topic Re: SOX and Shell History in Operating System - HP-UX

SOX and Shell History

Eric Buckner — Thu, 14 Oct 2004 14:48:35 GMT

Hi all!

Our Security team is wanting us to track our shell history files daily for Sarbanes-Oxley compliance.

We long ago separated our root history files utilizing 'logname' and building HISTFILE based on that. So we know who is doing what since you can't get to root except by sudo or the console.

Our problem is that we can't figure out a good way to just pull out today's commands from the history file. Well the easy way is to start a new one each day.... But then we don't have access to our history from the previous day.

So I thought I would just write an entry to the history file that would actually be a NO-OP command that would signify login in and logout.

Well I am getting it into the file easy enough using tee. But I am missing something in the format of the file that is really horking up the first command after relogin.

Any ideas? Any better ways of doing this?

Thanks!
Eric

Re: SOX and Shell History

Geoff Wild — Thu, 14 Oct 2004 14:54:52 GMT

Can you post your .profile?

I tried print -s - but it somehow wiped out entries:

# Set up logging
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
export HISTFILE
# print -s makes a mess
#print -s $(date) >>$HISTFILE
date >>$HISTFILE
HISTSIZE=500
export HISTSIZE

The only way I see you doing this is to make a copy dailey, then parse out the info you need in a separate file...

Rgds...Geoff

Re: SOX and Shell History

Eric Buckner — Thu, 14 Oct 2004 15:04:59 GMT

Actually this pretty straight forward. I am not attempting to log the logins, just the logouts.

This is the section that does our history file stuff:

###
###
export WHOROOT=`/usr/bin/logname`
if [ -z "$WHOROOT" ]; then
WHOROOT=`echo $(who -Rm) | awk '{print $1}'`
fi
if [ "$WHOROOT" = "root" -a "`tty`" != "/dev/console" ]; then
echo "\n\nYOU ARE LOGGED IN AS ROOT!!!"
echo "PLEASE LOG IN AS YOURSELF AND "
echo "ISSUE THE SUROOT COMMAND!!!\n\n"
ISROOT=1
else
ISROOT=0
fi

export PS1="
`echo "["'$PWD'"]"`
$LOGNAME on `uname -n` -# "

typeset -l ANSWER=""
while [ -z "$ANSWER" ]; do

if [ "$WHOROOT" != "root" ]; then
ANSWER=$WHOROOT
else
echo "Who are you? \c"
read ANSWER
fi
case $ANSWER in
eric|ebuckner)
export HISTFILE=~/.sh_history.eric
continue;;
phil|pgifford)
export HISTFILE=~/.sh_history.phil
continue;;
*)
export HISTFILE=~/.sh_history.$ANSWER
continue;;
esac
done

trap $HOME/.logout 0

###
###

The reason for multiple answers in the case, is so we can identify ourselves when logging in as root on the console so we have access to our own histories.

Now I know the history file has nulls in it but can determine what else it has in it that is being used as line control so I am experimenting w/ this format.

This is the .logout script:
echo "\0000logout at `date`\n\0000" | tee -a $HISTFILE

We have a script called logout that does absolutely nothing.

Re: SOX and Shell History

Eric Buckner — Thu, 14 Oct 2004 15:10:44 GMT

Geoff,
Hey man you actually have it. You just don't want to redirect print -s .

I just changed my .logout to:

print -s "logout at `date`"

and it is doing exactly what I want.

Repost so I can give you some more points.

Re: SOX and Shell History

Sanjay_6 — Thu, 14 Oct 2004 15:13:57 GMT

Hi Eric,

run a cron job to append in the .sh_history file.

01 00 * * * echo `date` >>/.sh_history

Hope this helps.

Regds

Re: SOX and Shell History

Geoff Wild — Thu, 14 Oct 2004 15:30:46 GMT

Make sure you test the print -s

I found I lost a bunch of my history....

But you are not redirecting - how are you doing it?

This is waht I determined:

date >>$HISTFILE

Which causes the first command to be appeneded to the date in the .sh_history file

I figured out a way to get the date on it's own line:

print -s $(date) >>$HISTFILE

The -s option causes the arguments to be written onto the history file instead of standard output.

Rgds...Geoff

Re: SOX and Shell History

Eric Buckner — Thu, 14 Oct 2004 15:42:23 GMT

Geoff,
You don't need to redirect. As you said the print -s handles putting it in the log file nicely.

I am doing this is my .profile:
print -s "LOGIN - `date '+%E%m%d'`"

and my .logout
print -s "LOGOUT - `date '+%E%m%d'`"

I then created 2 scripts called LOGIN and LOGOUT that only have an exit in them to protect me from accidently attempting to execute them.

