Keeping Audit Trail of Activities from Root Login?
supersam asks: "This question might sound a bit naive, but I am comparatively new at this. So, here goes: on one of my applications, based on a UNIX platform, I need to implement a mechanism by which I can trace when an access to ROOT was attempted and what actions were performed during that session. While info on the first part is probably available through UNIX logs, the second bit is difficult for me. The need is arising because, while it is useful for the support team to know the ROOT password as most of the wonderful things can be done with that access, it also can be a nightmare if something goes wrong and we have to trace the culprit or the root cause of the problem (config files etc.). Is there any way of keeping an audit trail of all activities performed from ROOT login in UNIX which can be traced?" Interesting thought. About the easiest way to do this would be to give root its own custom shell and log everything that shell does. Are there shells that can already do this? Has anyone else implemented such a system? If so, what did you do?
This isn't related to the "Handing Over Root Passwords to Consultants" Ask Slashdot a couple of items below, is it? If not, there may be a few good suggestions there.
Though you still have to be careful with a few things... like "sudo sh" or "sudo su", where the only log you get is that a particular person ran sh/su, but not what they did after that point.
But IIRC, you can configure sudo access to specific programs/commands, and can block access to ones that cause problems like this.
And as long as you send your syslogs to a remote/secure machine you don't have to worry about a sudoer editing the logs to cover up after themselves either.
Ditto, sudo is your friend. There are a couple of things to be aware of. First, you can tell sudo to log to a separate file if that's what you want. Second, sudo has a -s switch which gives the user a shell for root. If they use that you won't have a log of what was done in the shell. I believe the use of -s can be disabled.
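To make the points above about a separate log file and the -s switch concrete, here is an added /etc/sudoers example (mine, not from the thread) that puts an unrestricted grant beside a restricted one; the group name support, the command list and the log paths are assumptions.

```sudoers
# Added example, not from the thread. "support", the command list and the
# log paths are assumptions; adapt them to your host.

# Weak: the group may run anything as root. "sudo -s" and "sudo sh" are
# accepted because the shell is just another permitted command, so the log
# records the shell launch and nothing typed inside it.
%support ALL=(root) ALL

# Corrected: per-command log in its own file (syslog keeps going too, so
# forward that to a remote host), plus I/O logging of the whole session.
Defaults logfile=/var/log/sudo.log
Defaults log_input, log_output
Defaults iolog_dir=/var/log/sudo-io

# Only named commands are allowed. "sudo -s" and "sudo sh" are refused
# because no shell appears in the list; do not rely on "!/bin/sh" style
# negations instead, the sudoers manual itself says they are not a
# reliable way to deny a command.
Cmnd_Alias SUPPORT_CMDS = /usr/sbin/service, /usr/bin/tail /var/log/*
%support ALL=(root) SUPPORT_CMDS
```

Even where a shell must be granted, log_input/log_output records the tty session so it can be replayed with sudoreplay, which closes the gap the comment describes.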
There's also the good ol' .history file; you could do something to archive the .history file for root.
/etc/shells contains /bin/bash
I help (in spare time) administer a shell provider (Techcellent.com).
What the admin did was modify bash itself, making a small portion of the code log something to a very obscure place that can't be accessed by anyone. Try that! But I think the line printer idea is a very good idea and requires the least effort.