Full Discussion: Trace su to root
Operating Systems AIX Trace su to root Post 302843518 by MichaelFelt on Tuesday 13th of August 2013 03:05:41 PM
su, and the sulog, assume that the user is already logged in - so there is no IP address - other than their login shell.

The danger of relying on sulog is that it is only fairly certain to tell about the failed attempts - as long as they are only failures. Once successful, a good (at it) hacker will edit that file - removing their entries.

1) to get IP addresses you will need to use the audit mechanism. I will look into that - thanks for the topic for my next blog ;-)

2) to protect your logs you will need something to make them trustable. The solution "used to be" expensive tamper-proof, or near tamper-proof (such as WORM - write-once-read-many) devices. But these are hard (next to impossible) to attach to all virtual machines (aka LPAR/partition). The solution for AIX is to use the "Trusted Log" component of POWERSC.

Hope this helps - and thanks again for the blog idea.

Michael
su(1M)                 System Administration Commands                 su(1M)

NAME
     su - become superuser or another user

SYNOPSIS
     su [-] [ username [ arg...]]

DESCRIPTION
     The su command allows one to become another user without logging off or to assume a role. The default user name is root (superuser).

     To use su, the appropriate password must be supplied (unless the invoker is already root). If the password is correct, su creates a new shell process that has the real and effective user ID, group IDs, and supplementary group list set to those of the specified username. Additionally, the new shell's project ID is set to the default project ID of the specified user. See getdefaultproj(3PROJECT), setproject(3PROJECT). The new shell will be the shell specified in the shell field of username's password file entry (see passwd(4)). If no shell is specified, /usr/bin/sh is used (see sh(1)). If superuser privilege is requested and the shell for the superuser cannot be invoked using exec(2), /sbin/sh is used as a fallback. To return to normal user ID privileges, type an EOF character (<CTRL-D>) to exit the new shell.

     Any additional arguments given on the command line are passed to the new shell. When using programs such as sh, an arg of the form -c string executes string using the shell and an arg of -r gives the user a restricted shell.

     To create a login environment, the command "su -" does the following:

     o  In addition to what is already propagated, the LC* and LANG environment variables from the specified user's environment are also propagated.

     o  Propagate TZ from the user's environment. If TZ is not found in the user's environment, su uses the TZ value from the TIMEZONE parameter found in /etc/default/login.

     o  Set MAIL to /var/mail/new_user.

     If the first argument to su is a dash (-), the environment will be changed to what would be expected if the user actually logged in as the specified user. Otherwise, the environment is passed along, with the exception of $PATH, which is controlled by PATH and SUPATH in /etc/default/su.

     All attempts to become another user using su are logged in the log file /var/adm/sulog (see sulog(4)).

SECURITY
     su uses pam(3PAM) with the service name su for authentication, account management, and credential establishment.

EXAMPLES
     Example 1: Becoming User bin While Retaining Your Previously Exported Environment

     To become user bin while retaining your previously exported environment, execute:

          example% su bin

     Example 2: Becoming User bin and Changing to bin's Login Environment

     To become user bin but change the environment to what would be expected if bin had originally logged in, execute:

          example% su - bin

     Example 3: Executing command with user bin's Environment and Permissions

     To execute command with the temporary environment and permissions of user bin, type:

          example% su - bin -c "command args"

ENVIRONMENT VARIABLES
     Variables with LD_ prefix are removed for security reasons. Thus, su bin will not retain previously exported variables with LD_ prefix while becoming user bin.

     If any of the LC_* variables (LC_CTYPE, LC_MESSAGES, LC_TIME, LC_COLLATE, LC_NUMERIC, and LC_MONETARY) (see environ(5)) are not set in the environment, the operational behavior of su for each corresponding locale category is determined by the value of the LANG environment variable. If LC_ALL is set, its contents are used to override both the LANG and the other LC_* variables. If none of the above variables are set in the environment, the "C" (U.S. style) locale determines how su behaves.

     LC_CTYPE
          Determines how su handles characters. When LC_CTYPE is set to a valid value, su can display and handle text and filenames containing valid characters for that locale. su can display and handle Extended Unix Code (EUC) characters where any individual character can be 1, 2, or 3 bytes wide. su can also handle EUC characters of 1, 2, or more column widths. In the "C" locale, only characters from ISO 8859-1 are valid.

     LC_MESSAGES
          Determines how diagnostic and informative messages are presented. This includes the language and style of the messages, and the correct form of affirmative and negative responses. In the "C" locale, the messages are presented in the default form found in the program itself (in most cases, U.S. English).

FILES
     $HOME/.profile
          user's login commands for sh and ksh

     /etc/passwd
          system's password file

     /etc/profile
          system-wide sh and ksh login commands

     /var/adm/sulog
          log file

     /etc/default/su
          the default parameters in this file are:

          SULOG    If defined, all attempts to su to another user are logged in the indicated file.

          CONSOLE  If defined, all attempts to su to root are logged on the console.

          PATH     Default path. (/usr/bin:)

          SUPATH   Default path for a user invoking su to root. (/usr/sbin:/usr/bin)

          SYSLOG   Determines whether the syslog(3C) LOG_AUTH facility should be used to log all su attempts. LOG_NOTICE messages are generated for su's to root, LOG_INFO messages are generated for su's to other users, and LOG_CRIT messages are generated for failed su attempts.

     /etc/default/login
          the default parameters in this file are:

          TIMEZONE Sets the TZ environment variable of the shell.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     +-----------------------------+-----------------------------+
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     +-----------------------------+-----------------------------+
     |Availability                 |SUNWcsu                      |
     +-----------------------------+-----------------------------+

SEE ALSO
     csh(1), env(1), ksh(1), login(1), roles(1), sh(1), syslogd(1M), exec(2), getdefaultproj(3PROJECT), setproject(3PROJECT), pam(3PAM), pam_authenticate(3PAM), pam_acct_mgmt(3PAM), pam_setcred(3PAM), pam.conf(4), passwd(4), profile(4), sulog(4), syslog(3C), attributes(5), environ(5)

SunOS 5.10                       26 Feb 2004                       su(1M)
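
The manual page says every su attempt is written to /var/adm/sulog; the following added example (not part of the manual page or of the forum post) summarizes su-to-root attempts per invoking user and marks a success that directly follows a run of failures. It assumes the one-line-per-attempt layout described in sulog(4), which this page does not reproduce; the function name, the threshold and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-user summary of su-to-root attempts from sulog(4) input.
# Assumed line layout (sulog(4), not shown on this page):
#   SU MM/DD HH:MM <+|-> <tty> <fromuser>-<touser>
# Note there is no source address in a record, only the tty.

# su_root_report [THRESHOLD] < sulog
# Prints "<user> ok=<n> fail=<n> <flag>" per invoking user, sorted by name.
# <flag> is "FAIL-THEN-OK <date> <time> <tty>" when a success directly
# follows THRESHOLD or more consecutive failures, otherwise "-".
su_root_report() {
    awk -v thr="${1:-3}" '
        $1 == "SU" && NF == 6 && ($4 == "+" || $4 == "-") {
            # Split on the LAST hyphen: the invoking name may contain "-".
            to = $6; sub(/^.*-/, "", to)
            from = substr($6, 1, length($6) - length(to) - 1)
            if (to != "root" || from == "") next
            seen[from] = 1
            if ($4 == "-") {
                fail[from]++; streak[from]++
            } else {
                ok[from]++
                if (streak[from] >= thr + 0)
                    flag[from] = "FAIL-THEN-OK " $2 " " $3 " " $5
                streak[from] = 0
            }
        }
        END {
            for (u in seen)
                printf "%s ok=%d fail=%d %s\n", u, ok[u], fail[u],
                       ((u in flag) ? flag[u] : "-")
        }' | sort
}

# Constructed sample records; on a real host: su_root_report 3 < /var/adm/sulog
su_root_report 3 <<'EOF'
SU 08/13 14:01 - pts/2 mallory-root
SU 08/13 14:01 - pts/2 mallory-root
SU 08/13 14:02 - pts/2 mallory-root
SU 08/13 14:03 + pts/2 mallory-root
SU 08/13 14:10 + pts/0 alice-root
SU 08/13 14:12 + pts/1 bob-oracle
SU 08/13 14:20 - pts/5 svc-backup-root
EOF
```

The report only reflects records still present in the file it is given, so it is best run against a copy held off the host, for example one produced through the SYSLOG parameter in /etc/default/su.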