Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!cs.utexas.edu!chinacat!sequoia!rpp386!jfh
From: jfh@rpp386.cactus.org (John F Haugh II)
Newsgroups: comp.unix.aix
Subject: Re: root restrictions
Message-ID: <19387@rpp386.cactus.org>
Date: 15 Jun 91 04:29:49 GMT
References: <1991Jun12.180648.27815@bnlux1.bnl.gov> <8439@awdprime.UUCP> <1991Jun14.045407.23003@kithrup.COM>
Reply-To: jfh@rpp386.cactus.org (John F Haugh II)
Organization: Lone Star Cat Grill and Sushi Bar, The Republic of Texas
Lines: 22
X-Clever-Slogan: Please send money. I need another NRA Life Membership.

In article <1991Jun14.045407.23003@kithrup.COM> sef@kithrup.COM (Sean Eric Fagan) writes:
>In article <8439@awdprime.UUCP> shaggy@kleikamp.austin.ibm.com (David J. Kleikamp) writes:
>>What good is it to restrict root logins to the console if you do allow other
>>users to su to root from other TTY's?
>
>Anyone can log in, and you won't know whom it was. On the other hand, su
>keeps a log (or can; I believe it does under AIX). True, someone can edit
>the log file, but that's less likely.

As I recall (and I can ask Tom when I see him tomorrow), "su" does not
support the /usr/adm/sulog like other "su"'s do. It performs auditing,
which is implemented in such a way that it can be made untamperable.

To find out who is su'ing to root, turn on auditing for the appropriate
audit event for all of your users. su will then cut an audit record
every time someone uses it. Each record contains enough information to
figure out who done it.
--
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) | Domain: jfh@rpp386.cactus.org
"UNIX signals are not interrupts. Worse, SIGCHLD/SIGCLD is not even a
 UNIX signal, it's an abomination." -- Doug Gwyn