This discussion is archived
1 Reply Latest reply: Mar 20, 2013 8:55 AM by JulianG RSS

succeeded for root on /dev/???

JulianG Newbie
Currently Being Moderated
Hi - I'm running a Solaris 10 T4-1 server with non-global zones and just noticed the following in the logs:

Mar 11 21:12:29 zonewww su: [ID 366847 auth.info] 'su nagios' succeeded for root on /dev/???
Mar 11 21:12:33 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
Mar 11 21:18:00 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
Mar 14 05:00:34 zonewww su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/???
Mar 14 05:08:08 zonewww su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/???
Mar 14 10:22:40 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
Mar 20 10:57:17 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???

I can see it's been going on for months, can be really random. I've seen a few threads about could be cron jobs running - but checked and it isn't or not that I can see. And also the times / dates are completely random. It's also for other users on this particular server. Has anyone seen this before and know what is causing it?

Thanks - J.
  • 1. Re: succeeded for root on /dev/???
    JulianG Newbie
    Currently Being Moderated
    Ah right I've found part of the answer out - some of these entries tie in exactly with when the non-global zone was rebooted, eg.

    grep "succeeded for root on /dev/???" /var/adm/authlog |grep "Mar 11"
    Mar 11 20:03:28 zonewww su: [ID 366847 auth.info] 'su jhc' succeeded for root on /dev/???
    Mar 11 20:03:30 zonewww su: [ID 366847 auth.info] 'su jhc2' succeeded for root on /dev/???
    Mar 11 20:03:32 zonewww su: [ID 366847 auth.info] 'su jhcixx' succeeded for root on /dev/???
    Mar 11 20:03:35 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???
    Mar 11 20:07:05 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/??? **** here ****
    Mar 11 21:12:28 zonewww su: [ID 366847 auth.info] 'su jhc' succeeded for root on /dev/??? **** here ****
    Mar 11 21:12:28 zonewww su: [ID 366847 auth.info] 'su jhc2' succeeded for root on /dev/??? **** here ****
    Mar 11 21:12:29 zonewww su: [ID 366847 auth.info] 'su jhcixx' succeeded for root on /dev/??? **** here ****
    Mar 11 21:12:29 zonewww su: [ID 366847 auth.info] 'su nagios' succeeded for root on /dev/??? **** here ****
    Mar 11 21:12:33 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/??? **** here ****
    Mar 11 21:18:00 zonewww su: [ID 366847 auth.info] 'su was' succeeded for root on /dev/???


    last reboot |grep "Mar 11"
    reboot system boot Mon Mar 11 21:12
    reboot system down Mon Mar 11 20:07


    There are still some other entries that I can't explain though.

    Julian.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points