Capturing all command history

Asked by JammyPak:

Hi all,
Client wants to capture an audit trail of all commands executed on their server (especially commands run as root).

They currently have process accounting enabled, so the 'lastcomm' command is available, but it only gives the executable name, not the full command line. I know that there's also a .bash_history for each user, but it seems that a user could probably edit that file and erase their tracks pretty easily. The 'audit daemon' is something that I haven't played around with yet, but this is a RHEL 3 server, so that would be available.

Is there a simple way to get what the user wants?

thanks.
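The following is an added example, not code from the original thread or from any of the posters. It shows what the question is really after: turning kernel audit records of execve into full command lines with the login uid preserved, which neither lastcomm (executable name only) nor .bash_history (user-writable) gives you. It assumes the Linux audit framework with an execve rule such as `auditctl -a exit,always -F arch=b64 -S execve -k exec` and the record format auditd writes on a 2.6+ kernel; nothing on this page confirms that is available on the asker's RHEL 3 box. The audit.log lines are constructed for the example, including one argument that auditd hex-encodes because it contains spaces and one that it splits into `a1[0]`/`a1[1]` chunks.

```python
"""Reconstruct full command lines from Linux audit (auditd) execve records.

Assumption: every execve is logged (e.g. via
  auditctl -a exit,always -F arch=b64 -S execve -k exec)
and records follow the auditd on-disk format. Sample lines below are
constructed for this example, not taken from a real system.
"""
import re
import shlex

# Constructed sample audit.log (not from the original thread). Event 2001 is
# a root shell reached from login uid 500; 2002 is uid 501 running sudo with
# an argument auditd hex-encodes (it contains spaces); 2003 is a daemon
# context (auid unset) whose argument auditd split into chunks a1[0], a1[1].
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1100000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd a1=7ffe a2=7fff a3=0 items=2 ppid=4000 pid=4001 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1100000000.101:2001): argc=3 a0="ls" a1="-la" a2="/root"
type=SYSCALL msg=audit(1100000000.202:2002): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4100 pid=4101 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=4 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1100000000.202:2002): argc=4 a0="sudo" a1="sh" a2="-c" a3=636174202F6574632F736861646F77203E202F746D702F78
type=SYSCALL msg=audit(1100000000.303:2003): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4200 pid=4201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="echo" exe="/bin/echo" key="exec"
type=EXECVE msg=audit(1100000000.303:2003): argc=2 a0="echo" a1[0]="first-half-" a1[1]="second-half"
"""

SERIAL_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_\[\]]+)=(?P<val>"[^"]*"|\S+)')
ARG_RE = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')
AUID_UNSET = 4294967295  # 0xffffffff: no login session (daemons, boot-time)


def decode_value(raw):
    """auditd quotes plain strings; an unquoted EXECVE value is hex-encoded bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'[0-9A-Fa-f]+', raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_fields(line):
    """Split one audit record into its key=value fields."""
    return {m.group('key'): m.group('val') for m in FIELD_RE.finditer(line)}


def execve_argv(fields):
    """Rebuild argv from aN / aN[chunk] fields of an EXECVE record."""
    argc = int(fields.get('argc', '0'))
    chunks = {}
    for key, val in fields.items():
        m = ARG_RE.match(key)
        if m:
            idx, part = int(m.group(1)), int(m.group(2) or 0)
            chunks.setdefault(idx, {})[part] = decode_value(val)
    argv = []
    for i in range(argc):
        parts = chunks.get(i, {})
        argv.append(''.join(parts[p] for p in sorted(parts)))
    return argv


def reconstruct_commands(log_text):
    """Join SYSCALL and EXECVE records by serial into one entry per exec."""
    events = {}
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = int(m.group('serial'))
        ev = events.setdefault(serial, {'serial': serial, 'ts': float(m.group('ts'))})
        f = parse_fields(line)
        if f.get('type') == 'SYSCALL':
            auid = int(f.get('auid', AUID_UNSET))
            ev['auid'] = None if auid == AUID_UNSET else auid  # login uid survives su/sudo
            ev['uid'] = int(f['uid'])
            ev['exe'] = decode_value(f.get('exe', '""'))
            ev['success'] = f.get('success') == 'yes'
        elif f.get('type') == 'EXECVE':
            ev['argv'] = execve_argv(f)
    out = []
    for serial in sorted(events):
        ev = events[serial]
        if 'argv' not in ev or 'uid' not in ev:
            continue  # half an event (e.g. truncated log); do not guess
        ev['cmdline'] = ' '.join(shlex.quote(a) for a in ev['argv'])
        out.append(ev)
    return out


def format_report(commands):
    """One line per exec: time, effective uid, originating login uid, command."""
    lines = []
    for ev in commands:
        who = f"uid={ev['uid']}"
        if ev['auid'] is not None and ev['auid'] != ev['uid']:
            who += f" (login uid {ev['auid']})"
        lines.append(f"{ev['ts']:.3f} {who} {ev['cmdline']}")
    return lines


if __name__ == '__main__':
    for line in format_report(reconstruct_commands(SAMPLE_AUDIT_LOG)):
        print(line)
```

The point of joining on the serial is that the EXECVE record carries the argv while the SYSCALL record carries uid and auid; the auid is the original login uid and is what lets you attribute a root command back to the person who ran su or sudo. The log is written by the daemon rather than by the user's shell, so an ordinary user cannot simply edit it the way they can edit .bash_history; a user who is already root can still stop the daemon or truncate the file, which is why the rest of this thread ends up at "you cannot audit an untrusted root", and why in practice the log is shipped off the box as it is written.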
David Piniella replied:

Check out sudoscript: http://egbok.com/sudoscript/
I believe that the bash history is re-written on logout, so a user couldn't just delete it (although you can set an environment variable to not log commands to history at all... check the bash man page for info on that).
ASKER CERTIFIED SOLUTION by ahoffmann (members-only; the text is not available on this page)

SOLUTION (members-only; the text is not available on this page)

The key point is not the shell, but user root.
Yes, but running a shell-within-a-shell will bypass any logging for _any_ user, including root. The bottom line is that if you don't trust the users on the machine (especially whoever is running as root) then they should not have access to that machine at all.
The user is root; it doesn't matter which program is started by root, because root can always change anything (except, for example, under SELinux).
JammyPak (asker) replied:

Thanks guys... kinda what I suspected, but thanks anyway.