log all root cmds

dom kris
Frequent Advisor

log all root cmds

Hi,

this is probably a classic.
Is there a way to log all cmds executed by root?
We have numerous systems where a lot of people have root access (bad situation but for the moment it can't be helped).
I would like to log all the cmds that are executed by root (without activating auditing)
Currently what we are doing is that we log everything to the shell history with the PID in the shell history file name.
This works fine until the 'su' cmd is used (or when somebody puts the cmds in a script and runs the script).

Any ideas welcome

Kris
13 REPLIES
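A small checker for the per-PID history scheme Kris describes, added here as an example and not taken from the thread: it scans a directory of `root.<pid>` history files (constructed sample files below) and reports the sessions where the trail goes dark because `su` was run or history settings were tampered with, so those sessions can be reviewed by hand. The directory layout, the `root.<pid>` file naming and the one-command-per-line format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes history files are named
# root.<pid> in one directory, one command per line, as in Kris's scheme.

# Print "<file>:<line-number>:<command>" for every command that breaks the
# history trail: su to another account, or tampering with history settings.
find_trail_breaks() {
    dir="$1"
    for f in "$dir"/root.*; do
        [ -f "$f" ] || continue
        grep -n -E '^[[:space:]]*(su([[:space:]]|$)|unset[[:space:]]+HISTFILE|HISTFILE=|HISTSIZE=0|rm[[:space:]].*hist)' "$f" 2>/dev/null |
            sed "s|^|$f:|"
    done
}

# Count how many sessions (files) contain at least one trail break.
count_broken_sessions() {
    find_trail_breaks "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Build constructed sample history files in a scratch directory and print its path.
make_sample_histories() {
    d=$(mktemp -d)
    printf 'ls /etc\nvi /etc/hosts\nsu\nexit\n' > "$d/root.1201"       # su: trail continues elsewhere
    printf 'df -k\nunset HISTFILE\nvi /etc/passwd\n' > "$d/root.1345"   # history disabled mid-session
    printf 'ps -ef\nwho\ntail /var/adm/messages\n' > "$d/root.1402"     # clean session
    printf 'su - kris\n' > "$d/root.1500"                               # su to another account
    echo "$d"
}
```

Running `find_trail_breaks` against the sample directory flags the three sessions 1201, 1345 and 1500 and leaves 1402 alone.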
Johan Brusche
Honored Contributor

Re: log all root cmds


Kris,

You already excluded the only valid idea, so why bother for the rest.

Johan.

_JB_
Mobeen_1
Esteemed Contributor

Re: log all root cmds

Kris,
Looks like you are already doing it :-). Most if not all the folks do this by enforcing 'su' and log everything to the history file on that specific shell.

I would suggest that you stick to what you are doing and, in the event you have 'telnet' enabled for the root account, disable the same. This would make sure that all the folks who need to login as root will log in as themselves and then su to root.

take care

Mobeen
dom kris
Frequent Advisor

Re: log all root cmds

Hi Johan,

I messed around a bit with auditing but I did not find any way to only audit cmds run by root.
Also, I did not get it to work the way I wanted. I read the doc about a zillion times.
When I added the 'open' syscall to the list of calls to audit, every file open was audited, not only the ones I tagged with auditmask, resulting in huge audit files.
Also, I don't know if you can use auditing without activating Enhanced Security (which I don't want yet).

Basically, if I could configure auditing to only audit a few files and start auditing without En.Sec, I would be very happy.

Kris


dom kris
Frequent Advisor

Re: log all root cmds

Not really,

the problem is that people log on with telnet as root (no way to disable this right now although we are working on it).
Everything is logged to the hist file but if they do a 'su root' then there is no more logging in the hist file.
People who know about the logging scheme will actually use this to circumvent it.
So, I need a method to always log the cmd.

Kris
Johan Brusche
Honored Contributor

Re: log all root cmds


Anybody with root privileges that has something to hide (be it an involuntary mistake or a malicious action) can delete all your logging, including the history file and the audit logs.

The only valid idea is to allow only "one" person knowing the root passwd.

Johan.

_JB_
Michael Schulte zur Sur
Honored Contributor

Re: log all root cmds

Hi,

look into man script
if this is perhaps what you need.

greetings,

Michael
Michael Schulte zur Sur
Honored Contributor

Re: log all root cmds

Hi,

of course with root privileges you really have no security.

If the others need root for specific tasks you may look into sudo or dop.

What OS version have you got?

greetings,

Michael
Ann Majeske
Honored Contributor

Re: log all root cmds

As others have said, any time you give someone root access they have the privilege to circumvent any controls or logging that you try to impose.

You absolutely can run audit without enabling Enhanced Security. To get auditing to work only on specific files you need to enable object selection. You can't really audit all commands run by root, because this will audit all commands run by the 0 uid, which includes all daemons, etc. To get the accountability you need you have to have people log in as themselves first and su to root. The problem with this is that it's basically voluntary, because if they have the root password they can find a way to circumvent it, so you have to trust that your people will follow the proper procedure.

The only way to have control and accountability for these people is to find a way to give them the privilege that they need to do what they need to do without giving them the root password and full root privileges. There are several ways to do this that have already been mentioned here, including sudo and dop.

Ann
dom kris
Frequent Advisor

Re: log all root cmds

Hello Ann,

thanks for the feedback.
I have tried to set up auditing in the past but always failed miserably.
I always end up auditing everything, not only the files I want. If I add the 'open' call and use auditmask to activate object selection on some files, all opens on all files are always logged, resulting in enormous log files.
I only want to audit a change on the most common system files and some generic system operations (like adding or deleting a user).
I read through the security guide and the man pages (several times) and used sysman to set it up.
Also, when I use the system setup, at a certain point sysman shows me the list of objects that are chosen for object selection; in this list there are names of directories (like e.g. /). I don't know how directories are audited. If you add a dir, are all the files in the dir and subdirs automatically selected for auditing?
I have looked on the net for more info about auditing on Tru64 but there seems to be very little information available.

Kris

PS.: I am using Tru64 v5.1B-pk3
Michael Schulte zur Sur
Honored Contributor

Re: log all root cmds

Hi,

in case you haven't been here, look at chapter 3 of security administration:
http://h30097.www3.hp.com/docs/pub_page/V51B_DOCS/ADM_DOCS.HTM

greetings,

Michael
dom kris
Frequent Advisor

Re: log all root cmds

Thanks Michael,

I printed that book out a few months ago and started to set up auditing like they described in the book.
I reconfigured auditing. Then I did a 'find / -exec auditmask -q {} \;' to get the list of all the tagged objects.
Then I used auditmask to de-activate the object selection on the files I found via the 'find'.
Then I used auditmask to set object selection on only /etc/host.
Now after modifying /etc/host I get an entry in the audit log.
When I modify /tmp/test.txt I do not get an entry (before I did).
That's why I am suspecting that if you add a directory to object selection, all objects under that dir (even recursively) are implicitly added.
Another annoying thing is that in the audit logs I see the inode number of the file that has been changed (ftruncate call) and not the file, but since the audit log also logs the filesystem, I can find the file using the find cmd.

By the way, do you have any idea how many people there are actually using auditing on Tru64? I have asked around (even at HP internally) but there seem to be very few customers who use it.

Kris Dom
Michael Schulte zur Sur
Honored Contributor

Re: log all root cmds

Hi,

we do not use auditing.
Why do so many users have the root password?
As I said before, if they only need it for specific tasks, you should think about sudo or dop. Do you know the script command?

greetings,

Michael
dom kris
Frequent Advisor

Re: log all root cmds

The fact that a lot of users have the root passwd is because the company grew very fast (from 10 to 1500 people in only a few years), so there was very little time to put a decent security policy in place.
Basically, what I want to do now is to first contain the problem and then gradually fix it. I think that sudo is a good solution but I first need to know what is happening on the systems before I can put something like that in place.
Note that next to Tru64 there are also other Unixes, and ideally every solution must be generic so that it is managed and maintained the same way on every Unix flavor.