sudo or su logging

Operating Systems HP-UX sudo or su logging
# 1  
Old 07-14-2008
sudo or su logging

Jul 14 08:02:40 servera sshd[18240]: Accepted keyboard-interactive/pam for someuser from x.x.x.x port 1406 ssh2
Jul 14 08:02:48 servera su: - 1 someuser-root
Jul 14 08:03:03 servera sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/usr/bin/su -
Jul 14 08:03:03 servera su: + 1 someuser-root

Line 1 - SSH to the server
Line 2 - invalid password "sudo su -"
Lines 3,4 - Successful "sudo su -"

I would like to be able to link a failed "sudo su -" to the ssh login, but there is no data other than username.

If a user is logged in multiple times or from multiple locations there is no way to differentiate the logins.

We currently have a report emailed to us letting us know this data to determine if some users are trying to run commands they are not supposed to, but management wants more info, like hostname and/or IP address of the user at the time the command was run.

Anyone have any ideas how to add log details for sudo or su?

sudolog only shows:
SU 07/14 08:17 + 0 someuser-root
SU 07/14 08:53 + 1 someuser-root
syslog.log only shows:
Jul 14 08:02:40 servera sshd[18240]: Accepted keyboard-interactive/pam for someuser from x.x.x.x port 1406 ssh2
Jul 14 08:02:48 servera su: - 1 someuser-root
Jul 14 08:03:03 servera sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/usr/bin/su -
Jul 14 08:03:03 servera su: + 1 someuser-root

Thanks,
Kyle
# 2  
Old 07-15-2008
To solve a similar request I have added in /etc/profile:
# Record, on a single line per login, the date, the login name and the
# output of "who am i -R" (login tty plus the originating host).
LOG="who am i -R"
ME=$LOGNAME
(date; echo $ME; $LOG) | xargs >> /var/adm/logged_in

Then it's just a question of looking at last, lastb, syslog.log, sudo.log, sulog etc. and logged_in to try to guess who is who at a given time.
# 3  
Old 07-15-2008
I had considered that, but I have a problem with the "guess who is who at a given time". If one person is logged in from multiple locations you would never know who is who. In Linux there is a log_host parameter to activate, but not in HP-UX, that I have yet found.

I had considered renaming the sudo command and creating a script called sudo that the users would run, which would write logs and then actually call the sudo command. But the problem is that the script would not complete until the sudo command was completed, so if the user ran 'sudo su -' and didn't log off, the final log entry wouldn't be written until they logged off, and there are some that stay logged in for days.
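As an added example (not code from any poster in this thread): a sh/awk script that joins the sudo and su lines in syslog.log to the host recorded in /var/adm/logged_in by the /etc/profile snippet in post #2, keyed on user + tty, so the same account logged in from two hosts at once is told apart. Assumptions: each logged_in line is the xargs-flattened "date, LOGNAME, who am i -R" output (tty is the field matching pts/N, the field before it is the user, the last field is "(host)"), and the number in an "su: + 1 user-root" line is the pts suffix, matching the TTY=pts/1 of the sudo line on the page.

```shell
# Added example: join sudo/su syslog lines to the host logged at login time.
# Assumptions (not from the thread): logged_in lines are flattened
# "date ... LOGNAME <who am i -R output>", so the tty is the field matching
# pts/N, the field before it is the user, and the last field is "(host)";
# the number in "su: +|- N olduser-newuser" is the pts suffix.
correlate_sudo() {   # usage: correlate_sudo /var/adm/logged_in /var/adm/syslog/syslog.log
    awk '
    function host_for(u, t) { return ((u " " t) in seen) ? seen[u " " t] : "unknown" }
    NR == FNR {                         # file 1: the latest host per user+tty wins
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(pts\/|tty)/) { h = $NF; gsub(/[()]/, "", h); seen[$(i-1) " " $i] = h }
        next
    }
    $5 == "sudo:" {                     # file 2: "host sudo: user : TTY=... ; ... ; COMMAND=..."
        tty = "?"; if (match($0, /TTY=[^ ;]+/)) tty = substr($0, RSTART + 4, RLENGTH - 4)
        cmd = ""; if (match($0, /COMMAND=/)) cmd = substr($0, RSTART + 8)
        printf "%s %s %s sudo user=%s tty=%s from=%s cmd=%s\n", $1, $2, $3, $6, tty, host_for($6, tty), cmd
    }
    $5 == "su:" {                       # file 2: "host su: +|- N olduser-newuser" (+ ok, - failed)
        split($8, p, "-"); tty = "pts/" $7
        printf "%s %s %s su   user=%s tty=%s from=%s result=%s to=%s\n", $1, $2, $3, p[1], tty, host_for(p[1], tty), ($6 == "+" ? "ok" : "FAILED"), p[2]
    }' "$1" "$2"
}

# Constructed sample data (not from the thread): the same account is logged in
# from two hosts at once, which the username alone cannot distinguish.
demo() {
    d=$(mktemp -d)
    cat > "$d/logged_in" <<'EOF'
Mon Jul 14 07:55:02 EDT 2008 someuser someuser pts/0 Jul 14 07:55 (10.0.0.7)
Mon Jul 14 08:02:41 EDT 2008 someuser someuser pts/1 Jul 14 08:02 (192.0.2.10)
EOF
    cat > "$d/syslog.log" <<'EOF'
Jul 14 08:02:48 servera su: - 1 someuser-root
Jul 14 08:03:03 servera sudo: someuser : TTY=pts/1 ; PWD=/home/someuser ; USER=root ; COMMAND=/usr/bin/su -
Jul 14 08:03:03 servera su: + 1 someuser-root
Jul 14 08:17:10 servera sudo: someuser : TTY=pts/0 ; PWD=/home/someuser ; USER=root ; COMMAND=/usr/sbin/swlist
EOF
    correlate_sudo "$d/logged_in" "$d/syslog.log"
    rm -rf "$d"
}
```

Running `demo` attributes the failed su at 08:02:48 and the "sudo su -" at 08:03:03 to 192.0.2.10 (pts/1) and the swlist at 08:17:10 to 10.0.0.7 (pts/0); a tty with no logged_in record prints from=unknown.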
# 4  
Old 07-15-2008
And in the more delicate users' profiles (dedicated users for production etc. and root):
# Set up the shell variables:
EDITOR=vi
export EDITOR

# One history file per login: the suffix is "<user>.(<host>)" taken from
# "who am i -R", so sessions of the same account from different hosts
# get separate history files.
SUFF=`who am i -R | awk -F " " '{print $1"."$NF}'`
HISTFILE=$HOME/.sh_history.$SUFF
# Stamp the start of the session into the history (ksh: print -s appends to the history file)
print -s "LOGIN - `date '+%m-%d-%E-%H:%M'`"
HISTSIZE=4098
export HISTFILE HISTSIZE
export ENV=$HOME/.kshrc

But this gives you more work (looking at all these new files and being sure you have enough space...)