topic Re: process history in Operating System - HP-UX

process history

peterchu — Mon, 14 Feb 2005 04:33:13 GMT

We have some EDP members have the root password , , I found a command have run by root user , now I want to trace who ( or IP address ) have run this command , I use "history" and /.sh_history can found the command history but can't let me know who run it , could suggest how can I know who use the command previously ? thx.

Re: process history

Robert-Jan Goossens — Mon, 14 Feb 2005 04:38:39 GMT

Hi,

If accounting is enabled you could use the lastcomm command.

Best regards,
Robert-Jan

Re: process history

Cem Tugrul — Mon, 14 Feb 2005 04:55:21 GMT

Hi,
As an addition for Paul's reply
you can put these lines in .profile of root;

HistUser=`who am i | awk '{print $1}'`
export HISTFILE=$HOME/.hist_${HistUser}

This creates a file in / like;

.hist_username
so you can easily monitor who su to root.

Good luck,

Re: process history

Cem Tugrul — Mon, 14 Feb 2005 04:58:03 GMT

opss,

Robert's reply...

Re: process history

peterchu — Tue, 15 Feb 2005 00:57:13 GMT

thx replies , i will set it up as suggestions , but if I want to check the history that has already made ( eg. one week ago ) , is it possible ? thx

Re: process history

Ravi_8 — Tue, 15 Feb 2005 01:01:04 GMT

Hi

Unless the system is trusted you can't

Re: process history

Rolf Modin — Tue, 15 Feb 2005 07:22:59 GMT

Cem:s suggestion to modify the .profile for root was a very nice one. You get a separate history file for every one that log on as root, and in each the command history for that person!

But I suppose there is no way to protect the files so that the root-user who is ashamed of his doings can not hide what he has done?

Hm.. maybe logging the same information as in the .history_ files, to a remote log-server with logger commands?

Hm...?

Re: process history

Peter Godron — Tue, 15 Feb 2005 07:31:21 GMT

Hi,
if you have multiple users logging into the root account directly and you have not had the log split or command audit on, there is no way you can say who issued a command.

We always force users to log on with their own id and then su to root. Direct root access is disabled, bar from the console.
So we can trace who was logged on as root at any given time from the sulog.

Regards

Re: process history

Bill Hassell — Tue, 15 Feb 2005 07:36:32 GMT

Giving the root password to non-system administrators is a huge mistake. There is no log kept of commands by user's IP address. The only solution is to implement sudo and change the root password. Now, no one logs in as root and if the user has permission to run a particular command (part of the sudo config file), it will be logged by user, date/time and the actual command. Several sysadmins actually go so far as to eliminate root logins by automatically changing the root password to a random string every 5 minutes--no one knows the root password and now all system administration is via sudo--with complete traceability and instant control (such as removing a particular user's sudo privileges).