Monitoring Superuser Access

Introduction

When the operating system is installed, a superuser is created, with an UID of 0. The usage of the su command is recorded in /var/adm/sulog.

To record in the first place you need to do the following. In the file /etc/default/su, uncomment the entry:

1	`SULOG=/var/adm/sulog.`

Save it.

The entries look like this (/var/adm/sulog):

MO 02/18 14:21 + pts/0 nrocha-root
TU 02/19 14:45 - pts/0 root-nrocha
WE 02/20 19:47 + pts/0 amaria-nrocha

The first three columns show the time the event occurred.
The fourth column shows a - for failed access and a + for successful access.
The fifth column shows which port the access was made from.
The last column shows the name of the user who tried to switch users and the switched user.

Note: This procedure was tested on the Solaris 10 OS.