1 Reply. Latest reply: Mar 20, 2013 10:55 AM by JulianG

    succeeded for root on /dev/???

    JulianG
      Hi - I'm running a Solaris 10 T4-1 server with non-global zones and just noticed the following in the logs:

      Mar 11 21:12:29 zonewww su: [ID 366847 auth.info] 'su nagios' succeeded for root on /dev/???
      Mar 11 21:12:33 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
      Mar 11 21:18:00 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
      Mar 14 05:00:34 zonewww su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/???
      Mar 14 05:08:08 zonewww su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/???
      Mar 14 10:22:40 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
      Mar 20 10:57:17 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???

      I can see it's been going on for months, and it can be really random. I've seen a few threads saying it could be cron jobs running, but I've checked and it isn't, or not that I can see. Also, the times and dates are completely random. It's also for other users on this particular server. Has anyone seen this before, and does anyone know what is causing it?

      Thanks - J.
        • 1. Re: succeeded for root on /dev/???
          JulianG
          Ah right, I've found out part of the answer: some of these entries tie in exactly with when the non-global zone was rebooted, e.g.

          grep "succeeded for root on /dev/???" /var/adm/authlog |grep "Mar 11"
          Mar 11 20:03:28 zonewww su: [ID 366847 auth.info] 'su jhc' succeeded for root on /dev/???
          Mar 11 20:03:30 zonewww su: [ID 366847 auth.info] 'su jhc2' succeeded for root on /dev/???
          Mar 11 20:03:32 zonewww su: [ID 366847 auth.info] 'su jhcixx' succeeded for root on /dev/???
          Mar 11 20:03:35 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
          Mar 11 20:07:05 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/??? **** here ****
          Mar 11 21:12:28 zonewww su: [ID 366847 auth.info] 'su jhc' succeeded for root on /dev/??? **** here ****
          Mar 11 21:12:28 zonewww su: [ID 366847 auth.info] 'su jhc2' succeeded for root on /dev/??? **** here ****
          Mar 11 21:12:29 zonewww su: [ID 366847 auth.info] 'su jhcixx' succeeded for root on /dev/??? **** here ****
          Mar 11 21:12:29 zonewww su: [ID 366847 auth.info] 'su nagios' succeeded for root on /dev/??? **** here ****
          Mar 11 21:12:33 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/??? **** here ****
          Mar 11 21:18:00 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???


          last reboot |grep "Mar 11"
          reboot system boot Mon Mar 11 21:12
          reboot system down Mon Mar 11 20:07


          There are still some other entries that I can't explain though.

          Julian.
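
The correlation the second post does by eye can be scripted so that only the entries outside a zone boot or shutdown are left to investigate. This is an added example, not part of the original posts; the function names, the 60-second slack and the year 2013 (taken from the thread date, since neither log records a year) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the posts above, without the "**** here ****" markers.
AUTHLOG = """\
Mar 11 20:03:35 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
Mar 11 20:07:05 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
Mar 11 21:12:28 zonewww su: [ID 366847 auth.info] 'su jhc' succeeded for root on /dev/???
Mar 11 21:12:29 zonewww su: [ID 366847 auth.info] 'su nagios' succeeded for root on /dev/???
Mar 11 21:12:33 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
Mar 11 21:18:00 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
"""
LAST_REBOOT = """\
reboot system boot Mon Mar 11 21:12
reboot system down Mon Mar 11 20:07
"""

SU_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su: \[ID \d+ auth\.\w+\] "
                   r"'su (\S+)' succeeded for (\S+) on /dev/\?\?\?")
LAST_RE = re.compile(r"^reboot\s+system\s+(boot|down)\s+\w{3}\s+(\w{3}\s+\d+ \d\d:\d\d)")

def parse_su(text, year):
    """Return (timestamp, target_user, caller) for su entries logged without a terminal."""
    hits = (SU_RE.match(line.strip()) for line in text.splitlines())
    return [(datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2], m[3])
            for m in hits if m]

def parse_last(text, year):
    """Return (minute_start, 'boot' or 'down') from `last reboot` output."""
    hits = (LAST_RE.match(line.strip()) for line in text.splitlines())
    return [(datetime.strptime(f"{year} {m[2]}", "%Y %b %d %H:%M"), m[1])
            for m in hits if m]

def triage(su_events, transitions, slack=timedelta(seconds=60)):
    """Split su events into those inside a boot/shutdown minute (+/- slack) and the rest."""
    explained, unexplained = [], []
    for when, target, _caller in su_events:
        # `last` only has minute resolution, so match the whole minute plus slack.
        kind = next((k for t, k in transitions
                     if -slack <= when - t < timedelta(minutes=1) + slack), None)
        if kind:
            explained.append((when, target, kind))
        else:
            unexplained.append((when, target))
    return explained, unexplained

if __name__ == "__main__":
    ok, todo = triage(parse_su(AUTHLOG, 2013), parse_last(LAST_REBOOT, 2013))
    for when, target, kind in ok + [(w, t, "UNEXPLAINED") for w, t in todo]:
        print(f"{when}  su {target:<8} {kind}")
```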