RE: Seeing who has su-ed

From: Thomas Cameron (ThomasC@mip.com)
Date: 03/21/03

  • Next message: Giuliano Pochini: "RE: Seeing who has su-ed" 
    From: Thomas Cameron <ThomasC@mip.com>
To: "Security Focus-Linux (focus-linux@securityfocus.com)" <focus-linux@securityfocus.com>
Date: Fri, 21 Mar 2003 13:18:45 -0600

    I use a combination of w and ps:

    [root@linux root]# ps ax
      PID TTY STAT TIME COMMAND
        1 ? S 0:04 init [3]
    ...
    ...
    ...
    thomasc 5551 0.3 0.7 6720 2032 ? S 13:20 0:00
    /usr/sbin/sshd
    thomasc 5552 1.1 0.5 4136 1416 pts/1 S 13:20 0:00 -bash
    root 5592 0.4 0.3 3832 1004 pts/1 S 13:20 0:00 su -
    root 5593 3.5 0.5 4216 1496 pts/1 S 13:20 0:00 -bash

    [root@linux root]# w
     10:34am up 13 days, 16:12, 2 users, load average: 0.14, 0.03, 0.01
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
    root tty1 - Tue11am 2days 1.35s 0.02s /bin/sh
    /usr/X1
    thomasc pts/0 172.16.10.53 10:34am 0.00s 0.20s 0.02s w

    Or if you want to go really crazy, use:

    [root@linux root]# ps aux --forest
    root 595 0.0 0.3 3276 992 ? S Mar07 0:04
    /usr/sbin/sshd
    root 4799 0.0 0.7 6696 1832 ? S 10:34 0:00
    \_/usr/sbin/sshd
    thomasc 4801 0.0 0.7 6720 2036 ? S 10:34 0:00
    \_/usr/sbin/sshd
    thomasc 4802 0.0 0.5 4136 1416 pts/0 S 10:34 0:00 \_-bash
    root 4842 0.0 0.3 3832 1008 pts/0 S 10:34 0:00 \_ su
    -
    root 4843 0.0 0.5 4216 1496 pts/0 S 10:34 0:00 \_
    -bash
    root 4903 0.0 0.2 2584 668 pts/0 R 10:36 0:00
    \_ ps aux --forest

    Regards,
    Thomas Cameron, RHCE, CNE, MCSE, MCT
    Best Software - Non Profit and Government Division
    (512) 454-1844 x 307

    For the protection of our internal systems and those of our customers, Best
    Software, Inc., blocks most email attachments. Please use plain text when
    corresponding via email with Best Software.

  • Next message: Giuliano Pochini: "RE: Seeing who has su-ed"