04-01-2013 02:21 AM
Hi,
The history option is enabled in the user profile, but when we switch user to root (su - root), how will one come to know what commands he/she executed on the system? Please see below the history of commands for, e.g., user nuttekar. As you can see, once (su - root) is executed, no further commands are recorded in the history for that user.
ll -lrt
date
exit
cat .sh_history
su - root
testdr1:/home/nuttekar#
Let me explain: our requirement came from the auditors. We are a total of 5 system administrators managing all the HP-UX servers. Direct root login is disabled on the server. We log in with our individual Unix IDs and then use (su - root) for root access. We are capturing SU logs for individual users who logged in as (su - root), as below:
***** list of switch user (su) on testdr1 ***** Date : 2013/03/24
SU 03/24 11:09 + 2 nuttekar-root
SU 03/24 11:41 + 3 nuttekar-root
But the auditors are asking: once an individual user has logged in as (su - root), is it possible to know what commands he/she executed on the system?
Or is there any other solution from which we can come to know the commands executed by that particular individual user once he/she has switched to root (su - root) on the system?
Thanks,
Narendra
04-01-2013 11:58 AM
Re: How one will come to know what commands he/she executed on the system after switching to root.
Once a regular user uses 'su - root' to become root, all commands run from then on get recorded in the command history for the root user. The user is no longer running anything under their own user ID; everything is now running as root.
You might be able to do something with a custom HISTFILE based on the original user name. For example, adding the following to root's .profile:
export HISTFILE=$(who am i | awk '{print $1}')-history
may generate a history file with the original user's name prepended. I haven't tested this, so I'm not sure it will work. The other thing is that there are NOT any time stamps in the command history.
You have to remember that the command history / command recall functions were designed as a convenience for the system administrator so that commands can be recalled easily. These functions were NEVER designed to function as any sort of auditing facility.
If you need full command history, with time stamps, you might consider a commercial product like Power Broker.
You could have some of the logging capabilities by using sudo, BUT all users MUST then use sudo exclusively for the commands to get logged. If you do something like 'sudo su - root' to become root, then you run into the same thing where commands run as root are NOT logged.
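A fuller form of the HISTFILE idea from the reply above, as an added example that is not part of the original post: it gives each `su - root` session its own history file named after the original login, with a start time that can be matched against the SU log lines shown in the question. The directory `/var/adm/root-history`, the file naming and the function names are assumptions, as is a root shell that honours HISTFILE set from `.profile`; root can still edit or redirect the file, so it helps attribution but is not a tamper-proof audit trail.

```shell
# Added example, not from the original post. HIST_DIR, the file naming and
# the function names are assumptions made for illustration.
HIST_DIR=${HIST_DIR:-/var/adm/root-history}

# Login name that owns the terminal; 'who am i' still reports it after su.
# Falls back to "unknown" when there is no terminal or the name looks odd.
original_login() {
    name=$(who am i 2>/dev/null | awk 'NR==1 {print $1}')
    case $name in
        ''|*[!A-Za-z0-9._-]*) name=unknown ;;   # keep the value path-safe
    esac
    printf '%s\n' "$name"
}

# <dir>/<login>-<YYYYmmdd-HHMMSS>-<pid>: one file per su session.
session_histfile() {
    printf '%s/%s-%s-%s\n' "$HIST_DIR" "$1" "$2" "$3"
}

# Call this from root's .profile.
setup_root_history() {
    # Create the directory readable by root only, without changing the
    # umask of the login shell itself.
    ( umask 077; mkdir -p "$HIST_DIR" ) || return 1
    HISTFILE=$(session_histfile "$(original_login)" "$(date +%Y%m%d-%H%M%S)" "$$")
    export HISTFILE
}
```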
04-02-2013 02:01 AM