Operating System - HP-UX

Re: How best to handle logging of indiv users to root via su or sudo

 
TwoProc
Honored Contributor

How best to handle logging of indiv users to root via su or sudo

Does anyone have tips on how to handle logging of individual users' commands, etc as root after coming in from su or sudo?

Is there some .profile script (I think I've seen them in the past) that somehow knows who I came in from and as, and then would generate a history file of each command? And secondly, a way to timestamp that stuff easily?

Best practices, tips, and scripts (especially the easiest ones to implement) are appreciated.
We are the people our parents warned us about --Jimmy Buffett
4 REPLIES 4
Bernie Vande Griend
Respected Contributor
Solution

Re: How best to handle logging of indiv users to root via su or sudo

We have 2 ways we handle this. Mostly we use rootsh, a 3rd party product and tie it into sudo:
%admin ALL=NOPASSWD: /usr/local/bin/rootsh -i -u root
I then have an alias called root for that command to run through sudo.
Then we stop direct root logins and force users to use sudo to get to root. rootsh is basically a screen capture tool that logs all the commands and the output of them to a log file for each user. It can also tie into syslog to send the information to a dedicated syslog server. We also do this for other generic signons used by specific applications.

For one account that has some control codes that don't work with the rootsh product, we put this in the .profile for that user:
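# Keep up to 2000 commands in a history file named after the original login user
HISTSIZE=2000
HISTFILE=$HOME/.sh_history_`who am i|awk '{ print $1}'`

export HISTFILE HISTSIZE
# For every command, store a "# <date>" line in the history file (read -s saves its input there)
trap 'date "+# %c" | read -s' debug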

This creates a separate HISTFILE for each user that accesses that ID. Then we force access to that ID through sudo.
Ye who thinks he has a lot to say, probably shouldn't.
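
An added example, not part of any post in this thread: if `who am i` prints nothing, the `.profile` line above names the file `.sh_history_` and every user shares it, so this sketch falls back to other sources and rejects names that are unsafe in a file name. The function names are hypothetical, and the `SUDO_USER` fallback assumes access goes through sudo, as the post describes.

```shell
#!/bin/sh
# Added example, not code from the thread. All function names are hypothetical.

# Accept only plain login names, so the value is safe inside a file name.
valid_name() {
    case $1 in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the first non-empty candidate if it is a valid name, else fail.
pick_user() {
    for cand in "$@"; do
        [ -n "$cand" ] || continue
        valid_name "$cand" || return 1
        printf '%s\n' "$cand"
        return 0
    done
    return 1
}

# Candidates in order: the thread's `who am i`, then sudo's SUDO_USER
# (assumption: access is through sudo), then logname.
orig_user() {
    pick_user \
        "$(who am i 2>/dev/null | awk 'NR==1 { print $1 }')" \
        "${SUDO_USER:-}" \
        "$(logname 2>/dev/null)"
}

# Print the per-user history path, or fail instead of yielding ".sh_history_".
histfile_for() {   # usage: histfile_for HOME_DIR USER
    valid_name "$2" || return 1
    printf '%s/.sh_history_%s\n' "$1" "$2"
}

# In a .profile (hypothetical wiring):
#   u=$(orig_user) && HISTFILE=$(histfile_for "$HOME" "$u") && export HISTFILE
```

If no name can be resolved, the wiring line leaves `HISTFILE` unset, which is easier to spot in review than a shared history file.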
TwoProc
Honored Contributor

Re: How best to handle logging of indiv users to root via su or sudo

Thanks Bernie for the reply.

So, your code relies on a feature of "who am i" that gives your logged in user id (not root) from whence you sudo'd from?

We are the people our parents warned us about --Jimmy Buffett
Michael Steele_2
Honored Contributor

Re: How best to handle logging of indiv users to root via su or sudo

My company used first a product called aurora and later another product called Amity. I prefer the aurora product. Aurora works by spawning a process for every remote console session and storing all of the input and output from these sessions.

Note that both require an additional serial connection into the console. And this is typical with what you're wanting to do. So factor in cable and stuff.

http://www.eng.auburn.edu/~doug/console.html

For the Aurora serial controller:

http://auroratech.com/uploadcache/pres_f&c_division_overview_8_2005.pdf

I can't find anything on Amity. I wonder if it's proprietary to SBC.

Support Fatherhood - Stop Family Law
Bernie Vande Griend
Respected Contributor

Re: How best to handle logging of indiv users to root via su or sudo

Yeah that code uses who am i to get the original ID that was logged in with so the history file for that user can be used. It works ok but I would prefer to use the option with rootsh where everything is logged. Unfortunately that 1 app for us has control codes that don't work well with it. We use rootsh on different versions of Redhat and AIX as well.

Also for console access we use a product called conserver which we use to access our HP-UX consoles through. You need some kind of terminal server to connect your consoles to and then conserver can attach to the server and port and control access, allow multiple people to watch a console session, and log all activity on the console. So this covers us for logging direct root access from the console and the conserver logs tell us who opened each session. conserver is free, but you'd have the cost for the terminal server and cables.
Ye who thinks he has a lot to say, probably shouldn't.