Thanks for the many helpful responses! Original question was how
to log su's?
The most helpful appears to be to turn on logging of su like this:
uncomment the line:

    auth.notice ifdef(`LOGHOST', /var/log/authlog, @loghost)

in the file /etc/syslog.conf. Make sure loghost is defined in /etc/hosts.
If you don't want to do this, define the file name directly in
the line above.
These messages are also logged to /var/adm/messages (along with
a lot of other stuff) by default.
Other comments:
1) Be very careful of suid shell scripts -- use C or Perl.
I was personally planning to use Perl, though I don't see
the necessity now that I know how to do the logging to "authlog".
2) Consider using the C2 security package.
This seemed moderately complicated to set up given what we
need. I was also concerned about extra overhead.
3) Look into the package log_tcp with an rfc931 daemon like pauthd.
This records tcp connections.
Honor Roll:
Brian Bartholomew
Doug Neuhauser
bill@aloft.att.com
Richard Feuerriege
David Fetrow
poul@nilu.no
Peter Samuel
Ace Stewart
Daneel Pang
Graham Campbell
Soren Larsen
danny@ews7.dseg.ti
Mike Raffety
Dunstan_Vavasour
Ole Holm Nielsen
James A. Carhart
Robert M. Kuhn
Tim Evans
Ian Angles
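
Added example (not part of the original post): a shell check for the setup the summary describes, reporting whether the auth.notice line in a syslog.conf is uncommented and, when it uses the LOGHOST form, whether loghost is defined in the hosts file. The function name, status words and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: checks the setup the summary describes.
# Only a dedicated line whose selector is exactly "auth.notice" is considered;
# combined selectors such as "*.err;auth.notice" are ignored on purpose.
# Prints one of: ok-file ok-loghost no-loghost commented missing unknown-action
# Returns 0 only for the two ok-* results.
check_su_logging() {
    conf=$1
    hosts=$2
    # Action field of the first active (uncommented) auth.notice line, if any.
    action=$(awk '$1 == "auth.notice" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$conf")
    if [ -z "$action" ]; then
        if grep '^[[:space:]]*#[[:space:]]*auth\.notice' "$conf" >/dev/null; then
            echo commented      # line exists but was never uncommented
        else
            echo missing
        fi
        return 1
    fi
    case $action in
        /*) echo ok-file; return 0 ;;   # file name defined directly
        ifdef*|@loghost*)
            # The name loghost must appear as a host name or alias in hosts.
            if awk '{ sub(/#.*/, "") }
                    { for (i = 2; i <= NF; i++) if ($i == "loghost") found = 1 }
                    END { exit !found }' "$hosts"; then
                echo ok-loghost; return 0
            fi
            echo no-loghost; return 1 ;;
        *) echo unknown-action; return 1 ;;
    esac
}

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/syslog.conf" <<'EOF'
*.err;kern.notice;auth.notice	/dev/console
auth.notice	ifdef(`LOGHOST', /var/log/authlog, @loghost)
EOF
printf '127.0.0.1\tlocalhost\tloghost\n' > "$demo_dir/hosts"
check_su_logging "$demo_dir/syslog.conf" "$demo_dir/hosts"
```

On a real host the two arguments would be /etc/syslog.conf and /etc/hosts.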
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:49 CDT