Solved

Capturing all command history

Posted on 2005-04-11
Last Modified: 2012-08-13
Hi all,
Client wants to capture an audit trail of all commands executed on their server (especially commands as root....)

They currently have process accounting enabled, so the 'lastcomm' command is available, but it only gives the executable name, not the full command line. I know that there's also a .bash-history for each user, but it seems that a user could probably edit that file and erase their tracks pretty easily. The 'audit daemon' is something that I haven't played around with yet, but this is a RHEL 3 server, so that would be available.

Is there a simple way to get what the user wants?

thanks.
0
Question by:JammyPak
8 Comments
 
LVL 9

Expert Comment

by:David Piniella
ID: 13758838
check out sudoscript: http://egbok.com/sudoscript/
0
 
LVL 9

Expert Comment

by:David Piniella
ID: 13758842
I believe that the bash history is re-written on logout, so a user couldn't just delete it (although you can set an environment variable to not log commands to history at all... check the bash man page for info on that.)
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1800 total points
ID: 13760498
> ..  audit trail of all commands executed on their server (especially commands as root....)
impossible with standard Linux. Dot.

you need something like SELinux
http://sf.net/projects/selinux/
http://www.nsa.gov/selinux/
0
 
LVL 9

Assisted Solution

by:David Piniella
David Piniella earned 200 total points
ID: 13761343
agreed that a standard Linux (like RH) will not be able to do this very well; if someone runs a shell as a process, your audit trail stops right there (the logs will show user ran "bash" and won't show you what they ran _inside_ that shell...)

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13761743
the key point is not the shell, but user root
0
 
LVL 9

Expert Comment

by:David Piniella
ID: 13762157
yes, but running a shell-within-a-shell will bypass any logging for _any_ user, including root. the bottom line is that if you don't trust the users on the machine (especially whoever is running as root) then they should not have access to that machine at all.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13762635
the user is root, it doesn't matter which program is started by root 'cause root can always change anything (except for example see SELinux)
0
 
LVL 16

Author Comment

by:JammyPak
ID: 13763424
thanks guys...kinda what I suspected, but thanks anyway.
0
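
Added example, not part of the original thread: a sketch of what the audit daemon mentioned in the question records on current Linux systems, rebuilding full command lines from execve events. It assumes the present-day auditd SYSCALL/EXECVE record format (RHEL 3's audit subsystem may differ); the rule key `exec_audit` and all sample records are constructed for illustration.

```python
import re

# Assumed audit rule (key name "exec_audit" is hypothetical):
#   -a always,exit -F arch=b64 -S execve -k exec_audit
# Constructed sample records in auditd log format (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1113220801.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2304 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="exec_audit"
type=EXECVE msg=audit(1113220801.101:501): argc=1 a0="bash"
type=SYSCALL msg=audit(1113220809.440:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2304 pid=2311 auid=1000 uid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="exec_audit"
type=EXECVE msg=audit(1113220809.440:502): argc=3 a0="rm" a1="-rf" a2=2F746D702F6D7920646972
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw):
    """Quoted values are literal; unquoted ones are hex-encoded by auditd."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def reconstruct(log_text):
    """Join SYSCALL and EXECVE records that share an event serial number."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events.setdefault(int(serial), {})
        if rtype == "SYSCALL":
            ev.update({k: int(fields[k]) for k in ("auid", "uid", "pid", "ppid")})
        elif rtype == "EXECVE":
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
    return [events[s] for s in sorted(events) if "uid" in events[s] and "argv" in events[s]]

def root_commands(log_text):
    """(login uid, parent pid, argv) for every program executed with uid 0."""
    return [(e["auid"], e["ppid"], e["argv"]) for e in reconstruct(log_text) if e["uid"] == 0]

if __name__ == "__main__":
    for auid, ppid, argv in root_commands(SAMPLE_LOG):
        print(f"auid={auid} ppid={ppid} argv={argv}")
```

In the sample, the `rm` started from inside the nested `bash` (its ppid is that shell's pid) is still recorded with its full arguments and the original login uid. Shell builtins never call execve, so they do not appear, and records kept only on the same host remain within root's reach.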


Question has a verified solution.
