Capturing all command history

Hi all,
Client wants to capture an audit trail of all commands executed on their server (especially commands as root....)

They currently have process accounting enabled, so the 'lastcomm' command is available, but it only gives the executable name, not the full command line. I know that there's also a .bash_history for each user, but it seems that a user could probably edit that file and erase their tracks pretty easily. The 'audit daemon' is something that I haven't played around with yet, but this is a RHEL 3 server, so that would be available.

Is there a simple way to get what the user wants?

thanks.
JammyPak asked:
ahoffmann commented:
> .. audit trail of all commands executed on their server (especially commands as root....)
impossible with standard Linux. Dot.

you need something like SELinux
http://sf.net/projects/selinux/
http://www.nsa.gov/selinux/
0
 
David Piniella commented:
check out sudoscript: http://egbok.com/sudoscript/
0
 
David Piniella commented:
I believe that the bash history is re-written on logout, so a user couldn't just delete it (although you can set an environment variable to not log commands to history at all; check the bash man page for info on that).
0
David Piniella commented:
Agreed that a standard Linux (like RH) will not be able to do this very well; if someone runs a shell as a process, your audit trail stops right there (the logs will show the user ran "bash" and won't show you what they ran _inside_ that shell...).

0
 
ahoffmann commented:
The key point is not the shell, but user root.
0
 
David Piniella commented:
Yes, but running a shell-within-a-shell will bypass any logging for _any_ user, including root. The bottom line is that if you don't trust the users on the machine (especially whoever is running as root) then they should not have access to that machine at all.
0
 
ahoffmann commented:
The user is root; it doesn't matter which program is started by root, 'cause root can always change anything (except, for example, see SELinux).
0
 
JammyPak (Author) commented:
Thanks guys... kinda what I suspected, but thanks anyway.
0
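The thread settles on "not with standard tools", but the audit daemon the question mentions does record the execve syscall together with the full argument vector, which is exactly what lastcomm lacks, and it does so for every program started inside a nested shell, since each one is a fresh execve. The following is an added example, not code from this thread or from any tool linked in it. It assumes a host running the Linux audit framework (auditd) with an execve rule such as `auditctl -a always,exit -F arch=b64 -S execve -k cmds` loaded; the rule and the log lines below are constructed for the example. It rebuilds command lines from the SYSCALL/EXECVE record pairs, decodes auditd's hex encoding of arguments that contain spaces, and picks out the commands that ran as uid 0 while keeping the login uid (auid) that identifies the person behind them.

```python
"""Rebuild full command lines from Linux audit EXECVE records.

Added example (not from the original thread).  Assumes a host running
auditd with an execve rule loaded, e.g.
    auditctl -a always,exit -F arch=b64 -S execve -k cmds
Each exec then produces a SYSCALL record (who ran it) and an EXECVE
record (argc and a0..aN) sharing one serial number.  Arguments that
contain whitespace or non-printable bytes are written unquoted as hex;
very long arguments are split into aN[0], aN[1], ... pieces.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: an unprivileged `ls`, then a root (uid=0) `cat` whose
# path argument contains spaces and is therefore hex-encoded, then root
# starting a new shell.  auid stays 1000 throughout: the login uid survives
# su/sudo, so the root commands are still tied to the person who logged in.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/bin/ls" key="cmds"
type=EXECVE msg=audit(1700000000.101:4567): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.205:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=950 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="cmds"
type=EXECVE msg=audit(1700000000.205:4568): argc=2 a0="cat" a1=2F7661722F6C6F672F6D7920617070206C6F67
type=SYSCALL msg=audit(1700000000.310:4569): arch=c000003e syscall=59 success=yes exit=0 ppid=950 pid=960 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/bin/bash" key="cmds"
type=EXECVE msg=audit(1700000000.310:4569): argc=1 a0="bash"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'([\w\[\]]+)=(?:"([^"]*)"|(\S+))')
ARG_KEY_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")
SYSCALL_KEYS = ("auid", "uid", "euid", "pid", "ppid", "exe", "key")


def parse_fields(body):
    """Split 'k=v k="v v"' into {key: (value, was_quoted)}."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        key, quoted, bare = m.groups()
        fields[key] = (quoted, True) if quoted is not None else (bare, False)
    return fields


def decode_arg(value, was_quoted):
    """Quoted values are literal text; unquoted values are audit's hex encoding."""
    if was_quoted:
        return value
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value  # not hex after all (e.g. "(null)"): keep the raw text


def reconstruct(log_text):
    """Return one dict per exec event, ordered by serial, with argv and cmdline."""
    events = defaultdict(lambda: {"argv": {}})
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = float(ts)
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            for k in SYSCALL_KEYS:
                if k in fields:
                    v = fields[k][0]
                    ev[k] = int(v) if v.isdigit() else v
        elif rtype == "EXECVE":
            for key, (value, was_quoted) in fields.items():
                am = ARG_KEY_RE.match(key)
                if am:  # aN or aN[piece]; pieces are re-joined below
                    idx, piece = int(am.group(1)), int(am.group(2) or 0)
                    ev["argv"].setdefault(idx, {})[piece] = decode_arg(value, was_quoted)
    records = []
    for serial in sorted(events):
        ev = events[serial]
        argv = ["".join(pieces[p] for p in sorted(pieces))
                for _, pieces in sorted(ev["argv"].items())]
        records.append({**ev, "serial": serial, "argv": argv, "cmdline": shlex.join(argv)})
    return records


def root_commands(records):
    """Commands that executed as uid 0, whichever login account started them."""
    return [r for r in records if r.get("uid") == 0]


if __name__ == "__main__":
    for r in reconstruct(SAMPLE_LOG):
        print(f"{r['serial']} auid={r['auid']} uid={r['uid']} {r['cmdline']}")
```

Two caveats match what the thread says. Execve auditing sees every binary started inside a nested shell, but not shell builtins or the individual lines of a script, so it is a record of programs run, not of keystrokes. And ahoffmann's point stands: a user who is root can stop or reconfigure the audit daemon; locking the rule set with `auditctl -e 2` (which makes it immutable until reboot) and shipping the log off the host before it can be edited are the usual mitigations.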