Community
System Administration
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How one will come to know what commands he/she executed on the system after switching to root.

 
SOLVED
Go to solution
Narendra Uttekar
Narendra Uttekar
Regular Advisor

‎04-01-2013 02:21 AM

‎04-01-2013 02:21 AM

How one will come to know what commands he/she executed on the system after switching to root.

Hi,

The history option is enabled in the user profile but when we switch the user as root (su – root) how one will come to know what commands he/she executed on the system? Please see as below history of commands for e.g. user – nuttekar, But as you can see once (su – root) is executed no further commands are recorded in history for that user.

 

ll -lrt

date

exit

cat .sh_history

su - root

testdr1:/home/nuttekar#

 

Let me explain our requirement came from Auditors…We are total 5 system administrator managing all the HP-UX servers. Direct root login is disabled on the server. We login with our individual Unix ID and then use (su – root) for root access. We are capturing SU logs for individual users who logged in as (su – root) as below,

 

***** list of switch user (su) on testdr1 ***** Date :  2013/03/24

 

SU 03/24 11:09 + 2 nuttekar-root

SU 03/24 11:41 + 3 nuttekar-root

 

But Auditors are asking is it possible to know once individual user logged in as (su – root) to know what commands he/she executed on the system?

 

Or is there any other solution from where we can come to know the commands executed by that particular individual user once switching as (su - root) on the system.

 

Thanks,

Narendra

0 Kudos
Reply
2 REPLIES
Patrick Wallek
Patrick Wallek
Honored Contributor

‎04-01-2013 11:58 AM

‎04-01-2013 11:58 AM

Re: How one will come to know what commands he/she executed on the system after switching to root.

Once a regular user uses 'su - root' to become root, all commands run then get recorded in the command history for the root user.  The user is no longer running anything under their own user ID, everything is now running as root.

 

You might be able to do something with a custom HISTFILE based on the original user name.  For example, adding the following to root's .profile:

 

export HISTFILE=$(who am i | awk '{print $1}')-history

 

may generate a history file with the original users name prepended.  I haven't tested this, so I'm not sure it will work.  The other thing is that there are NOT any time stamps in the command history.

 

You have to remember that the command history / command recall functions were designed as a convenience for the system administrator so that commands can be recalled easily.  These functions were NEVER designed to be function as any sort of auditing facility.

 

If you need full command history, with time stamps, you might consider a commercial production like Power Broker.

 

You could have some of the logging capabilities by using sudo, BUT all users MUST then use sudo exclusively for the commands to get logged.  If you do something like 'sudo su - root' to become root, then you run into the same thing where commands run as root are NOT logged.

 

Reply
coollllllllllll
coollllllllllll
Regular Advisor

‎04-02-2013 02:01 AM

‎04-02-2013 02:01 AM

Solution

Re: How one will come to know what commands he/she executed on the system after switching to root.

Hi ,

 

We use the following in /etc/profile

 

 

 

export LOGINNAME=`who am i | awk '{print $1}'`
export HISTFILE="/var/tmp/hist_`date +%y%m%d.%H%M%S`.${LOGINNAME}.$LOGNAME.$$"

Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.