Sanjay,
While the redirection of date isn't a good idea, I can see using the cron entry to mark the beginning and end of day using a print -s rather than having multiple entries everytime someone logs in.

Re: SOX and Shell History

Geoff Wild — Mon, 18 Oct 2004 10:00:39 GMT

Eric,

Nice work...

Now, I'm trying to run this from root's cron at midnight:

#!/bin/sh
#
# script to add a date stamp to the /.sh_history_$USER
# for those su'ed to root
# Only run from cron once a day
# gwild 2004-10-15
# set -x

# find parent process of all users signed in as root
for i in `ps -ef |grep "\-sh"|awk '{print $3}'`
do
# just grab the user name
USER=`ps -ef |grep $i |grep -v root|awk '{print $1}'`
# point to their .sh_history file
typeset -x HISTFILE=${HOME}/.sh_history_$USER
# time stamp it
print -s "`/usr/bin/date` $USER still logged in as root..."
unset HISTFILE
done

Unfortunatley, the print -s outputs to the first user in the list only - for all users...

tail /.sh_history_gwild

Mon Oct 18 08:55:00 MDT 2004 gwild still logged in as root...
Mon Oct 18 08:55:00 MDT 2004 user2 still logged in as root...
Mon Oct 18 08:55:01 MDT 2004 user3 still logged in as root...
ls -altr
tail .sh_history_gwild

Output with set -x:

+ ps -ef
+ grep \-sh
+ awk {print $3}
+ + ps -ef
+ grep 8983
+ grep -v root
+ awk {print $1}
USER=gwild
+ typeset -x HISTFILE=//.sh_history_gwild
+ /usr/bin/date
+ print -s Mon Oct 18 08:53:16 MDT 2004 gwild still logged in as root...
+ unset HISTFILE
+ + ps -ef
+ grep 737
+ grep -v root
+ awk {print $1}
USER=user2
+ typeset -x HISTFILE=//.sh_history_user2
+ /usr/bin/date
+ print -s Mon Oct 18 08:53:16 MDT 2004 user2 still logged in as root...
+ unset HISTFILE
+ + ps -ef
+ grep 12746
+ grep -v root
+ awk {print $1}
USER=user3
+ typeset -x HISTFILE=//.sh_history_user3
+ /usr/bin/date
+ print -s Mon Oct 18 08:53:16 MDT 2004 user3 still logged in as root...
+ unset HISTFILE

Any ideas?

Rgds...Geoff

Re: SOX and Shell History

Eric Buckner — Tue, 19 Oct 2004 12:12:29 GMT

Geoff,
Yeah I had the same problem. I gave up on it and put in an AT job for what I needed. I figured I will come back to it later.

It seems like it is binding the HISTFILE the first time around and even though you unset it, it still has a lock on the inode and doesn't release it.

One option would be to put the part that sets the HISTFILE and does the print -s in a subshell. That would possibly allow it to release the inode.

Re: SOX and Shell History

Eric Buckner — Tue, 19 Oct 2004 12:27:41 GMT

Geoff,
I got this working. Unfortunately I can't think of a cleaner way to do it than 2 separate scripts so here they are:

script1.sh:
#!/usr/bin/sh

ADMINS="you me"

for NAME in $ADMINS; do

HIST=/root/.sh_history.$NAME
script2.sh $HIST

done
### End of script1.sh

script2.sh:
#!/usr/bin/sh

export HISTFILE=$1

print -s "### Test"

exit
### End of script2.sh

You can add what ya need in there for checking who is logged in and what not.

Re: SOX and Shell History

Geoff Wild — Tue, 19 Oct 2004 12:43:27 GMT

Eric, check out the solution in my thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=722093

Rgds...Geoff

Re: SOX and Shell History

Eric Buckner — Tue, 19 Oct 2004 13:18:07 GMT

Geoff,
GREAT! I was getting there, and love the subshell thing in the function.

One thing I would suggest because it bit me a few minutes ago while testing this. Make sure you put some #'s at the beginning of your print -s. ie print -s "### `date`". That way if you do try to execute it, it is a comment and won't work.

Re: SOX and Shell History

Geoff Wild — Tue, 19 Oct 2004 13:52:50 GMT

Eric - good idea on the ###'s

I modified my script and also added to root's .profile:

# Set up logging
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
export HISTFILE
print -s "### login at `/usr/bin/date` ###"
#date >>$HISTFILE
HISTSIZE=500
export HISTSIZE

Rgds...Geoff