System Administration Guide: Security Services

Monitoring and Restricting Superuser

An alternative to using the superuser account is to set up role-based access control (RBAC). For overview information on RBAC, see Chapter 5, Role-Based Access Control (Overview). For how to set up RBAC, see Chapter 6, Role-Based Access Control (Tasks).

How to Monitor Who Is Using the su Command

The sulog file lists every use of the su command, not only the su attempts that are used to switch from user to superuser.

  1. Become superuser or assume an equivalent role.

  2. Monitor the contents of the /var/adm/sulog file on a regular basis.


    # more /var/adm/sulog
    SU 12/20 16:26 + pts/0 nathan-root
    SU 12/21 10:59 + pts/0 nathan-root
    SU 01/12 11:11 + pts/0 root-janedoe
    SU 01/12 14:56 + pts/0 pmorph-root
    SU 01/12 14:57 + pts/0 pmorph-root

    The entries display the following information:

    • The date and time that the command was entered

    • Whether the attempt was successful

      A + indicates a successful attempt. A - indicates an unsuccessful attempt.

    • The port from which the command was issued

    • The name of the user and the name of the switched identity

    The su logging in this file is enabled by default through the following entry in the /etc/default/su file:


    SULOG=/var/adm/sulog
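The fields described above can be checked mechanically rather than by paging through the file. The following shell functions are an added example, not part of the original guide: they assume the six-field layout shown in the sample output, the function names are hypothetical, and the sample entries (including the failed attempts) are constructed.

```shell
#!/bin/sh
# Added example. Assumed sulog layout, as in the listing above:
#   SU MM/DD HH:MM {+|-} tty from-to

# Constructed sample in the sulog format; the "-" entries are made up.
sample_sulog() {
cat <<'EOF'
SU 12/20 16:26 + pts/0 nathan-root
SU 12/21 10:59 + pts/0 nathan-root
SU 01/12 11:11 + pts/0 root-janedoe
SU 01/12 14:56 - pts/0 pmorph-root
SU 01/12 14:57 - pts/0 pmorph-root
SU 01/12 14:58 + pts/0 pmorph-root
EOF
}

# su_failures [FILE]: print "count from-to" for every identity pair with
# at least one unsuccessful (-) attempt, highest count first.
su_failures() {
    awk '$1 == "SU" && $4 == "-" { n[$6]++ }
         END { for (p in n) print n[p], p }' "$@" | sort -k1,1nr -k2
}

# su_root_after_fail [FILE]: print "date time tty from-to" for each
# successful switch to root that follows a failed attempt by the same pair.
# sulog records no year, so file order is used instead of comparing dates.
# The target is matched as a "-root" suffix because user names may
# themselves contain hyphens.
su_root_after_fail() {
    awk '$1 == "SU" && $4 == "-" { failed[$6] = 1; next }
         $1 == "SU" && $4 == "+" && $6 ~ /-root$/ && failed[$6] {
             print $2, $3, $5, $6
             delete failed[$6]
         }' "$@"
}

# Demonstration on the constructed sample.
sample_sulog | su_failures
sample_sulog | su_root_after_fail
```

On a live system, pass the log path as the argument while running as superuser, for example su_failures /var/adm/sulog.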

How to Display Superuser (root) Access Attempts to the Console

  1. Become superuser or assume an equivalent role.

  2. Edit the /etc/default/su file.

  3. Uncomment the following line:


    CONSOLE=/dev/console

  4. Use the su command to become root.

    Verify that a message is printed on the system console.

    This method immediately detects someone who is trying to gain superuser access to the system that you are on.

How to Prevent Remote Login by Superuser (root)


Note –

Superuser login is restricted to the console by default when you install the Solaris release.


  1. Become superuser or assume an equivalent role.

  2. Edit the /etc/default/login file.

  3. Uncomment the following line:


    CONSOLE=/dev/console

    When superuser access is restricted to the console, you can log in to a system as superuser only from the console. Any users who try to remotely log in to this system must first log in with their user login. After logging in with their user name, users then use the su command to become superuser.

  4. Attempt to log in remotely as superuser to this system, and verify that the operation fails.