Monitoring Who Is Using the su Command

You can monitor su attempts by monitoring the /var/adm/sulog file. This file logs each time the su command is used. The su logging in this file is enabled by default through the following entry in the /etc/default/su file:

SULOG=/var/adm/sulog

The sulog file lists all uses of the su command, not only the su attempts that are used to switch from user to superuser. The entries show the date and time the command was entered, whether or not the attempt was successful (+ or -), the port from which the command was issued, and finally, the name of the user and the switched identity.

Through the /etc/default/su file, you can set up the system to display on the console each time an attempt is made to use the su command to gain superuser access from a remote system. This method is a good way to immediately detect someone who is trying to gain superuser access on the system that you are currently working on. See the following section for detailed instructions.

How to Monitor Who Is Using the su Command

1. Become superuser or assume an equivalent role.

2. Monitor the contents of the /var/adm/sulog file on a regular basis.

   # more /var/adm/sulog SU 12/20 16:26 + pts/0 nathan-root SU 12/21 10:59 + pts/0 nathan-root SU 01/12 11:11 + pts/0 root-joebob SU 01/12 14:56 + pts/0 pmorph-root SU 01/12 14:57 + pts/0 pmorph-root

How to Display Superuser (root) Access Attempts to the Console

1. Become superuser or assume an equivalent role.

2. Edit the /etc/default/su file.

3. Uncomment the following line:

   CONSOLE=/dev/console

   Use the su command to become root, and verify that a message is printed on the system console.