root restrictions

John F Haugh II jfh at rpp386.cactus.org
Sat Jun 15 14:29:49 AEST 1991


In article <1991Jun14.045407.23003 at kithrup.COM> sef at kithrup.COM (Sean Eric Fagan) writes:
>In article <8439 at awdprime.UUCP> shaggy at kleikamp.austin.ibm.com (David J. Kleikamp) writes:
>>What good is it to restrict root logins to the console if you do allow other
>>users to su to root from other TTY's?
>
>Anyone can log in, and you won't know whom it was.  On the other hand, su
>keeps a log (or can; I believe it does under AIX).  True, someone can edit
>the log file, but that's less likely.

As I recall (and I can ask Tom when I see him tomorrow), "su" does not
support the /usr/adm/sulog like other "su"'s do.  It performs auditing,
which is implemented in such a way that it can be made untamperable.

To find out who is su'ing to root, turn on auditing for the appropriate
audit event for all of your users.  su will then cut an audit record
every time someone uses it.  Each record contains enough information to
figure out who done it.
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"UNIX signals are not interrupts.  Worse, SIGCHLD/SIGCLD is not even a UNIX
 signal, it's an abomination."  -- Doug Gwyn
