JammyPak
asked on
Capturing all command history
Hi all,
Client wants to capture an audit trail of all commands executed on their server (especially commands as root....)
They currently have process accounting enabled, so the 'lastcomm' command is available, but it only gives the executable name, not the full command line. I know that there's also a .bash_history for each user, but it seems that a user could probably edit that file and erase their tracks pretty easily. The 'audit daemon' is something that I haven't played around with yet, but this is a RHEL 3 server, so that would be available.
Is there a simple way to get what the user wants?
thanks.
check out sudoscript: http://egbok.com/sudoscript/
I believe that the bash history is re-written on logout, so a user couldn't just delete it (although you can set an environment variable to not log commands to history at all... check the bash man page for info on that.)
The key point is not the shell, but user root.
yes, but running a shell-within-a-shell will bypass any logging for _any_ user, including root. the bottom line is that if you don't trust the users on the machine (especially whoever is running as root) then they should not have access to that machine at all.
The user is root; it doesn't matter which program is started by root, 'cause root can always change anything (except, for example, see SELinux).
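The gap the thread identifies (lastcomm records only the executable name, and root can rewrite its own history file) is what the execve records of the Linux Audit subsystem are meant to close: the EXECVE record carries every argument, and the SYSCALL record's auid field keeps the original login uid even after su. The following parser is an added example, not code from the thread; it assumes the record format of the later auditd on 2.6-kernel systems (RHEL 4 and newer), not the RHEL 3 tooling the question mentions, and the log lines, uids and event ids are constructed.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample records (not from the thread). Event 101: login user auid=1000 runs "su -".
# Event 102: the resulting root shell runs a command; auditd hex-encodes a2 because it
# contains spaces. A rule such as "-a always,exit -F arch=b64 -S execve -k exec" produces these.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2310 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/bin/su" key="exec"
type=EXECVE msg=audit(1700000000.100:101): argc=2 a0="su" a1="-"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2310 pid=2320 auid=1000 uid=0 gid=0 euid=0 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1700000000.200:102): argc=3 a0="sh" a1="-c" a2=6C73202D6C202F726F6F74
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')         # timestamp and event id


def decode_arg(raw):
    """EXECVE args are double-quoted, or hex-encoded when they hold spaces, quotes or control bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_events(log_text):
    """Join SYSCALL and EXECVE records by event id and rebuild argv; later EXECVE records
    for the same event (auditd splits long argument lists) extend the same argv."""
    events = defaultdict(lambda: {'args': {}})
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[int(m.group(2))]
        fields = dict(FIELD_RE.findall(line))
        if fields.get('type') == 'SYSCALL':
            ev['time'] = float(m.group(1))
            ev['auid'] = int(fields['auid'])      # login uid: survives su/sudo
            ev['uid'] = int(fields['uid'])        # uid the command actually ran as
            ev['exe'] = fields['exe'].strip('"')
        elif fields.get('type') == 'EXECVE':
            for key, value in fields.items():
                if re.fullmatch(r'a\d+', key):
                    ev['args'][int(key[1:])] = decode_arg(value)
    result = []
    for _, ev in sorted(events.items()):
        if ev['args'] and 'uid' in ev:
            ev['argv'] = [ev['args'][i] for i in sorted(ev['args'])]
            result.append(ev)
    return result


def root_commands_by_login_user(log_text):
    """(auid, full command line) for every execve that ran as uid 0: the audit trail the asker wants."""
    return [(ev['auid'], shlex.join(ev['argv'])) for ev in parse_events(log_text) if ev['uid'] == 0]
```

The one thing this still cannot defend against is the point made above: a root user can stop auditd or clear /var/log/audit, so the records only stay trustworthy if they are shipped off the host as they are written.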
ASKER
thanks guys...kinda what I suspected, but thanks anyway.