
Tracing a user's work...


ratbs75 (IS-IT--Management, BE), Mar 8, 2001
Hi,

I want to know if there's a way to trace ALL operations/results done by a user, who can also use SU to root (with the correct password).

I'm root also, it's a question of logging operations done...

I'm running HP-UX 10.20 (non-trusted system, and won't turn that on!)

Thanks in advance
 
The only way I know is to log any su activity to the syslog. Root should not be allowed to do a remote login. This will tell you when someone su's to root.

Then, if you have a large enough history file specified for the root user (or any user) you would be able to tell what commands they have executed, but you would not be able to tell what time they executed the command, or, for example, if they vi'd a file, you wouldn't be able to tell what they did to the file.

You might want to consider sudo for users who need to execute commands as root. Sudo keeps logs of what users do as root, but again, you wouldn't know what they did in a file if they vi'd it. sudo has the advantage that it puts a time stamp on when the command was executed, tells you which command was executed and from which PWD. Just be sure to limit sudo so the user can't do sudo su.
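As an added example (not code from the poster, and not HP-UX's or sudo's own tooling), here is a small POSIX sh script that picks the su and sudo records out of a syslog file and flags the sudo invocations that hand out a root shell, which is exactly the "sudo su" escape the answer above says to close off in sudoers. The log lines are constructed for the example; the su line layout is an assumption (HP-UX's real format is not shown in the thread), while the sudo lines follow sudo's usual `user : TTY=... ; PWD=... ; USER=... ; COMMAND=...` record. The log path in the usage stanza is also an assumption.

```shell
#!/bin/sh
# Added example: pull su and sudo records out of a syslog file and flag
# sudo commands that start a root shell (su, sh, ksh, ...).
# The sample lines are constructed; the su line format is an assumption.

sample_log() {
    cat <<'EOF'
Mar  8 10:14:55 hpbox su: + pts/1 alice-root
Mar  8 10:20:01 hpbox sudo:    bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar  8 10:25:30 hpbox sudo:    bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/su -
Mar  8 10:30:12 hpbox syslogd: restart
Mar  8 10:31:00 hpbox sudo:  carol : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/ksh
EOF
}

# su_records: every su entry (stdin -> stdout).  These only appear if
# /etc/syslog.conf sends the auth facility to the log file.
su_records() {
    grep ' su: '
}

# sudo_records: one compact line per sudo entry: date, time, user, PWD, command.
sudo_records() {
    awk '/ sudo: / {
        n = split($0, f, / ; /)            # f[1] = "Mar  8 10:20:01 host sudo:    bob : TTY=pts/2"
        split(f[1], head, / sudo: +/)      # head[2] = "bob : TTY=pts/2"
        split(head[2], who, / : /)         # who[1] = "bob"
        pwd = ""; cmd = ""
        for (i = 2; i <= n; i++) {
            if (f[i] ~ /^PWD=/)     pwd = substr(f[i], 5)
            if (f[i] ~ /^COMMAND=/) cmd = substr(f[i], 9)
        }
        printf "%s %s %s user=%s pwd=%s cmd=%s\n", $1, $2, $3, who[1], pwd, cmd
    }'
}

# root_shell_sudo: sudo entries whose command is su or a shell, i.e. the
# cases a tight sudoers file should not allow.
root_shell_sudo() {
    sudo_records | awk '{
        cmd = $0; sub(/.*cmd=/, "", cmd)   # text after cmd=
        split(cmd, w, " ")                 # w[1] is the program path
        n = split(w[1], p, "/")            # p[n] is its basename
        if (p[n] ~ /^(su|sh|ksh|csh|bash)$/) print
    }'
}

# Usage: sh thisfile.sh /var/adm/syslog/syslog.log   (path is an assumption)
if [ -n "${1:-}" ]; then
    su_records < "$1"
    root_shell_sudo < "$1"
fi
```

Run without an argument it does nothing but define the functions; run `sample_log | root_shell_sudo` to see the two flagged entries (bob's `su -` and carol's `/bin/ksh`). Note that a log line only proves the command was started; as the thread says, what the user then did inside vi or a shell is not recorded.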

 
Hi, that sounds very nice...... I think I'll have to do that. Just a few questions about that: where and how can I see the content of the SYSLOG? I don't know any commands regarding such operations.....

Thanks for your help
 
Take a look at the file /etc/syslog.conf. That is a file that should specify where your system log is as well as what is logged. Make sure, of course, that syslogd is running -- I think it is the default to always run.

For more information, take a look at the man pages for syslogd.

sudo is freeware/shareware you can download from various sites on the internet. Use a search engine and look for sudo. That download will have a file that tells you what needs to be put in your syslog.conf so that any sudo commands are recorded in syslog.

Note that when you boot an HP system, the old syslog is copied to a file (I think it's syslog.OLD) and a new one is started, so if you want to keep more than one old version, you will either have to rename syslog.OLD or change the boot behavior to keep more than one version of an old syslog.
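One way to do the renaming the post above mentions, added here as an example (it is not the poster's script and not part of HP-UX): a POSIX sh function that pushes syslog.OLD down a numbered chain so that several generations survive instead of one. Run it before the boot-time copy that creates a fresh syslog.OLD. The log path in the usage stanza is an assumption.

```shell
#!/bin/sh
# Added example: keep several generations of syslog.OLD instead of one.
# HP-UX copies syslog to syslog.OLD at boot and starts a fresh log; run this
# before that copy so the previous syslog.OLD is renamed, not overwritten.
# The log path below is an assumption, not taken from the thread.

# keep_old_syslogs LOG KEEP
#   LOG.OLD     -> LOG.OLD.1
#   LOG.OLD.1   -> LOG.OLD.2 ... up to LOG.OLD.KEEP; the oldest one is dropped.
keep_old_syslogs() {
    log=$1
    keep=$2
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$log.OLD.$prev" ]; then
            mv -f "$log.OLD.$prev" "$log.OLD.$i"
        fi
        i=$prev
    done
    if [ -f "$log.OLD" ]; then
        mv -f "$log.OLD" "$log.OLD.1"
    fi
    return 0
}

# old_syslog_count LOG: how many rotated generations currently exist
old_syslog_count() {
    n=0
    for f in "$1".OLD.*; do
        if [ -f "$f" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage: sh thisfile.sh rotate [KEEP]   (path is an assumption)
if [ "${1:-}" = "rotate" ]; then
    keep_old_syslogs /var/adm/syslog/syslog.log "${2:-4}"
fi
```

Keep the rotated copies readable by root only; the thread's whole point is that someone with a root shell could edit them, so copying them off the box (or at least out of the usual log directory) is what actually preserves them.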


 
Hi!

As far as I understand, you would like to know the exact commands and maybe results of a user with root privilege. This is a big security hole, as the user using su is able to alter any logs and so can eliminate the clues of his activities.

A better utility is sudo. With sudo, you can configure exactly user-by-user and command-by-command permissions. Well, you can configure a specific user to be able to run a specific set of commands. But giving root shell access to anybody is not a good idea.

--Trifo
 
hehe, I know it's not a good idea, but there are a few who access it, they are allowed to, but as they never feed back their doing/work, I have to trace it all myself for reporting. I know that as ROOT he can even delete what I trace on him, but as they are not aware of the possibility, they won't know it, so won't find anything... If there's a way to trace it all into a file in my home directory or wherever but not in LOG files (as they are known).... would be very helpful... I'd put such commands directly in root's startup files... thanks for help on that point, how to do it :)
 
Well, I have another little tool, but it does not really apply to your environment. I have a script that lets users log their activities for themselves in a common file. It is good when you _trust_ the others with root access.

But, if I understand your problem correctly, you do not really trust the mentioned users. Well, probably there is some command logging functionality in bash or ksh. I mean something separate from command history. However it does not solve the problem of subshells and much more.

Oh, I got an idea. Maybe getty has a logging functionality. This way you could log the whole session stream in a shell-independent way. The only problem is that it is really hard to analyse the log.

--Trifo
 
The easiest way would be following (just not sure how to do it...):

In crontab: programming a batch which every 5 minutes checks if somebody logged in as root... if yes, the batch would copy the HISTORY file of the used commands into a file with a format like HISTFILE_MM_DD_TIME... once done, the histfile is emptied... again 5 mins later, same op... as the histfile was emptied before, it just can concatenate or create a new file from its content... what do you think of it?
 
Yes, looks almost OK, but
1) there are more shells, and you should ensure they _create_ command history (in /etc/profile for example)
So the used shell should be taken into account.

2) I do not know if all shells maintain the same format of command history. Probably yes (just a list of lines with commands)

3) sh (Berkeley Shell) does not maintain command history at all

4) the user might notice the loss of his command history, so a bit trickier scripts should be used to keep his commands. This needs some more thinking. (inserting a remark line and cutting upon copy maybe)

However your idea can help monitoring activities, but with far less than 100% confidence level.

--Trifo
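Here is one way to combine the cron idea with Trifo's fourth point, added as an example (it is not code from either poster): instead of emptying the history file, the script remembers how many lines it has already copied and appends only the new ones to a HISTFILE_MM_DD_TIME file, so the user's history stays intact and nothing is inserted into it. If the history file is ever shorter than last time (truncated or replaced), it starts over from the first line. It assumes a plain-text history file with one command per line; ksh's .sh_history is not plain text (it contains NUL bytes), so strip those first, for instance with `tr -d '\000'` into a scratch copy, and check the result by eye. All paths and the state file name are assumptions.

```shell
#!/bin/sh
# Added example: copy the lines added to root's history since the last run
# into a dated audit file, without emptying the history file.
# Assumes a plain-text history file (one command per line).
# Paths below are assumptions, not taken from the thread.
#
# crontab entry (HP-UX cron has no */5, so list the minutes):
# 0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/sbin/histsnap.sh run

# snapshot_history HISTFILE AUDIT_DIR STATE_FILE
#   appends the lines added to HISTFILE since the last call to
#   AUDIT_DIR/HISTFILE_MM_DD_HHMM and records the new line count in
#   STATE_FILE.  Returns 1 if HISTFILE cannot be read.
snapshot_history() {
    hist=$1
    audit_dir=$2
    state=$3
    [ -r "$hist" ] || return 1
    mkdir -p "$audit_dir"
    total=$(wc -l < "$hist" | tr -d ' ')
    copied=0
    if [ -f "$state" ]; then
        copied=$(cat "$state")
    fi
    # history shorter than last time: it was truncated or replaced, start over
    if [ "$copied" -gt "$total" ]; then
        copied=0
    fi
    new=$((total - copied))
    if [ "$new" -gt 0 ]; then
        out="$audit_dir/HISTFILE_$(date +%m_%d_%H%M)"
        {
            echo "# $(date) lines $((copied + 1))-$total of $hist"
            tail -n "$new" "$hist"
        } >> "$out"
    fi
    echo "$total" > "$state"
    return 0
}

if [ "${1:-}" = "run" ]; then
    # HISTFILE must be set in root's profile for the shell to write it at all
    # (Trifo's first point); /.sh_history is an assumption.
    snapshot_history /.sh_history /var/adm/histsnap /var/adm/histsnap/.lines
fi
```

The state file and audit directory should live somewhere other than the usual log locations, as the original poster asked; keep in mind Trifo's point that this still only records what the shell itself saw, not subshells, editor sessions or anything run with a shell that keeps no history.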
 
Yes, I know it isn't a 100% reliable way of tracing others' root commands, but at least it's a little solution, meanwhile getting a better one... My manager is always saying that there IS a way to control a root, I told him, NO there isn't, a root stays a root with its full power... so.... only tricky things can be done, but if the other root gets aware of it, the trick needs to be reviewed ;)
Now, meanwhile, how to do it?
 
Well, in a Unix system root is the god itself. Secure solutions may only be to use tricky tools to give other users privileges in a strictly controlled way. IBM/AIX has some good looking built-in functions to accomplish this.

--Trifo
 
ok, thanks for the comments.. I just posted to the programmers section of scripting... hope somebody knows :)

thanks
 