

Tracking Root Activities (Linux)

Posted on 2008-11-12
Medium Priority
Last Modified: 2013-12-16
How can I track users' activities, especially the root user, under openSuse 10.2? I know about the history command and the .bash_history file. However, I am looking for a log file that records all users' activities with dates, commands, file names and other information...
I am looking for a best-practice method to keep track of users' activities.

Thanks in advance

Question by:AbdellahT

Accepted Solution

mp022 earned 2000 total points
ID: 22942355
Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account and use su or sudo to execute privileged commands. Discouraging administrators from accessing the root account directly ensures an audit trail in organizations with multiple administrators.

Root should also be prohibited from connecting via network protocols like SSH.
1. In /etc/sshd you should set PermitRootLogin=no

The sudo command allows fine-grained control over which users can execute commands using other accounts. The primary benefit of sudo is that it provides an audit trail of every command run by a privileged user (/var/log/secure). It is possible for a malicious administrator to circumvent this restriction, but if there is an established procedure that all root commands are run using sudo, then it is easy for an auditor to detect unusual behavior when this procedure is not followed.
2. Add all administrators to the wheel group
3. Edit the file /etc/sudoers and uncomment the line
%wheel ALL=(ALL) ALL

LVL 19

Expert Comment

ID: 22942961

Loads of information on the net; this gives an overview. I'll see if I can find a more detailed doc.

LVL 19

Expert Comment

ID: 22943040
Also found this:


You don't want to audit too much or your logs will fill up with unimportant information and you'll then miss something critical.

Just keep auditing to important areas and files.


LVL 14

Expert Comment

ID: 22943340
You just need to enable process accounting. The kernel will keep a log of executed commands.  This is a fail-safe way to catch everything, rather than having to know what files you want to watch (which also has its place, of course).

BTW, the first poster is right about sudo, however you do NOT want to enable ALL=ALL.  Any user could then "sudo su -" and become root, and you have no more logging.

Author Comment

ID: 22943667
Thanks guys,

I added the admin accounts to the wheel group in the /etc/group file.
I changed the sudoers file to read %wheel ALL=(ALL) ALL
Then I created a test account called test, but the test account can still su (not sudo su) to the root account.
I thought that adding users to the wheel group would prevent everybody else from su-ing to a root shell,
or is there something I am missing?

LVL 19

Expert Comment

ID: 22943735
su still means you have to enter a password, so it's still secure.

you could, I guess, rename it so only admins know to run sume, for example :-)
LVL 19

Expert Comment

ID: 22943753
also, su attempts are logged in /var/log/secure

Expert Comment

ID: 22945650
Poster arrkerr1024 has a point.
Process accounting will help you get what you want. See

That, combined with my previous best practices recommendation, will record who is doing what on the server. Even if the admin uses su to become root. That's because now you can see who issued the command to become root as well as what he did as root.

Of course, any user who becomes root can delete records from the local logs. So, if you are concerned about that, you should be saving these logs to another server where these admins don't have access. From here it becomes a matter of how paranoid do you need to get...

Expert Comment

ID: 22945701
If your test user was able to use sudo, then check the /etc/sudoers file for other group permissions (start with %) assigned there. All of the group permissions should be commented out except for the "%wheel..." line.
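The checks recommended in this thread (PermitRootLogin in sshd_config, only the %wheel line left active in /etc/sudoers, and the warning that ALL=(ALL) ALL still hands out a root shell via sudo su -) written as a script, as an added example that is not part of the original thread. The config text is constructed; /etc/ssh/sshd_config is the usual location of the sshd file on openSUSE, and the parsing ignores sshd Match blocks and sudoers aliases, line continuations and #include directives:

```python
"""Checks for the two settings recommended in this thread: PermitRootLogin in
sshd_config and the user/group grants in /etc/sudoers.  Added example, not part
of the original thread.  The sample config text is constructed; the parsing is
deliberately minimal (no sshd "Match" blocks, no sudoers line continuations,
aliases or #include/#includedir files)."""
import re

# Constructed sshd_config excerpt.  sshd uses the FIRST uncommented value of a
# keyword, so "PermitRootLogin no" below only counts because nothing before it
# sets the keyword; a "yes" above it would silently win.
SAMPLE_SSHD_CONFIG = """\
# PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
"""

# Constructed sudoers excerpt.  openSUSE's stock file pairs "Defaults targetpw"
# with "ALL ALL=(ALL) ALL", a grant for every user that is easy to overlook when
# you only look for lines starting with '%'.
SAMPLE_SUDOERS = """\
Defaults targetpw   # ask for the target user's password, not the invoker's
ALL ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
# %wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
%users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
"""

SSHD_DIRECTIVE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")  # "Key value" or "Key=value"
SUDOERS_NON_SPEC = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def effective_sshd_value(config_text, keyword):
    """Return the value sshd would use for keyword: the first uncommented
    occurrence (keywords are case-insensitive), or None if it never appears."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SSHD_DIRECTIVE.match(line)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).strip()
    return None


def root_ssh_login_disabled(config_text):
    """True only when the effective PermitRootLogin is 'no'.  A missing keyword
    means the compiled-in default, which still permits root logins ('yes' on
    releases of this era, 'prohibit-password' on current OpenSSH)."""
    value = effective_sshd_value(config_text, "PermitRootLogin")
    return value is not None and value.lower() == "no"


def sudoers_user_specs(sudoers_text):
    """Return (who, spec) for every uncommented grant line, where who is a user,
    %group or ALL.  Trailing '# ...' comments are dropped first."""
    specs = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SUDOERS_NON_SPEC):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            specs.append((parts[0], parts[1].strip()))
    return specs


def spec_grants_all_commands(spec):
    """True when the command list of a spec is the bare keyword ALL, after
    stripping the optional (runas) list and tags such as NOPASSWD:.  Such a
    grant lets the user run 'sudo su -' or 'sudo -i', after which nothing
    further is written to the sudo log."""
    _, _, rhs = spec.partition("=")
    rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)   # "(ALL) ..." -> "..."
    rhs = re.sub(r"^(?:[A-Z]+:\s*)+", "", rhs)    # "NOPASSWD: ..." -> "..."
    return rhs.strip() == "ALL"


def unexpected_sudoers_grants(sudoers_text, allowed=("%wheel",)):
    """Grant lines whose subject is not in the allowed set; the thread's advice
    is that only %wheel should remain."""
    return [(who, spec) for who, spec in sudoers_user_specs(sudoers_text)
            if who not in allowed]


def root_shell_capable_grants(sudoers_text):
    """Subjects that can obtain an unlogged root shell through sudo."""
    return [who for who, spec in sudoers_user_specs(sudoers_text)
            if spec_grants_all_commands(spec)]


if __name__ == "__main__":
    print("PermitRootLogin effective:",
          effective_sshd_value(SAMPLE_SSHD_CONFIG, "PermitRootLogin"))
    print("unexpected grants:", unexpected_sudoers_grants(SAMPLE_SUDOERS))
    print("root-shell capable:", root_shell_capable_grants(SAMPLE_SUDOERS))
```

Run it against the real files with `open("/etc/ssh/sshd_config").read()` and `open("/etc/sudoers").read()` as root. Note that on the constructed sample both ALL and %wheel come back as root-shell capable: the wheel grant the accepted answer recommends is exactly the one the later comment warns about, so the script only tells you who can reach a root shell, not whether that is acceptable policy.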

Author Comment

ID: 22952391

Hi all

I used the acct tool on openSuse. However, it does not provide enough valuable information. For example, the lastcomm utility prints out the following output.

vi                    testuser stderr     0.10 secs Thu Nov 13 11:01
su                    testuser stderr     0.02 secs Thu Nov 13 11:02

I would like to know the arguments passed to the commands. For example, the vi command was vi /etc/passwd, but from the output I would not be able to know which file the user tried to modify or has modified.

Sudo's approach gives better logging.

Sudo.log entry:

Nov 13 11:27:20 : testuser : TTY=pts/0 ; PWD=/var/log ; USER=root  COMMAND=/usr/bin/vi /etc/passwd

The issue I have with sudo is that I want to be able to get the same logging when a user runs su and gets a root shell; wheel users, including root, do not have to use sudo to execute system commands after they su, therefore I would not be able to track their activities in sudo.log or any other log file. So I thought of preventing su-ing completely; that way I will force everyone to use sudo.

What do you guys think about this?

By the way thanks to you all,
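The sudo log line quoted in the post above, parsed and scanned for the commands after which sudo stops recording anything; this is an added example, not code from the thread. The first sample line is the one from the post; the other four are constructed, including a syslog-style line (host sudo: ...) and a denial (user NOT in sudoers). Flagging vi, less and more as escape-capable reflects their built-in shell escapes (:! and !), which run as root and are never logged by sudo:

```python
"""Parse sudo's own log format (the "Sudo.log entry" shown above) and flag the
commands after which sudo stops seeing what the administrator does: anything
that hands out an interactive root shell, and editors or pagers with a shell
escape (vi's ":!sh", less/more's "!cmd").  Added example, not part of the
original thread.  The first sample line is the one from the post; the rest are
constructed.  The regex also accepts the syslog form ("host sudo: user : ...")
and sudo's denial notes such as "user NOT in sudoers"."""
import os
import re

SAMPLE_SUDO_LOG = """\
Nov 13 11:27:20 : testuser : TTY=pts/0 ; PWD=/var/log ; USER=root  COMMAND=/usr/bin/vi /etc/passwd
Nov 13 11:28:02 : testuser : TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/su -
Nov 13 11:29:41 : admin1 : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov 13 11:30:05 : testuser : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/bin/ls
Nov 13 11:31:10 suse102 sudo:   admin1 : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?:\S+\s+sudo:\s+)?"                     # syslog form: "host sudo: "
    r":?\s*(?P<user>\S+)\s+:\s+"               # logfile form: ": user : "
    r"(?:(?P<note>[^;]+?)\s*;\s*)?"            # optional "user NOT in sudoers ;"
    r"TTY=(?P<tty>\S+)\s*;\s*PWD=(?P<pwd>\S+)\s*;\s*"
    r"USER=(?P<target>\S+)\s*;?\s*COMMAND=(?P<cmd>.*)$"
)

# Programs that give an interactive shell as the target user (sudo -i / -s
# show up in the log as the user's shell binary, so they are covered too).
SHELLS = {"su", "sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
# Programs with a documented shell escape (":!cmd" in vi/vim/view, "!cmd" in
# less/more, and man because it hands the text to a pager).
ESCAPE_CAPABLE = {"vi", "vim", "view", "less", "more", "man"}


def parse_sudo_line(line):
    """Return the fields of one sudo log line as a dict, or None if the line
    is not a sudo record."""
    m = SUDO_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(entry):
    """Reason this entry needs a second look: 'denied' (sudo refused it),
    'shell' (root shell, further commands unlogged), 'escape' (program with a
    shell escape), or None for an ordinary logged command."""
    if entry["note"]:
        return "denied"
    argv = entry["cmd"].split()
    prog = os.path.basename(argv[0]) if argv else ""
    if prog in SHELLS:
        return "shell"
    if prog in ESCAPE_CAPABLE:
        return "escape"
    return None


def audit_sudo_log(text):
    """Parse every line; return (all entries, flagged findings)."""
    entries, findings = [], []
    for line in text.splitlines():
        entry = parse_sudo_line(line)
        if entry is None:
            continue
        entries.append(entry)
        reason = classify(entry)
        if reason:
            findings.append({"ts": entry["ts"], "user": entry["user"],
                             "cmd": entry["cmd"], "reason": reason})
    return entries, findings


def flagged_per_user(findings):
    """Count flagged entries per invoking user, the figure an auditor would
    compare against the 'everything through sudo' procedure."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    entries, findings = audit_sudo_log(SAMPLE_SUDO_LOG)
    for f in findings:
        print("%s  %-8s %-7s %s" % (f["ts"], f["user"], f["reason"], f["cmd"]))
    print(flagged_per_user(findings))
```

For the editor case the fix is sudo's own sudoedit (sudo -e): the editor runs as the invoking user on a temporary copy, so a :! escape does not give root. The shell cases are the ones this thread is really about, and the script only makes them visible; the record of what happened after /bin/su - has to come from process accounting or from logs shipped to a host the admins cannot write to, as noted above.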


