Logging Activities when su command is issued

devUnix · 10-21-2010, 09:16 AM

Hi,

I want to log the following information whenever a user executes "su - root"

The User Name who is executing the "su" command and
Date & Time (timestamp) when he/she does it

I have tried this:

In the file /etc/profile

I have entered this line:

Code:

echo $USER >> /tmp/logins.log

But, as we know, the file /etc/profile is executed when a user logs-in. So, the user name, which gets recorded, is that of the root itself instead of the user who is executing the "su" command.

Any ideas to achieve the desired result?

I put in other words: I want to track down whenever a user issues "su - root" so that I can know who performed a particular activity on the server.

The problem is that, let's say, we are 10 people in the support. We have our own log-in credentials. But to perform certain tasks we need to "su - root". But that makes it difficult for us to determine who did what.

In fact, we are not using the root account. We have a log-in account which has been assigned sufficient permissions for the activities. We do this "su - specialUser" and perform those activities. But as the case is, it is not practical to determine who did what as we all know specialUser's password.

Is the problem clear now? Please ask me if you need more details. One more point, we are not using "sudoers" or "sudo". Why? That is the policy of the client / customer that a special user account be created and be used for those special activities which normal users can't perform.

anomie · 10-21-2010, 09:34 AM

What distro/version? This may be already getting logged.

devUnix · 10-21-2010, 01:08 PM

Quote:

Originally Posted by anomie

What distro/version? This may be already getting logged.

System-1:

Code:

bash-3.2$ uname -vrs
AIX 3 5

System-2:

Code:

[root@host-6-14 ~]$ uname -rs
Linux 2.6.18.1

anomie · 10-21-2010, 01:34 PM

How about -

Code:

$ cat /etc/issue

- on the Linux system?

(I don't know AIX.)

devUnix · 10-21-2010, 02:06 PM

Quote:

Originally Posted by anomie

How about -

Code:

$ cat /etc/issue

- on the Linux system?

(I don't know AIX.)

Code:

[root@host-6-14 ~]$ cat /etc/issue
Fedora Core release 2 (Tettnang)
Kernel \r on an \m

[root@host-6-14 ~]$


[root@host-6-14 ~]$ uname -r -m
2.6.18.1 i686
[root@host-6-14 ~]$

TB0ne · 10-21-2010, 02:22 PM

Quote:

Originally Posted by devUnix

Hi,
I want to log the following information whenever a user executes "su - root"

The User Name who is executing the "su" command and
Date & Time (timestamp) when he/she does it

I have tried this:
In the file /etc/profile I have entered this line:

Code:

echo $USER >> /tmp/logins.log

But, as we know, the file /etc/profile is executed when a user logs-in. So, the user name, which gets recorded, is that of the root itself instead of the user who is executing the "su" command.

Any ideas to achieve the desired result?

I put in other words: I want to track down whenever a user issues "su - root" so that I can know who performed a particular activity on the server.

The problem is that, let's say, we are 10 people in the support. We have our own log-in credentials. But to perform certain tasks we need to "su - root". But that makes it difficult for us to determine who did what.

In fact, we are not using the root account. We have a log-in account which has been assigned sufficient permissions for the activities. We do this "su - specialUser" and perform those activities. But as the case is, it is not practical to determine who did what as we all know specialUser's password.

Is the problem clear now? Please ask me if you need more details. One more point, we are not using "sudoers" or "sudo". Why? That is the policy of the client / customer that a special user account be created and be used for those special activities which normal users can't perform.

The only thing that springs to my mind, is to move the actual "su" binary somewhere out of the normal path, and substitute your own "su" script file for it. That way, when the person executes an "su - specialuser", their logname/uid will be their OWN, and you can write it off to a log file. From there, you have their logname as a variable, and can pass it to the real 'su' command, where it will function normally.

May not work, but that's just a quick thought.

anomie · 10-21-2010, 05:35 PM

Relatively current RH-family distros log su(1) activity to /var/log/secure. (Presumably it's using syslogd(8)'s authpriv facility.)

But Fedora Core 2?? No idea. If you can't figure it out, you may be stuck wrapping it as mentioned.

urapain · 10-27-2010, 10:13 AM

If you are rolling your own audit system, you should consider OSSEC (free). It is pretty easy to setup, and the default config covers a lot of territory. It monitors logon and su activity, as well as system modifications. Unless you have a really rock hard reason for sticking with FC2 I highly recommend Ubuntu.