topic Re: capturing root executed commands in Operating System - HP-UX

capturing root executed commands

S.S. — Fri, 05 Feb 2010 04:22:12 GMT

Hi All,

May i know how can we capture logs for the root executed commands?
Is it any way to capture.

Thanks!

Re: capturing root executed commands

Kapil Jha — Fri, 05 Feb 2010 04:25:12 GMT

cd ~root
ls -lart
there would be .history file which would be having all the command run by root.

I suppose ur company should be having other security tools for this.
one is called powerbroker.

BR,
Kapil+

Re: capturing root executed commands

R.K. # — Fri, 05 Feb 2010 04:31:06 GMT

Hi S.S.,

Apart from /.sh_history file as mentioned, may be this might also help you:

If you are doing any activity you can capture all of your commands and their outputs as executed that you see on screen to any specific file.

---------------------
#>script /tmp/commands
Script started, file is /tmp/commands

--
command1
command2
--

#>exit
Script done, file is /tmp/commands
---------------------

So, in file /tmp/commands all you screen outputs will be captured.

# more /tmp/commands
--
commands and outputs by you
--

Regds..

Re: capturing root executed commands

S.S. — Fri, 05 Feb 2010 05:14:21 GMT

Hi,

My previous administrator was used to capture the root executed commands in syslog.

May i know how we can do this?

Re: capturing root executed commands

Michael Steele_2 — Fri, 05 Feb 2010 06:15:18 GMT

Hi

ALL root commands ???

Really.

Some commands like LVM are inheirtently captured in syslog, vgcfgbackup for instance.

Can you provide an example?

Re: capturing root executed commands

VK2COT — Fri, 05 Feb 2010 07:09:21 GMT

Hello,

You did not specify for which version
of HP-UX you need it.

HP-UX 11.31 has new Audit system and RBAC
extensions. So, the answer is YES.
You can capture logs for the root-executed
commands.

For example, you can set up KEYSTROKE LOGGING.

Perform the following steps after installing
the RBAC product depot:

1. Add entries in the PAM configuration
file (/etc/pam.conf):

login session optional libpam_keystroke.so.1
dtlogin session optional libpam_keystroke.so.1
sshd session optional libpam_keystroke.so.1
rcomds session optional libpam_keystroke.so.1
OTHER session optional libpam_keystroke.so.1

This module may be configured for one or
more services, depending on the intended
logging. For more information on pam.conf
and the syntax of the entries, refer to
pam.conf(4).

2. Enable keystroke logging in /etc/rbac/rbac.conf:

KEY_STROKE_LOGGING = 1

3. Create a keyfilter file under /etc/rbac
specifying what users to log. For more
information on customizing specific policies,
see key_filter(4m).

Subsequent access by the targeted users will
cause a keystroke log file to be generated
and stored in the location specified in
/etc/rbac/rbac.conf file. Note that in the
event that a user has privileged access,
they may be able to modify these files. It is
recommended that modification of the files be
monitored (for example, by HP-UX Host IDS)
or that they periodically be transferred off-host.

In short, HP-UX 11.31 can do a lot.
I would hope you use the latest version of HP-UX for many reasons.

VK2COT

Re: capturing root executed commands

S.S. — Fri, 05 Feb 2010 07:33:40 GMT

Hi,

My OS version is HP-UX 11.11

Model rp844o

Thanks!

Re: capturing root executed commands

Jupinder Bedi — Fri, 05 Feb 2010 07:40:43 GMT

.history or .shellname_history suppose if you are using bash shell you will find in

.bash_history

or simple run the history commnad on the hash prompt and if you want to see last 100 line use following

#history -100

but this will not 100% perfect solution because if someone is running any script or any loop it will not show you in the history

and also please assign the points to those who came for your help here .

Re: capturing root executed commands

Johnson Punniyalingam — Fri, 05 Feb 2010 07:44:08 GMT

if you are running "HPUX 11.11"

you need write script which can capture "root" commands from .sh_history file, also you need increase .sh_history file length and place script under the .profile of "root"

BTW, Check with you. do like to capture your commands, while your working ? so that you can refer back ?

Re: capturing root executed commands

Michael Steele_2 — Fri, 05 Feb 2010 08:04:49 GMT

Hi

Please don't do down the .sh_history rat hole. There a couple of reasons for not doing this and going either to power broker or using a 'script' file.

In /root/.profile add the command script > file just like recommended above. Why? The .sh_history file is very hard to manage. You can get the size right but it will load into vi or save from vi due to its format and you're going to want to do this some day. Nor will and date stamps or other navigational landmarks easily write into it.

The only issue with using 'script' is one more exit.

Re: capturing root executed commands

Michael Steele_2 — Fri, 05 Feb 2010 08:09:34 GMT

Sorry, typo.

"...will NOT load into vi well or save from vi WELL due to its ..."

So, use DATE=$(date %H%M%S) (* this is approx. to get 020310_HHMMSS *) to create an extension for

script > file_name_$DATE

Re: capturing root executed commands

S.S. — Fri, 05 Feb 2010 08:49:19 GMT

Hi Johnson,

To refer back.

Also, currently after drawing root password from manager we usually take a screenshots of what we have done and need to submit when returning the root password.

thanks!

Re: capturing root executed commands

Johnson Punniyalingam — Fri, 05 Feb 2010 10:03:21 GMT

>>To refer back<<

This makes life easier, -->

Give you a trick, c'mon.

Do you happen use "Putty" ? ->Session logging
please refer to attachment do give some ideas,

This how I do , while working, because we need sent logs for review for my manager, hope this helps .:)

Thanks,
Johnson

Re: capturing root executed commands

Johnson Punniyalingam — Fri, 05 Feb 2010 10:06:39 GMT

Check the attachment,

Regards,
Johnson

Re: capturing root executed commands

S.S. — Mon, 08 Feb 2010 05:52:07 GMT

Thank you...:-)