topic Re: Audit root in Operating System - HP-UX

Audit root

Daniel Ubeda — Thu, 29 Jul 2004 08:44:19 GMT

Hi,

I need to audit the access and commands executed from root user, how can I do this ?
And if I need to audit another users ??

I have hp-ux 11.0

thanks

Re: Audit root

RAC_1 — Thu, 29 Jul 2004 09:03:13 GMT

Put the following code in root's .profile.

export HISTFILE=/root/.sh_history.$$
LOGINID=`who am i 2>/dev/null |cut -f1 -d" "`
if [ "$LOGINID" != "" ]
then
who -m -u >/var/adm/security/rootlogs/login.$$
fi
unset LOGINID

This will create the history file as .sh_history.xxxx.
xxxx-is the shell pid.

Anil

Re: Audit root

Chris Wilshaw — Thu, 29 Jul 2004 09:08:09 GMT

I use the following in the root .profile (we don't allow direct root login to the servers, so users have to use su);

export I_AM=`who -m | awk '{print $1}'`
export LOGIN_DATE=`date +%d%m%y`
export HISTFILE=/var/tmp/history/.sh_history.$I_AM.$LOGIN_DATE

This gives me a list of root commands in history files for any user on a given date

eg: if I was to use my test ID to switch to root today, I'd end up with a file

/var/tmp/history/.sh_history.cwtest.290704

Re: Audit root

Geoff Wild — Thu, 29 Jul 2004 10:01:04 GMT

We do this in root's .profile:

# Set up logging
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
date >>$HISTFILE
export HISTFILE
HISTSIZE=500
export HISTSIZE

Rgds...Geoff

Re: Audit root

Muthukumar_5 — Thu, 29 Jul 2004 12:43:08 GMT

If you want to audit shell commands which is executed by root or anyother users, then settings are needed in /etc/profile file.

Make a history file and size with HISTFILE and HISTSIZE options.

Use HISTFILE as meanful to identify the users and their logins. Use this settings after the export of $HOME variable to that user.

HISTFILE=$HOME/.sh_history_$(id -un).$$
export $HISTFILE
HISTSIZE=1000
export $HISTSIZE
echo who >> $HISTFILE

You can identify number of logins which made by the user on that day with that PID informations. More history files will be created with PID's.

find / -name ".sh_history_*" -exec ls {} \; | cut -d "." -f 1 | awk '{ print "mv "$1".* "$1 }' | sh

It will redirect all history of user's to $HOME/.sh_history file

Re: Audit root

John Kittel — Thu, 29 Jul 2004 13:09:19 GMT

A comment on responses so far: we also have history set up in root's .profile, - but if the user does "su root" ( leaving out the "-" ) root's .profile is not executed, and so history doesn't get saved. I'm considering moving the history setup to /etc/profile to fix that issue.

Re: Audit root

Daniel Ubeda — Mon, 02 Aug 2004 07:30:00 GMT

another tip is that if two users become root, in the history file the rows are writen not in sequential way, then, I will not follow the command for analisys ...