login sudo su - attempts

Hi, we have multiple users on a shared platform where people use sudo su - to become root on Solaris. I suspect some users are becoming root and doing some mischievous activities. I want to monitor and document the list of users who are becoming root using sudo. Thanks in advance.
conversekid (asker):
/var/adm/sulog is telling me who is becoming root, but after that I am unable to tell what commands they are executing. I want to log all the commands they execute after becoming root.
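The sulog entry records the su itself; sudo's own log line (sent to syslog) is what names the invoking account and the command it ran, and a command that is a shell or su is exactly the point where per-command logging stops. The script below is an added example, not part of the thread: it parses constructed samples of both record types and reports who obtained a root shell. It assumes the standard Solaris sulog layout `SU mm/dd HH:MM [+-] tty from-to` and sudo's default syslog line format; the account names and the log contents are made up, and the hostname v02226 is borrowed from the prompt shown later in the thread.

```python
"""Who became root, and how: correlate Solaris sulog entries with sudo's syslog lines.

Added example with constructed sample data (not from the thread).  Assumes the
standard sulog layout `SU mm/dd HH:MM [+-] tty from-to` and sudo's default
syslog line `sudo: user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`.
"""
import re
from collections import Counter, defaultdict

# Constructed /var/adm/sulog sample: '+' is a successful su, '-' a failed one.
SULOG = """\
SU 09/11 10:22 + pts/3 alice-root
SU 09/11 10:25 - pts/7 bob-root
SU 09/11 10:26 + pts/7 bob-root
SU 09/11 11:02 + console root-oracle
SU 09/12 08:40 + pts/2 carol-root
"""

# Constructed sudo syslog sample (hostname v02226 taken from the thread's prompt).
SUDO_LOG = """\
Sep 11 10:22:01 v02226 sudo:    alice : TTY=pts/3 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su -
Sep 11 10:26:10 v02226 sudo:      bob : TTY=pts/7 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Sep 11 10:30:44 v02226 sudo:     dave : TTY=pts/9 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/apache/bin/apachectl restart
Sep 12 08:40:05 v02226 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su -
"""

SULOG_RE = re.compile(r"^SU (\d\d/\d\d) (\d\d:\d\d) ([+-]) (\S+) (\S+)-(\S+)$")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : TTY=(\S+) ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")
# Programs that leave the user at an interactive prompt: sudo logs only the
# program itself, nothing typed afterwards.
SHELLS = {"su", "sh", "bash", "ksh", "csh", "tcsh", "zsh"}


def parse_sulog(text):
    """Parse sulog lines into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if m:
            date, time, flag, tty, src, dst = m.groups()
            entries.append({"date": date, "time": time, "ok": flag == "+",
                            "tty": tty, "src": src, "dst": dst})
    return entries


def root_su_attempts(entries):
    """Count successful and failed su-to-root attempts per originating account."""
    ok, failed = Counter(), Counter()
    for e in entries:
        if e["dst"] == "root":
            (ok if e["ok"] else failed)[e["src"]] += 1
    return ok, failed


def parse_sudo(text):
    """Parse sudo's syslog lines into dicts: invoking user, tty, target user, command."""
    entries = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            user, tty, target, cmd = m.groups()
            entries.append({"user": user, "tty": tty, "target": target, "cmd": cmd.strip()})
    return entries


def shell_escalations(sudo_entries):
    """Map each user to the sudo commands that gave them an interactive root shell.

    Anything typed inside that shell never reaches sudo's log, which is the
    gap the asker is trying to close.
    """
    hits = defaultdict(list)
    for e in sudo_entries:
        prog = e["cmd"].split()[0].rsplit("/", 1)[-1]
        if e["target"] == "root" and prog in SHELLS:
            hits[e["user"]].append(e["cmd"])
    return dict(hits)


if __name__ == "__main__":
    ok, failed = root_su_attempts(parse_sulog(SULOG))
    print("successful su to root:", dict(ok))
    print("failed su to root:    ", dict(failed))
    for user, cmds in sorted(shell_escalations(parse_sudo(SUDO_LOG)).items()):
        print(f"{user} obtained a root shell via sudo: {cmds}")
```

Run against the real files, the two reports answer different questions: the sulog counts show who is reaching root and who is failing, and the sudo report shows whose sessions have no command trail at all, which is the list to reconcile with the process-accounting data suggested further down.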
Tintin:
If this is Solaris 10, the default root shell is bash, so all the commands will be logged in .bash_history.
Yeah, that's correct, but I need to do the same in Solaris 9. Is there any way by which I can do that?
SOLUTION by omarfarid (text available to members only)

The point of sudo is to provide a way for non-root users to execute particular commands in a controlled manner. Just disallow any shells from the sudo list and then the users will need to log each individual command.  

If that is too much of a problem, you could turn on process accounting and auditing. This will allow you to reconstruct the commands run, although it won't show you the arguments to the commands.
Hi Blu, thanks much. I think you are driving me towards the solution. Can you tell me more about turning on process accounting and auditing? Will I be able to get all the commands executed by each individual user if I do that? Thanks.
Yes. Process accounting tracks all of the processes run on the system, so you can list all of the commands run. Auditing lists important "events" and who did them.

Consider looking at what you need sudo for in the first place. It is not wise to allow a user to get a shell as the root user, that is not what it is for. You should look at the RBAC facilities in Solaris as well.  The point is, never allow root access to your system by people you do not trust. You apparently have violated this key principle.
Hi Blu,

I understand what you are saying. But the root access is already given. The users are internal company employees. They need to install and configure web servers and thereby require root access.

/etc/passwd file is getting corrupted once in a while. I have to reboot the system from the CD to restore the file. I am trying to find who is doing this.

Can you help me with the commands for process accounting and auditing? Thanks much.
How is it corrupted? What makes you think that it is done maliciously? Are your admins editing it directly? If it is edited directly, it should only ever be edited using the vipw command; that is what it is for.
Hi Blu:

We are not editing the /passwd file at all. It's getting corrupted by itself. We are unable to find the reason. We have 2 nodes. It's happening on both the nodes.
Okay. So, what OS rev are you using? Even with auditing and such, it will be hard to catch changes to the /etc/passwd file. If you are using Solaris 10, then you can use dtrace, which is a much finer grained tool.

But what makes you think that the corruption is malicious? It sounds more likely that there is a script or program somewhere that updates the /etc/passwd file without locking it first.
Hi, we are using Solaris 5.9. I agree with you. There should be a script somewhere. But the script is not in the crontab file of the root user. How can I detect the script? Is there any way to prevent it?
I think that knowing what the corruption looks like should give a clue. How is the file corrupted?

I know this is off topic, but you should really consider upgrading to Solaris 10. It is way more advanced than Solaris 9.
Yeah, that's a good idea, but you know it takes time. Here is the corrupted file:
*****************************
HÈñ¾D1p5        lOD1p5  l.ϽHÈñÞD1p5    »D1p5
                                                #HÈñ ¬D£H¹¼MQQ.ϾHÈñþD1p5      1p5   .ϾHÈñ_        1D1p5   ²¿D1p5  ³.Ï¿HÈñ_        UD1p5   ÊlD1p5  Ê°.Ï¿HÈñ_       uD1p5   áÖD1p5  âHÈñ]
£F¯ªH¹¼CãgèHÈñ <¯jÆH¹¼L^Lj.ÏÀHÈñ_       ¦D1p5   ùXD1p5  ù.ÏÀHÈñ_^LD1p5
ÅD1p5
àHÈñMõD1`¡%D1`¡%.HÈñ]HÇÑ"
 ¬ÀHÇÑ".ÏÁHÈñ_^L»D1p5
(GD1p5
(
.ÏÁHÈñ_^LßD1p5
?òD1p5
D1p5ÈñD=­^L¤D=­^L°.ÏÂHÈñ_
W]D1p5
$D1p5Èñ_
nàD1p5
Ú¸D1`âsCD1`âsëHÈñ_
ED1p5Èñ_L
bD1p5
 HÈñ]
fD1p5¹¼KÏ.ÏÃHÈñ_
D1p5ñ_CD2Þã>D2ÞãI.ÏÄHÈñ_
µäD1p5
¶$.ÏÄ
¨D1p5ñ_
ÍcD1p5
ÈD1p5HÈñ_
äåD1p5
å'
HÈñ SFTØâH¹¼L^L
±3<¯zUH¹¼B
߬ÂPHÈñ_
D1a
½D1a
È.ÏÈHÈñ_³D1p5
             ]D1p5
                  .ÏÉHÈñ_ÕD1p5
                              ¡D1p5
                                   ¡I.ÏÉHÈñ_÷D1p5
                                                 ¸D1p5
                                                      ¸È.ÏÊHÈñ_D1p5
                                                                   ÏõD1p5
                                                                         Ð6.ÏÊHÈñ_;D1p5
                                                                                       çvD1p5
                                                                                             ç¹.ÏËHÈñ_\D1p5
                                                                                                           þøD1p5
                                                                                                                 ÿ;.ÏHÈñ_þD1p5÷%D1p5÷T.ÏËHÈñ_}D1p5^LD1p5^LÏ.ÏÌHÈñ_D1p5^L.
D1p5^L.R.ÏlHÈñ_D4A>-D4A>-.ÑHÈñ]        @¤D=£sD=£.ÏÌHÈñ_À
UNHЪ
.ÏÎHÈñ_&D1p5^LD1p5^LØ÷HÈñ[¨
                           >ÞH¹¼MT0MøÔHÈñ"A´P»H¹¾[^L¼è.ÏÎHÈñ_HD1p5^L¤D1p5^L¤ÍMøÔHÈñ]
ÚA´PÂH¹¾[^LÀÐ.ÏÏHÈñ_jD1p5^L¼§D1p5^L¼îT4         UHÈñ_
ÆÀcÑ
FøB@^LÚ¨Ðp`8C|

        TTHTTHTHëþÿÿ¯ªÿÿÿªúÿ«ªª»wïîîþÿÿÿÿÿ¥
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿU­ºªªªªªªªªªêïÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
 ¬ÅÿÿÿÿÿÿÿÿÿÿÿÿÿÿWUU««ZUUÝÞ­nuU­ZÕwýÿÿÿÿÿÿÿÿÿÿÿöÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÞ^Uýÿÿ÷VUUUUUUUUUUUUUUUUµUUUUUUUUUUUUUUUUUUÕVUUU[UÕUUUUUUUUUµªªªªªªªªªVUUUUUUUUÕ®VUõÿ×nUýÿÿV÷ÿÿ¿ªþÿÿ¿ªþÿÿߪªªªUUUÕÿÿýÿÿÿÿ
Ouch. Looks like some kind of database or image file. There is a lot of repetition going on there. I would try running the strings command on it to see if there is anything in ASCII in there to find, and to dump some of it out with the od command, maybe "od -xc"
Hi, some output of od -xc is:
0005540    abaa    aabb    77ef    eeee    feff    ffff    ffff    a50a
         253 252 252 273   w 357 356 356 376 377 377 377 377 377 245  \n
0005560    0000    0000    00ff    ffff    ffff    ffff    ffff    ffff
          \0  \0  \0  \0  \0 377 377 377 377 377 377 377 377 377 377 377
0005600    ffff    ffff    ffff    ffff    ffff    ffff    ffff    ffff
         377 377 377 377 377 377 377 377 377 377 377 377 377 377 377 377
*
0005720    ffff    ffff    ffff    ffff    ffff    7f55    adba    aaaa
         377 377 377 377 377 377 377 377 377 377 177   U 255 272 252 252
0005740    aaaa    aaaa    aaaa    aaea    efff    ffff    ffff    ffff
         252 252 252 252 252 252 252 352 357 377 377 377 377 377 377 377
0005760    ffff    ffff    ffff    ffff    000a    0da0    0002    acc5
         377 377 377 377 377 377 377 377  \0  \n  \r 240  \0 002 254 305
0006000    ffff    ffff    ffff    ffff    ffff    ffff    ffff    5755
         377 377 377 377 377 377 377 377 377 377 377 377 377 377   W   U
0006020    55ab    ab5a    5555    ddde    ad6e    7555    ad5a    d577
           U 253 253   Z   U   U 335 336 255   n   u   U 255   Z 325   w
0006040    fdff    ffff    ffff    ffff    ffff    ffff    f6ff    ffff
         375 377 377 377 377 377 377 377 377 377 377 377 366 377 377 377
0006060    ffff    ffff    ffff    ffff    ffff    ffff    ffff    ffff
         377 377 377 377 377 377 377 377 377 377 377 377 377 377 377 377
*
0006120    ffff    ff7f    ffde    5e55    fdff    fff7    5655    5555
         377 377 377 177 377 336   ^   U 375 377 377 367   V   U   U   U
0006140    5555    5555    5555    5555    5555    5555    55b5    5555
           U   U   U   U   U   U   U   U   U   U   U   U   U 265   U   U
0006160    5555    5555    5555    5555    5555    5555    5555    5555
           U   U   U   U   U   U   U   U   U   U   U   U   U   U   U   U
0006200    d556    5555    555b    55d5    5555    5555    5555    5555
         325   V   U   U   U   [   U 325   U   U   U   U   U   U   U   U
0006220    55b5    aaaa    aaaa    aaaa    aaaa    aa56    5555    5555
           U 265 252 252 252 252 252 252 252 252 252   V   U   U   U   U
0006240    5555    5555    d5ae    5655    f5ff    fa7f    d76e    55fd
           U   U   U   U 325 256   V   U 365 377 372 177 327   n   U 375
0006260    ffff    56f7    ffff    bfaa    feff    ffbf    aafe    ffff
         377 377   V 367 377 377 277 252 376 377 377 277 252 376 377 377
0006300    dfaa    aaaa    aa55    5555    d5ff    fffd    ffff    ffff
         337 252 252 252 252   U   U   U 325 377 377 375 377 377 377 377
0006320    0300    0000    0000    0000    0000    0000
         003  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
Some output of strings is:

F:=k
F:=k
D1p5
D1p5
/D1p5
D1p5
PD1p5
D1p5
rD1p5
ZmD1p5
D1p5
D1p5
D1p5
]D1p5
D1p5
D1p5
D1p5
D1p5
D1p5
D1p5
;D1p5
vD1p5
\D1p5
D1p5
D1p5
%D1p5
}D1p5
D1p5
D1p5
D1p5
>-D4
D1p5
D1p5
D1p5
D1p5
D1p5
D1p5
_NF:=
Well, nothing jumps out at me, although I think that it looks more like image data than anything else to me. What are the first few bytes of the passwd file?
Hi, please see the information below:
[root@v02226:/tmp] #> strings passwd.bad.091108
D1p5
lOD1p5
D1p5
D1p5
D1p5
=D1p5
1D1p5
D1p5
UD1p5
lD1p5
uD1p5
D1p5
D1p5
XD1p5
D1p5
D1p5
D1p5
(GD1p5
D1p5
D1p5
D1p5
W]D1p5
$D1p5

[root@v02226:/tmp] #> od -xc passwd.bad.091108 | more
0000000    0000    0018    0000    0007    48c8    f15f    000e    08be
          \0  \0  \0 030  \0  \0  \0 007   H 310 361   _  \0 016  \b 276
0000020    4431    7035    0009    6c4f    4431    7035    0009    6c91
           D   1   p   5  \0  \t   l   O   D   1   p   5  \0  \t   l 221
0000040    0000    0000    2ecf    bd90    0000    0018    0000    0007
          \0  \0  \0  \0   . 317 275 220  \0  \0  \0 030  \0  \0  \0 007
0000060    48c8    f15f    000e    08de    4431    7035    0009    83bb
           H 310 361   _  \0 016  \b 336   D   1   p   5  \0  \t 203 273
0000100    4431    7035    0009    8400    0000    0000    0323    8710
           D   1   p   5  \0  \t 204  \0  \0  \0  \0  \0 003   # 207 020
0000120    0000    0018    0000    0007    48c8    f15d    0008    20ac
          \0  \0  \0 030  \0  \0  \0 007   H 310 361   ]  \0  \b     254
0000140    44a3    1f8a    0000    0000    48b9    bc4d    0006    5151
           D 243 037 212  \0  \0  \0  \0   H 271 274   M  \0 006   Q   Q
0000160    0000    0000    2ecf    be10    0000    0018    0000    0007
          \0  \0  \0  \0   . 317 276 020  \0  \0  \0 030  \0  \0  \0 007
0000200    48c8    f15f    000e    08fe    4431    7035    0009    9b3d
           H 310 361   _  \0 016  \b 376   D   1   p   5  \0  \t 233   =
0000220    4431    7035    0009    9b7e    0000    0000    2ecf    be90
           D   1   p   5  \0  \t 233   ~  \0  \0  \0  \0   . 317 276 220
0000240    0000    0018    0000    0007    48c8    f15f    000e    0931
          \0  \0  \0 030  \0  \0  \0 007   H 310 361   _  \0 016  \t   1
0000260    4431    7035    0009    b2bf    4431    7035    0009    b303
           D   1   p   5  \0  \t 262 277   D   1   p   5  \0  \t 263 003
0000300    0000    0000    2ecf    bf10    0000    0018    0000    0007
          \0  \0  \0  \0   . 317 277 020  \0  \0  \0 030  \0  \0  \0 007
0000320    48c8    f15f    000e    0955    4431    7035    0009    ca6c
           H 310 361   _  \0 016  \t   U   D   1   p   5  \0  \t 312   l
0000340    4431    7035    0009    cab0    0000    0000    2ecf    bf90

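Before guessing a file type from strings output, a cheap forensic step is to decode candidate timestamps and look for a fixed record stride. The script below is an added example, not from the thread: it rebuilds the bytes from the start of the `od -xc passwd.bad.091108` listing pasted above, treats the 16-bit words as big-endian (the `-c` line under each `-x` line shows the words in byte order, e.g. `48c8 f15f` beneath `H 310 361 _`), reports every aligned 32-bit value that decodes to a date between 2000 and 2010, and lists where the 8-byte header `0000 0018 0000 0007` recurs. The date window and the 4-byte alignment are assumptions chosen for this dump.

```python
"""Decode candidate timestamps and the record stride in an od -xc dump.

Added example, not from the thread.  OD_DUMP is the beginning of the asker's
`od -xc passwd.bad.091108` listing as pasted above; the -c lines confirm that
the 16-bit words are printed in byte order, so they are read as big-endian.
"""
import re
from datetime import datetime, timezone

OD_DUMP = r"""
0000000    0000    0018    0000    0007    48c8    f15f    000e    08be
          \0  \0  \0 030  \0  \0  \0 007   H 310 361   _  \0 016  \b 276
0000020    4431    7035    0009    6c4f    4431    7035    0009    6c91
           D   1   p   5  \0  \t   l   O   D   1   p   5  \0  \t   l 221
0000040    0000    0000    2ecf    bd90    0000    0018    0000    0007
          \0  \0  \0  \0   . 317 275 220  \0  \0  \0 030  \0  \0  \0 007
0000060    48c8    f15f    000e    08de    4431    7035    0009    83bb
           H 310 361   _  \0 016  \b 336   D   1   p   5  \0  \t 203 273
0000100    4431    7035    0009    8400    0000    0000    0323    8710
           D   1   p   5  \0  \t 204  \0  \0  \0  \0  \0 003   # 207 020
0000120    0000    0018    0000    0007    48c8    f15d    0008    20ac
          \0  \0  \0 030  \0  \0  \0 007   H 310 361   ]  \0  \b     254
0000140    44a3    1f8a    0000    0000    48b9    bc4d    0006    5151
           D 243 037 212  \0  \0  \0  \0   H 271 274   M  \0 006   Q   Q
"""

# An od -x line: a 7-digit octal offset followed by 16-bit hex words.
HEX_LINE = re.compile(r"^([0-7]{7})\s+((?:[0-9a-f]{4}\s*)+)$")

# Assumed date window for plausible Unix timestamps: 2000-01-01 to 2010-01-01 UTC.
EPOCH_LO = 946684800
EPOCH_HI = 1262304000


def od_to_bytes(dump):
    """Rebuild raw bytes from the -x lines of an od -xc listing.

    The -c (character) lines are indented and the '*' repeat marker has no
    hex words, so both fall through the regex and are skipped.
    """
    data = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.rstrip())
        if not m:
            continue
        for word in m.group(2).split():
            data += bytes.fromhex(word)  # big-endian word == bytes in order
    return bytes(data)


def candidate_timestamps(data, lo=EPOCH_LO, hi=EPOCH_HI, step=4):
    """Return (offset, value, 'YYYY-MM-DD HH:MM:SS') for each aligned big-endian
    uint32 that, read as seconds since the Unix epoch, falls in [lo, hi).

    step=4 assumes 4-byte alignment; use step=1 for a packed structure.
    """
    hits = []
    for off in range(0, len(data) - 3, step):
        val = int.from_bytes(data[off:off + 4], "big")
        if lo <= val < hi:
            when = datetime.fromtimestamp(val, tz=timezone.utc)
            hits.append((off, val, when.strftime("%Y-%m-%d %H:%M:%S")))
    return hits


def record_offsets(data, marker=bytes.fromhex("0000001800000007")):
    """Offsets at which the repeating header seen in the dump occurs."""
    n = len(marker)
    return [i for i in range(len(data) - n + 1) if data[i:i + n] == marker]


def record_stride(offsets):
    """Distinct distances between consecutive header offsets (one value = fixed records)."""
    return sorted({b - a for a, b in zip(offsets, offsets[1:])})


if __name__ == "__main__":
    data = od_to_bytes(OD_DUMP)
    print(f"{len(data)} bytes reconstructed")
    for off, val, when in candidate_timestamps(data):
        print(f"offset {off:4d}: 0x{val:08x} -> {when} UTC")
    offs = record_offsets(data)
    print("header at offsets", offs, "stride", record_stride(offs))
```

On the pasted dump the value at offset 8, 0x48c8f15f, decodes to 2008-09-11 10:22:23 UTC, the same day as the 091108 suffix of the file's name read as mm/dd/yy, and the header recurs every 40 bytes. Fixed-size, freshly timestamped records are not what random bit-rot produces; they point to some program writing its own data to the path, which is the line of inquiry Blu suggests above, and the record length and the 2006-era values such as 0x44317035 are the details to match against the data files of whatever runs on both nodes.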
ASKER CERTIFIED SOLUTION (text available to members only)
Thanks a lot.
As for sudo, you may want to remove the ability to sudo su -. Edit the sudoers file and remove the capability for users to run the su - command. If they need the ability to run su to get to another account, explicitly allow those accounts.
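Both recommendations in the thread about sudoers (remove shells from the sudo list, and allow su only to explicitly named accounts) can be checked mechanically. The script below is an added example, not from the thread: it parses a constructed sudoers fragment in the common `user host = (runas) [TAG:] cmd, ...` form plus `Cmnd_Alias`, flags every rule that yields a root shell, and shows a hardened fragment for the same users beside it. It is deliberately not a full sudoers parser (no User_Alias, Host_Alias, Defaults, wildcards or negation), and the user names, group and command paths are made up.

```python
"""Audit a sudoers fragment for rules that hand out a root shell.

Added example, not from the thread.  Constructed fragments follow the advice
given there: disallow shells and `su -` in sudoers and allow the specific
commands (or the specific su target account) instead.  Handles User_Spec
lines `user host = (runas) [TAG:] cmd, cmd` and Cmnd_Alias only.
"""
import re

WEAK_SUDOERS = """\
# Constructed fragment: every rule here ends in a root shell with no command trail
%webadmin  ALL = (root) /usr/bin/su -
alice      ALL = (ALL) ALL
bob        ALL = (root) NOPASSWD: /bin/sh, /usr/bin/vipw
"""

HARDENED_SUDOERS = """\
# Constructed fragment: the same people get only the tasks they need
Cmnd_Alias WEBSERVER = /usr/apache/bin/apachectl, /usr/bin/pkgadd, /usr/bin/pkgrm
%webadmin  ALL = (root) WEBSERVER
alice      ALL = (root) WEBSERVER, /usr/bin/vipw
bob        ALL = (oracle) /usr/bin/su - oracle
"""

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh"}
# user  host = (runas) commands      -- the (runas) part is optional
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
# Leading tags such as NOPASSWD: or NOEXEC: in front of a command
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")


def parse_sudoers(text):
    """Return (aliases, rules); each rule is (user, runas, [command, ...]) with
    Cmnd_Alias names expanded.  Comments and blank lines are ignored."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, _host, runas, cmds = m.groups()
        expanded = []
        for cmd in cmds.split(","):
            cmd = TAG_RE.sub("", cmd.strip())
            expanded.extend(aliases.get(cmd, [cmd]))
        rules.append((user, runas or "root", expanded))  # sudoers default runas is root
    return aliases, rules


def shell_risk(runas, cmd):
    """Explain why a command grants an unrestricted root shell, or return None."""
    if cmd == "ALL":
        return "ALL permits any command, including a shell"
    argv = cmd.split()
    prog = argv[0].rsplit("/", 1)[-1]
    if prog in SHELLS and runas in ("root", "ALL"):
        return "interactive root shell; per-command logging is lost"
    if prog == "su":
        target = [a for a in argv[1:] if a != "-"]
        if not target or target[0] == "root":
            return "su to root gives a root shell; sudo logs only the su itself"
    return None


def audit(text):
    """List (user, command, reason) for every rule that yields a root shell."""
    _, rules = parse_sudoers(text)
    return [(user, cmd, why)
            for user, runas, cmds in rules
            for cmd in cmds
            for why in [shell_risk(runas, cmd)] if why]


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        findings = audit(text)
        print(f"{label}: {len(findings)} finding(s)")
        for user, cmd, why in findings:
            print(f"  {user}: {cmd!r}: {why}")
```

In the hardened fragment bob keeps `su - oracle` because the target account is named explicitly, which is the exception the last post allows; the web administrators lose the root shell but keep the server and package commands they actually need, and each of those now produces its own sudo log line.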