Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!adm!mccalpin@masig1
From: mccalpin@masig1 (John D. McCalpin)
Newsgroups: comp.unix.questions
Subject: sulog check
Message-ID: <8950@brl-adm.ARPA>
Date: Sat, 22-Aug-87 12:36:19 EDT
Article-I.D.: brl-adm.8950
Posted: Sat Aug 22 12:36:19 1987
Date-Received: Sun, 23-Aug-87 12:17:39 EDT
Sender: news@brl-adm.ARPA
Lines: 31

In response to the following request:

! Let's say I want to output any line from the sulog that indicates that a
! user other than root, news or me attempted to su.  The format of the sulog
! records is:
!
! SU 08/05 09:30 + tty02 msi-root
!
! (awk script was included here)

There was a recent reply:

> Unless there is more to your awk script than simply writing out the
> offending lines, what's wrong with:
>
>     `egrep -v "root|news|mel" /usr/adm/sulog`

This contains a very serious bug !!!  For example, the line:

    SU 08/05 09:30 + tty02 pirate-root

would NOT BE FLAGGED because it contains the string 'root' !

A correct egrep command is:

    egrep -v 'root-|news-|me-' /usr/adm/sulog

I have this in a shell script that is executed by my login file.  It is
run with the setuid attribute because /usr/adm/sulog is not publicly
readable.  I am working on a version that would take its userlist from a
file, or perhaps from a group list in /etc/group, but this works fine as
is.

John D. McCalpin
mccalpin@fsu.BITNET
mccalpin%fsu.MFENET@nmfecc.ARPA
mccalpin@masig1.fsu.edu (REAL SOON NOW)
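As an added example (not part of the original post or the replies it quotes), a shell script that parses the from-to field of each sulog record instead of matching substrings on the whole line, and reports su attempts by anyone outside an allowed list. The record layout is the one quoted in the thread; the sample records and the name list 'root|news|mel' are constructed, and the script assumes user names contain no '-'.

```shell
#!/bin/sh
# Added example (not from the original post): filter sulog records by parsing
# the "from-to" field rather than by substring match on the whole line.
# Record layout as quoted in the thread:  SU MM/DD HH:MM +|- ttyNN from-to
# Assumption: user names contain no "-", so the first "-" separates from/to.

# Constructed sample records for demonstration.
SAMPLE_SULOG='SU 08/05 09:30 + tty02 msi-root
SU 08/05 09:31 + tty02 pirate-root
SU 08/05 09:32 - tty03 news-root
SU 08/05 09:33 + tty01 root-news
SU 08/05 09:34 + tty04 mel-root'

# The approach from the quoted reply: drop any line containing an allowed name
# anywhere in it.  Every record above contains "root", so it reports nothing,
# and "pirate-root" slips through unnoticed.
substring_filter() {
    grep -Ev "$1"
}

# Usage: flag_su_attempts 'root|news|mel'  < sulog
# Prints each record whose originating user (text before the "-" in the last
# field) is not one of the allowed names.  The name is matched as a whole
# field, so "pirate-root" and "msi-root" are still reported.
flag_su_attempts() {
    awk -v allowed="$1" '
        $1 == "SU" {
            split($NF, pair, "-")            # pair[1] = from, pair[2] = target
            if (pair[1] !~ "^(" allowed ")$") print
        }'
}

# Stand-alone run: shows the two records the substring filter would hide.
printf '%s\n' "$SAMPLE_SULOG" | flag_su_attempts 'root|news|mel'
```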