Here's a real question: do you need to know, realtime, when someone's su'ing to root? Would a daily or hourly report work?
And then there's another point: how many people can su to root? They SHOULD NOT BE DOING THAT if they're not the sysadmins. iff (if and only if) some users *really* need to have superuser privileges, they should be sudoing, and in that case, every single command they issue (sudo rm -r /, for example <g>) will be logged to /var/log/secure, and what account the did it from. That might be a *lot* more useful.
In addition, you can limit what commands they can use *with* sudo.
mark
---- Original message ----
>Date: Fri, 13 Mar 2009 16:45:40 -0400
>From: Hike <mh1272@xxxxxxxxx>
>Subject: Re: email when user su's to root
>To: General Red Hat Linux discussion list <redhat-list@xxxxxxxxxx>
>
>Your authlog shoud have this (or sulog).
>You can use wrapper for su that takes action, also.
>
>On Mar 13, 2009, at 9:43 AM, "Anne Moore" <diabeticithink@xxxxxxxxx>
>wrote:
>
>> HI All,
>>
>> Does anyone know how I'd make an automatic email fly off every time
>> a user
>> SU's to root? We're have security issues, and we're needed to track
>> it.
>>
>> Thank you for your assistance with this.
>>
>> Anne
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
>
>--
>redhat-list mailing list
>unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>https://www.redhat.com/mailman/listinfo/redhat-list
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
