How to Monitor Who Is Using the su Command

The sulog file lists every use of the switch user (su) command, not only the su attempts that are used to switch from user to root.

The su logging in this file is enabled by default through the following entry in the /etc/default/su file:

SULOG=/var/adm/sulog

Note: If you are using the account-policy SMF stencil and the config/etc_default_passwd property is enabled, you must change the corresponding SMF property on every system that will use this new algorithm. For examples, see the procedures in Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

Troubleshooting: Entries that include ??? indicate that the controlling terminal for the su command cannot be identified. Typically, system invocations of the su command before the desktop appears include ???, as in SU 10/10 08:08 + ??? root-root. After the user starts a desktop session, the ttynam command returns the value of the controlling terminal to the sulog: SU 10/10 10:10 + pts/3 jdoe-root.

Entries similar to the following can indicate that the su command was not invoked on the command line: SU 10/10 10:20 + ??? root-oracle. A Trusted Extensions user might have switched to the oracle role by using a GUI.
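The following is an added example, not part of the Oracle documentation, that parses sulog records in the layout shown above (SU date time +/- tty from-to) and flags the two things a reviewer of this file looks for: switches with no identifiable controlling terminal (???) and repeated failed attempts. The sample lines are constructed; the first three are the entries quoted above, the rest are invented, and the regular expression assumes the originating user name contains no hyphen.

```python
"""Review Solaris /var/adm/sulog records (added example, not Oracle's code)."""
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Record layout: SU <MM/DD> <HH:MM> <+|-> <tty> <from-user>-<to-user>
# '+' is a successful switch, '-' a failed attempt. '???' means the
# controlling terminal could not be identified. Assumes no '-' in from-user.
SULOG_RE = re.compile(
    r"^SU\s+(?P<date>\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<status>[+-])\s+(?P<tty>\S+)\s+(?P<src>[^-\s]+)-(?P<dst>\S+)$"
)

class SuEntry(NamedTuple):
    date: str
    time: str
    success: bool
    tty: Optional[str]  # None when the record shows '???'
    from_user: str
    to_user: str

def parse_sulog_line(line: str) -> Optional[SuEntry]:
    """Return a structured entry, or None for a line that is not a sulog record."""
    m = SULOG_RE.match(line.strip())
    if not m:
        return None
    tty = None if m["tty"] == "???" else m["tty"]
    return SuEntry(m["date"], m["time"], m["status"] == "+", tty, m["src"], m["dst"])

def review_sulog(lines: List[str], fail_threshold: int = 3) -> Tuple[List[SuEntry], List[str]]:
    """Parse all records and return (entries, findings worth a closer look)."""
    entries = [e for e in map(parse_sulog_line, lines) if e is not None]
    findings, failures = [], Counter()
    for e in entries:
        if not e.success:
            failures[(e.from_user, e.to_user)] += 1
        # A switch to a different user/role with no controlling terminal: either a
        # system invocation before the desktop is up or a GUI role switch; confirm it.
        if e.tty is None and e.success and e.from_user != e.to_user:
            findings.append(f"{e.date} {e.time}: {e.from_user}->{e.to_user} with no controlling terminal")
    for (src, dst), n in failures.items():
        if n >= fail_threshold:
            findings.append(f"{n} failed su attempts {src}->{dst}")
    return entries, findings

# Constructed sample: lines 1-3 are the documentation's examples, 4-6 are invented.
SAMPLE_SULOG = [
    "SU 10/10 08:08 + ??? root-root",
    "SU 10/10 10:10 + pts/3 jdoe-root",
    "SU 10/10 10:20 + ??? root-oracle",
    "SU 10/10 10:21 - pts/4 jdoe-root",
    "SU 10/10 10:22 - pts/4 jdoe-root",
    "SU 10/10 10:23 - pts/4 jdoe-root",
]
```

On a live system, read the file named by SULOG in /etc/default/su and pass its lines to review_sulog.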