Auditing of su use is important and should be built in. Depending somewhat on your distro, /etc/login.defs should have a section on su logging. A typical default would direct logging to syslog, but there should also be an option of specifying a separate logfile for su activities only. If syslog is used, check /etc/syslog.conf or equivalent for the destination of auth logs, under Debian the default is /var/log/auth.log.
I teach a Linux basics course and each term I have the problem of students who do an su to become root, then rather than exiting, they su again to go back to their regular account. The trouble is identifying when someone has done this (they usually don't remember). The "who" command only shows login shells (AFAIK) so it does not reveal when someone has su-ed.
Does anyone know of a way to list all of the users currently logged in, including when someone has su-ed to become another user?
--
[EMAIL PROTECTED]
