Re: Seeing who has su-ed
From: Alvin Oga (alvin.sec@Mail.Linux-Consulting.com)
Date: Fri, 21 Mar 2003 12:49:08 -0800 (PST) From: Alvin Oga <alvin.sec@Mail.Linux-Consulting.com> To: "Klotz, Brian" <Brian_Klotz@heald.edu>
On Thu, 20 Mar 2003, Klotz, Brian wrote:
> I teach a Linux basics course and each term I have the problem of students
> who do an su to become root, then rather than exiting, they su again to go
> back to their regular account. The trouble is identifying when someone has
> done this (they usually don't remember). The "who" command only shows login
> shells (AFAIK) so it does not reveal when someone has su-ed.
> Does anyone know of a way to list all of the users currently logged in,
> including when someone has su-ed to become another user?
root:~# tail -100 /var/log/secure
Mar 21 12:45:18 xx su: Authentication failed for alvin
Mar 21 12:45:18 xx su: - pts/24 alvin-alvin
Mar 21 12:45:23 xx su: Authentication failed for alvin
Mar 21 12:45:23 xx su: - pts/24 alvin-alvin
Mar 21 12:45:26 xx su: + pts/24 alvin-alvin
works for me... tell me time/date that "alvin" su to become others
and if i su - root ... and i forget the passwd ...
Mar 21 12:46:53 Guru su: + pts/24 root-alvin
Mar 21 12:47:10 Guru su: Authentication failed for root
Mar 21 12:47:10 Guru su: - pts/24 alvin-root
good for slackware-8.1
and history to see what they did...
and run scripts to see all that they typed, even inside vi (?)