topic Re: How to trace script running bu root in Operating System - HP-UX

How to trace script running bu root

Leo The Cat — Thu, 22 May 2008 12:02:20 GMT

Hi

I give sudo authorization for one script to some users. (This script is executed by sudo as root).

Example: sudo /su22/script/myscript.sh

For the moment users can modify this script and could introduce a forbiden command.
It's impossible for me to avoid this.

How to obtain a trace of all sub commands called inside this script.

Thanks for any propositions
Regards
Den

Re: How to trace script running bu root

Steven E. Protter — Thu, 22 May 2008 12:07:16 GMT

Shalom,

tusc can do it.

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/tusc-7.9/

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/trace-1.6/

The former is much more modern.

SEP

Re: How to trace script running bu root

Leo The Cat — Thu, 22 May 2008 12:10:35 GMT

Is there any tusc equivalent but for AIX ?

Regards Den

Re: How to trace script running bu root

Robert-Jan Goossens — Thu, 22 May 2008 12:13:56 GMT

Hi Den,

Try truss on AIX.

Regards,
Robert-Jan

Re: How to trace script running bu root

Torsten. — Thu, 22 May 2008 12:23:02 GMT

Maybe it is easier to watch the script instead of a trace of this script?

(I have something like "diff" in mind ...)

Re: How to trace script running bu root

Leo The Cat — Thu, 22 May 2008 12:24:50 GMT

Hi Torsten

read the script is not good the user can change it, run and roll back to the previsous version...

Regards
Den

Re: How to trace script running bu root

Torsten. — Thu, 22 May 2008 12:31:32 GMT

I guess it is hard to give somebody root access and then trying to dis-allow something ...

IMHO even if you log the actions to a file somewhere, if somebody really want to do anything, he can also delete these entries from the logs, because (via the script) he is still root ...

Re: How to trace script running bu root

Patrick Wallek — Thu, 22 May 2008 13:27:17 GMT

>>For the moment users can modify this script >>and could introduce a forbiden command.
>>It's impossible for me to avoid this.

Why is that? If you have given access via sudo, then permissions for the script should be set to -r-x------ (500) with root as the owner I see no reason that users should be able to modify this script, unless there is something you're not telling us.

Anything you do in this script could potentially be changed by users, so the point is really moot.

Re: How to trace script running bu root

Leo The Cat — Thu, 22 May 2008 15:16:08 GMT

Hi Patrick

;-) Of course it's possible to do this but i can't because this script is altered by Oracle fix pack installation. My Problem is that i can accept Oracle modification but i need to avoid all personal root commands hidden in the myscript.sh !

Regards
Den

Re: How to trace script running bu root

Torsten. — Thu, 22 May 2008 18:46:59 GMT

Is it really necessary to be root in order to modify / run the script?

If it is, you are lost.
The user can easily prepare a modified shell, add another root user ... everything, because he is root. If you have no idea, you can't know what to looking for.

Trust your users - that's it.

Re: How to trace script running bu root

Eduard Constantinescu — Mon, 07 Jul 2008 12:06:23 GMT

Hi,
just one sugestion:
- U can make a small script, that check the if the script was modif. in the last zxz minutes, and if yes then copy (I mean replace) the modif. one with your original one - and of course, create yourself a log, to check it when U have time;
- create your own policy to use this script, and the rest is history, I think...

eddy