You can monitor su attempts by examining the /var/adm/sulog file, which records each use of the su command. Logging to this file is enabled by default through the following entry in the /etc/default/su file:
SULOG=/var/adm/sulog
The sulog file lists all uses of the su command, not only attempts to switch from an ordinary user to superuser. Each entry shows the date and time the command was entered, whether the attempt succeeded (+) or failed (-), the port from which the command was issued, and finally the name of the user who ran su and the identity that was switched to, in the form user-identity.
Through the /etc/default/su file, you can also set up the system to display a message on the console each time an attempt is made to use the su command to gain superuser access from a remote system. This is a good way to immediately detect someone who is trying to gain superuser access on the system that you are currently working on. See the following section for detailed instructions.
Monitor the contents of the /var/adm/sulog file on a regular basis.
# more /var/adm/sulog
SU 12/20 16:26 + pts/0 nathan-root
SU 12/21 10:59 + pts/0 nathan-root
SU 01/12 11:11 + pts/0 root-joebob
SU 01/12 14:56 + pts/0 pmorph-root
SU 01/12 14:57 + pts/0 pmorph-root
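Reading the whole file with more does not scale once sulog grows, and the entries that matter on review are the failed attempts and the successful switches to root. The following script is an added example, not part of the Solaris documentation, that triages sulog-format lines with awk using the field layout described above. It assumes that user names do not contain a hyphen, so the last hyphen in the final field separates the originating user from the switched identity; the sample entries are constructed here and include one failed attempt so that the failure paths are exercised.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): quick triage of
# /var/adm/sulog entries. Field layout as described on the page:
#   SU  MM/DD  HH:MM  +|-  port  fromuser-touser
# Assumption: user names contain no "-", so the last "-" splits from/to.

# Constructed sample in the sulog format, including one failed attempt.
SULOG_SAMPLE='SU 12/20 16:26 + pts/0 nathan-root
SU 12/21 10:59 + pts/0 nathan-root
SU 01/12 11:11 + pts/0 root-joebob
SU 01/12 14:56 - pts/0 pmorph-root
SU 01/12 14:57 + pts/0 pmorph-root'

# Print every failed su attempt (status field is "-"), reading stdin.
failed_su() {
    awk '$1 == "SU" && $4 == "-" { print }'
}

# Count successful switches to root made by someone other than root.
root_gains() {
    awk '$1 == "SU" && $4 == "+" {
            n = split($6, p, "-")
            if (p[n] == "root" && p[1] != "root") c++
        }
        END { print c + 0 }'
}

# Tally failed attempts per originating user, printed as "user count".
failed_by_user() {
    awk '$1 == "SU" && $4 == "-" { split($6, p, "-"); f[p[1]]++ }
         END { for (u in f) print u, f[u] }' | sort
}

# Stand-alone run over the constructed sample. On a real system, read the
# log instead:  failed_su < /var/adm/sulog
printf '%s\n' "$SULOG_SAMPLE" | failed_su
printf '%s\n' "$SULOG_SAMPLE" | root_gains
printf '%s\n' "$SULOG_SAMPLE" | failed_by_user
```

Each function reads from standard input, so the same functions can be pointed at the live file (for example, `failed_by_user < /var/adm/sulog`) or at a saved copy during an investigation. A user who accumulates several "-" entries in a short span is the pattern worth following up on, since sulog records the failure but not how many password guesses preceded it.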