Re: Seeing who has su-ed

From: Alvin Oga (alvin.sec@Mail.Linux-Consulting.com)
Date: 03/21/03

  • Next message: Andy Walden: "Re: Seeing who has su-ed"
    Date: Fri, 21 Mar 2003 12:49:08 -0800 (PST)
    From: Alvin Oga <alvin.sec@Mail.Linux-Consulting.com>
    To: "Klotz, Brian" <Brian_Klotz@heald.edu>
    
    

    hi ya

    On Thu, 20 Mar 2003, Klotz, Brian wrote:

    >
    > I teach a Linux basics course and each term I have the problem of students
    > who do an su to become root, then rather than exiting, they su again to go
    > back to their regular account. The trouble is identifying when someone has
    > done this (they usually don't remember). The "who" command only shows login
    > shells (AFAIK) so it does not reveal when someone has su-ed.
    >
    > Does anyone know of a way to list all of the users currently logged in,
    > including when someone has su-ed to become another user?

    root:~# tail -100 /var/log/secure
    ....
    Mar 21 12:45:18 xx su[28280]: Authentication failed for alvin
    Mar 21 12:45:18 xx su[28280]: - pts/24 alvin-alvin
    Mar 21 12:45:23 xx su[28281]: Authentication failed for alvin
    Mar 21 12:45:23 xx su[28281]: - pts/24 alvin-alvin
    Mar 21 12:45:26 xx su[28282]: + pts/24 alvin-alvin

    works for me... tell me time/date that "alvin" su to become others
    and if i su - root ... and i forget the passwd ...

    Mar 21 12:46:53 Guru su[28294]: + pts/24 root-alvin
    Mar 21 12:47:10 Guru su[28352]: Authentication failed for root
    Mar 21 12:47:10 Guru su[28352]: - pts/24 alvin-root

    good for slackware-8.1

    and history to see what they did...

    and run scripts to see all that they typed, even inside vi (?)

    c ya
    alvin


  • Next message: Andy Walden: "Re: Seeing who has su-ed"