logging root activity

chali2na (IS-IT--Management, US), Aug 22, 2002
Another Sarbanes-Oxley-related question...

We have locked down root access recently. Admin users can only 'su' to gain root access. Now auditors have asked us to log all activity done by users after they su to root. Does AIX have any native tools to do this, or are there any good third party tools that can accomplish this?


 
You could save the .sh_history file of the session as part of the logoff routine. Alternatively, wrap the session in a script (man script). Both of these of course won't prevent unscrupulous root users from modifying or deleting things in the record that they don't want you to know about. There are probably other more secure methods that someone will come along with soon.
 
Our answer - from /etc/profile
Code:
# One history file per login session: /var/hist/<login user>_<tty>_<dd.mm.yy>
# 'who am i' reports the user who logged in on this tty (not the effective
# user), so commands typed after 'su' are still filed under the original name.
HIST_ID=$(who am i | awk '{print $1}')
HIST_TTY=$(tty | awk -F / '{print $NF}')
export HISTFILE=/var/hist/${HIST_ID}_${HIST_TTY}_$(date +"%d.%m.%y")
touch "$HISTFILE" 2>/dev/null
chmod 666 "$HISTFILE" 2>/dev/null   # world-writable, so the owner can also edit it (see caveat below)
export HISTSIZE=50000
but I'm sure there are others who can tidy up my code.
BTW Ken's caveat about users' ability to edit their own shell histories still stands.

Columb Healy
 
Another thing about using shell scripts is that the malicious user can easily hide their tracks. If you were to see in the shell history the lines
Code:
vi myscript
chmod 755 myscript
./myscript
rm myscript
you have no idea what myscript actually did.

However it helps keep the audit team off your back!

Columb Healy
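An added example (not from the thread) of the review an auditor could run over the per-session files that the /etc/profile snippet above writes: it parses the `<user>_<tty>_<dd.mm.yy>` file names, tags lines after an `su` as root context, and flags the two gaps the thread points out (a file that is executed and then removed, and any command that touches HISTFILE). The sample history contents are constructed for this example; the tty field is the `0`/`1`/`2` that `tty | awk -F / '{print $NF}'` yields for /dev/pts/N.

```python
import re

# Constructed sample standing in for files under /var/hist, named
# <login user>_<tty>_<dd.mm.yy> exactly as the /etc/profile snippet builds them.
SAMPLE_HIST = {
    "alice_0_22.08.02": "ls -l /etc\nsu -\nvi myscript\nchmod 755 myscript\n./myscript\nrm myscript\nlslpp -l\n",
    "bob_1_22.08.02": "su\nunset HISTFILE\n",
    "carol_2_22.08.02": "vi notes.txt\nrm notes.txt\n",   # plain rm of an unexecuted file: not flagged
}
NAME_RE = re.compile(r"^(?P<user>[^_]+)_(?P<tty>[^_]+)_(?P<date>\d\d\.\d\d\.\d\d)$")

def parse_name(fname):
    """Split <user>_<tty>_<date> into its parts, or None if the name does not match."""
    m = NAME_RE.match(fname)
    return m.groupdict() if m else None

def scan_session(lines):
    """Return (line_no, context, reason) findings for one history file.
    Flags a file that is executed and then removed in the same session (the
    vi/chmod/./myscript/rm myscript pattern) and any command touching HISTFILE.
    Lines after an 'su' get context 'root' (assumption: su succeeded and the root
    shell had not exited yet; a plain history file records neither)."""
    executed, findings, after_su = set(), [], False
    for no, line in enumerate(lines, 1):
        tokens = line.split()
        if not tokens:
            continue
        ctx = "root" if after_su else "user"
        if tokens[0] == "su":
            after_su = True
        elif tokens[0].startswith("./"):
            executed.add(tokens[0][2:])
        elif tokens[0] == "rm":
            findings += [(no, ctx, "executed then removed: " + n)
                         for n in tokens[1:] if n in executed]
        if "HISTFILE" in line:
            findings.append((no, ctx, "history file changed"))
    return findings

def audit(hist_files):
    """Map (user, tty, date) of each history file to its findings; clean files are omitted."""
    report = {}
    for fname, content in hist_files.items():
        meta = parse_name(fname)
        if meta is None:
            continue  # not a file the profile snippet wrote
        findings = scan_session(content.splitlines())
        if findings:
            report[(meta["user"], meta["tty"], meta["date"])] = findings
    return report
```

On a real box the dict would be replaced by reading the files in /var/hist; the findings only tell you where the history stops being a faithful record, which is exactly the limit Ken and Columb describe.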
 