LinuxQuestions.org > Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/) > Extract SU attempts to separate log (https://www.linuxquestions.org/questions/linux-security-4/extract-su-attempts-to-separate-log-580214/)

beammeup 08-27-2007 01:36 PM

Extract SU attempts to separate log
 
I have a SOX requirement from my security team to maintain a log of su attempts for an indefinite period of time. I am wondering if it is possible to create a specific log (if one doesn't already exist) to capture and keep any su to root attempts both successful and failed.

Thanks.

unSpawn 08-27-2007 03:07 PM

a specific log (if one doesn't already exist)
Tried "grep su.pam_unix /var/log/messages"?


maintain a log of su attempts for an indefinite period of time.
Change /var/log/messages retention settings in /etc/logrotate.d/* or grep and export to another log.


I have a SOX requirement from my security team
Note this only logs the "su" auth part and not what commands the user executes. If you need a more detailed audit trail you will want a logging shell wrapper like 'rootsh' or 'sudosh' (combined with remote logging to a syslog server).

MichaelWhite 08-27-2007 10:26 PM

Edit /etc/syslog.conf to redirect everything to a separate log file (e.g. auth.log). Check on the man pages.

FrankMabrey 08-28-2007 01:44 AM

A quick shell script can grep each day's su attempts to a separate log.
Code:

TODAY-DATE=`date +"%b %d"`
SERVER-NAME="foobar"
ATTEMPTED-SU-LOG=/var/log/su.attempts
grep "$TODAY-DATE" /var/log/messages | grep "$SERVER-NAME su" >>"$ATTEMPTED-SU-LOG"

archtoad6 09-01-2007 09:01 AM

Did you test that code before you posted it?
Code:

# TODAY-DATE=`date +"%b %d"`
-su: TODAY-DATE=Sep: command not found
# echo $TODAY-DATE
-DATE

I believe you'll find that '-' is not a legal character in shell variables, although '_' is.

Furthermore, on my MEPIS 6.0 system:
Code:

# date +"%b %d"
Sep 01

while:
Code:

# less -S /var/log/messages |tail -1
Sep  1 08:34:40 localhost -- MARK --

This discrepancy in date format means that your date grep will not work for me as written. I am curious what your (unnamed) distro & OP's RHEL show.
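A corrected version of the per-day script, added here as an example and not posted by anyone in the thread: variable names use '_' instead of '-', the day stamp uses date's %e (space padded, as syslog writes it) rather than %d, and the match is anchored on the timestamp, hostname and the su process so that sudo and "-- MARK --" lines are not swept in. The log lines are constructed sample data in pam_unix/su style; the hostname foobar is taken from the script above.

```shell
#!/bin/sh
# Added example, not from the thread. Extracts su(1) attempts (successful and
# failed) for one day from a syslog-format file into a separate log.

# Today's day stamp as it appears in /var/log/messages: "%b %e" gives
# "Sep  1" (space padded) like syslog, whereas "%b %d" gives "Sep 01".
syslog_day() {
    date +"%b %e"
}

# Print the su lines for one day. $1 = log file, $2 = day stamp ("Sep  1"),
# $3 = hostname. Matches "su:" and "su[pid]:" after the host, so "sudo:" and
# the "-- MARK --" heartbeat lines are excluded. Exit status 1 if none match.
su_attempts_for_day() {
    grep -E "^$2 [0-9:]+ $3 su(\[[0-9]+\])?: " "$1"
}

# Append one day's su lines to a separate, indefinitely retained log and
# print how many lines were added. $1 = source log, $2 = day stamp,
# $3 = hostname, $4 = destination log.
archive_su_attempts() {
    matches=$(su_attempts_for_day "$1" "$2" "$3" || true)
    if [ -z "$matches" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$matches" >> "$4"
    printf '%s\n' "$matches" | grep -c ''
}

# Constructed sample log (not real data) covering the cases above.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep  1 08:12:03 foobar su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Sep  1 08:12:40 foobar su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Sep  1 08:34:40 foobar -- MARK --
Sep  1 09:00:01 foobar sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Sep  2 07:15:22 foobar su[3102]: FAILED SU (to root) bob on /dev/pts/2
Sep  2 11:41:09 foobar su: pam_unix(su:session): session opened for user root by alice(uid=1000)
EOF

# Demo on the sample: 1 September has two su lines (one success, one failure).
archive_su_attempts "$SAMPLE_LOG" "Sep  1" foobar "$(mktemp)"
```

In production the day stamp would come from syslog_day and the destination would be the separate su log, e.g. /var/log/su.attempts, with its own logrotate entry set to never delete.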
