Log Review- SU

# 3   09-22-2015
Our policy is that every use of su or sudo has to be explained. Just collecting the records and challenging is a good start; however, I added something into /etc/profile that tries to log all the commands too. There are certainly some flaws with it, and it depends on people doing su - or su - username to run the profile and therefore be effective, but that has always been the habit here, so I got away with that.

There were various other application-specific things embedded in the code, but having stripped those out, I think this might still work:
Code:
# Log each distinct interactive command line via syslog.  Meant to be
# sourced from /etc/profile, so it only takes effect in login shells
# (su - or su - username); ksh/bash only, since it relies on a DEBUG trap.
lgcmd()
{
  # fc -l -0 lists the history line being executed.  The DEBUG trap fires
  # once per simple command, so a pipeline would otherwise be logged
  # several times; the history number in field 1 de-duplicates that.
  # (bash also exposes the current command as $BASH_COMMAND in a DEBUG trap.)
  cur_cmd_seq=`fc -l -0 | cut -f1`
  if [ "$cur_cmd_seq" != "$prev_cmd_seq" ]
  then
    prev_cmd_seq="$cur_cmd_seq"
    /usr/bin/logger "on $PTS as `id -un`: `fc -l -0 | cut -f2-`"
  fi
}

# $PTS must hold the pseudo-terminal name; default to tty(1) if the
# profile has not set it already.
: "${PTS:=`tty 2>/dev/null`}"

prev_cmd_seq=                  # Set as null in case shell refuses unset variables
trap lgcmd DEBUG

You would need to determine the pseudo-terminal as $PTS, but the rest gives you a fairly good trace to challenge people with.


I hope that this helps,
Robin
sulog(4)                         File Formats                         sulog(4)

NAME
       sulog - su command log file

SYNOPSIS
       /var/adm/sulog

DESCRIPTION
       The sulog file is a record of all attempts by users on the system to
       execute the su(1M) command.  Each time su(1M) is executed, an entry is
       added to the sulog file.  Each entry in the sulog file is a single line
       of the form:

           SU date time result port user-newuser

       where

       date       The month and date su(1M) was executed.  date is displayed
                  in the form mm/dd, where mm is the month number and dd is
                  the day number in the month.

       time       The time su(1M) was executed.  time is displayed in the form
                  HH:MM, where HH is the hour number (24 hour system) and MM
                  is the minute number.

       result     The result of the su(1M) command.  A `+' sign is displayed
                  in this field if the su attempt was successful; otherwise a
                  `-' sign is displayed.

       port       The name of the terminal device from which su(1M) was
                  executed.

       user       The user id of the user executing the su(1M) command.

       newuser    The user id being switched to with su(1M).

EXAMPLES
       Example 1: A sample sulog file.

       Here is a sample sulog file:

           SU 02/25 09:29 + console root-sys
           SU 02/25 09:32 + pts/3 user1-root
           SU 03/02 08:03 + pts/5 user1-root
           SU 03/03 08:19 + pts/5 user1-root
           SU 03/09 14:24 - pts/5 guest3-root
           SU 03/09 14:24 - pts/5 guest3-root
           SU 03/14 08:31 + pts/4 user1-root

FILES
       /var/adm/sulog     su log file

       /etc/default/su    contains the default location of sulog

SEE ALSO
       su(1M)

SunOS 5.10                        6 Jun 1994                          sulog(4)
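The sulog(4) format above is regular enough to review with awk. The script below is an added example, not from the thread or from the SunOS manual: it summarises a sulog-format file the way a reviewer applying a "every su must be explained" policy like the one in the reply above would want, listing every successful su to root and the failed attempts per user, with a threshold helper for alerting. The sample lines are the man page's example plus one constructed failure for user1; the function names (sulog_failures, sulog_root_successes, sulog_failed_users_over, sulog_report) are my own. Because sulog does not quote account names, the user is taken to be everything before the last '-' in the user-newuser field, which is an assumption.

```sh
#!/bin/sh
# Added example: summarise a sulog(4)-format file for review.  Not taken
# from the thread or from the SunOS manual; function names are my own.
# Each sulog line is:  SU mm/dd HH:MM result port user-newuser
# with result '+' for a successful su and '-' for a failed one.

# Sample input: the man page's example lines plus one constructed failure
# for user1, so that more than one account shows up in the failure count.
SAMPLE_SULOG='SU 02/25 09:29 + console root-sys
SU 02/25 09:32 + pts/3 user1-root
SU 03/02 08:03 + pts/5 user1-root
SU 03/03 08:19 + pts/5 user1-root
SU 03/09 14:24 - pts/5 guest3-root
SU 03/09 14:24 - pts/5 guest3-root
SU 03/12 17:02 - pts/2 user1-root
SU 03/14 08:31 + pts/4 user1-root'

# Write the sample to a temporary file and print its path.
sulog_sample_file() {
    _f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SULOG" > "$_f"
    printf '%s\n' "$_f"
}

# sulog_failures FILE: print "count user" for each user with failed su
# attempts, most failures first.  The user-newuser field is not quoted, so
# the user is assumed to be everything before the last '-' (an assumption;
# sulog gives no way to tell whether a name itself contains a dash).
sulog_failures() {
    awk '$1 == "SU" && $4 == "-" && match($6, /-[^-]*$/) {
             fail[substr($6, 1, RSTART - 1)]++
         }
         END { for (u in fail) print fail[u], u }' "$1" | sort -rn
}

# sulog_root_successes FILE: print "user port date time" for every
# successful su to root, i.e. the events a policy like the one in the
# reply above requires people to explain.
sulog_root_successes() {
    awk '$1 == "SU" && $4 == "+" && match($6, /-[^-]*$/) {
             if (substr($6, RSTART + 1) == "root")
                 print substr($6, 1, RSTART - 1), $5, $2, $3
         }' "$1"
}

# sulog_failed_users_over FILE N: users with more than N failed attempts,
# a simple threshold for alerting on guessing against privileged accounts.
sulog_failed_users_over() {
    sulog_failures "$1" | awk -v n="$2" '$1 > n { print $2 }'
}

# sulog_report FILE: the two lists a reviewer wants on one screen.
sulog_report() {
    echo "Successful su to root (user port date time):"
    sulog_root_successes "$1"
    echo
    echo "Failed su attempts per user:"
    sulog_failures "$1"
}

# Stand-alone use: sh sulog_review.sh /var/adm/sulog
# With no argument the constructed sample above is used.
if [ $# -gt 0 ]; then
    sulog_report "$1"
else
    _sample=$(sulog_sample_file) && sulog_report "$_sample"
    rm -f "$_sample"
fi
```

Run it against the real file (sh sulog_review.sh /var/adm/sulog) to get the two lists; sulog_failed_users_over with a small threshold is the piece worth wiring into a cron job, since repeated '-' entries from one account against root are the pattern that should not wait for the periodic review.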