logging directory sudo 1.7.4p6

There was an update in sudo 1.7.5 : -The I/O log directory may now be specified in the sudoers file. I am stuck using sudo 1.7.4p6. Because it is supported by HP on thier HP-UX builds. Is there a process to change this directory in sudo 1.7.4p6? currently sudo 1.7.4p6's default is... (3 Replies)
Discussion started by: trimike
3 Replies

6. Shell Programming and Scripting

ssh foo.com sudo command - Prompts for sudo password as visible text. Help?

I am writing a BASH script to update a webserver and then restart Apache. It looks basically like this: #!/bin/bash rsync /path/on/local/machine/ foo.com:path/on/remote/machine/ ssh foo.com sudo /etc/init.d/apache2 reloadrsync and ssh don't prompt for a password, because I have DSA encryption... (9 Replies)
Discussion started by: fluoborate
9 Replies

7. Shell Programming and Scripting

sudo: sorry, you must have a tty to run sudo

Hi All, I running a unix command using sudo option inside shell script. Its working well. But in crontab the same command is not working and its throwing "sudo: sorry, you must have a tty to run sudo". I do not have root permission to add or change settings for my userid. I can not even ask... (9 Replies)
Discussion started by: Apple1221
9 Replies

8. Shell Programming and Scripting

sudo: sorry, you must have a tty to run sudo

Hi, Have a need to run the below command as a "karuser" from a java class which will is running as "root" user. When we are trying to run the below command from java code getting the below error. Command: sudo -u karuser -s /bin/bash /bank/karunix/bin/build_cycles.sh Error: sudo: sorry,... (8 Replies)
Discussion started by: Satyak
8 Replies

9. Solaris

Sudo logging need year details also

Hi All I have a requirement in which during sudo logging, I must get the year details also in sudo log file. As below output is not mentioning the year due to this I will not able to idenfiy that this log belong to 2012 or 2011 or 2010 Dec 12 11:30:21 XYZ sudo: user1 : TTY=pts/5 ;... (4 Replies)
Discussion started by: sb200
4 Replies

10. Linux

Syslog not logging successful logging while unlocking server's console

When unlocking a Linux server's console there's no event indicating successful logging Is there a way I can fix this ? I have the following in my rsyslog.conf auth.info /var/log/secure authpriv.info /var/log/secure (1 Reply)
Discussion started by: walterthered
1 Replies

LEARN ABOUT OSX

heimdal_debug

heimdal_debug(5)					      BSD File Formats Manual						  heimdal_debug(5)

NAME

     heimdal_debug -- how to turn on/off debugging for Kerberos tools

DESCRIPTION

     The heimdal_debug kerberos frameworks have several knobs for controlling logging.	The different framework knobs are:

     libkrb
	  The Kerberos library, some gss-api Kerberos output ends up here too

     kcm  the kcm library (credentials cache, ntlm client)

     kdc  the kerberos KDC output

     digest-service
	  the digest service (ntlm server)

CONFIGURATION FILE

	  [logging]
		  <subsystem> = 0-/SYSLOG:
     and watch syslog for logging information.

APPLE MAC OS X

     First turn up syslog debugging
	   sudo syslog -c 0 -d
     then you can see the syslog output in Console.app or by running
	   syslog -w -k org.h5l.asl
     To enable more extensive debugging logging for each subsystem, use the following commands:

	   Kerberos Library
		sudo defaults write /Library/Preferences/com.apple.Kerberos logging -dict-add krb5 '0-/ASL:'

	   digest-server
		sudo defaults write /Library/Preferences/com.apple.Kerberos logging -dict-add digest-service '0-/ASL:'

	   kcm	sudo defaults write /Library/Preferences/com.apple.Kerberos logging -dict-add kcm '0-/ASL:'

	   kdc	sudo defaults write /Library/Preferences/com.apple.Kerberos logging -dict-add kdc '0-/ASL:'

	   MIT Kerberos Shim
		defaults write com.apple.MITKerberosShim EnableDebugging -bool true

	   GSS-API framework logging
		sudo defaults write /Library/Preferences/com.apple.GSS DebugLevel -int 10

Other options on Mac OS X
	  Make the admin API pretend to the server even on client
	       sudo defaults write /Library/Preferences/com.apple.Kerberos ForceHeimODServerMode -bool true

SEE ALSO

     gss(5), kerberos(8)

HEIMDAL 
							   Sep 30, 2011 							   HEIMDAL
All times are GMT -4. The time now is 11:47 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy