
capturing root executed commands

 
S.S.
Super Advisor

capturing root executed commands

Hi All,

May I know how we can capture logs for the root executed commands?
Is there any way to capture them?

Thanks!
Kapil Jha
Honored Contributor

Re: capturing root executed commands

cd ~root
ls -lart
There would be a .history file, which would have all the commands run by root.

I suppose your company should have other security tools for this.
One is called PowerBroker.

BR,
Kapil+
I am in this small bowl, I wane see the real world......
R.K. #
Honored Contributor

Re: capturing root executed commands

Hi S.S.,

Apart from the /.sh_history file as mentioned, maybe this might also help you:

If you are doing any activity you can capture all of your commands and their outputs as executed that you see on screen to any specific file.

---------------------
#>script /tmp/commands
Script started, file is /tmp/commands

--
command1
command2
--

#>exit
Script done, file is /tmp/commands
---------------------

So, in the file /tmp/commands all your screen outputs will be captured.

# more /tmp/commands
--
commands and outputs by you
--

Regds..
Don't fix what ain't broke
S.S.
Super Advisor

Re: capturing root executed commands

Hi,

My previous administrator used to capture the root executed commands in syslog.

May I know how we can do this?
Michael Steele_2
Honored Contributor

Re: capturing root executed commands

Hi

ALL root commands ???

Really.

Some commands like LVM are inherently captured in syslog, vgcfgbackup for instance.

Can you provide an example?
Support Fatherhood - Stop Family Law
VK2COT
Honored Contributor
Solution

Re: capturing root executed commands

Hello,

You did not specify for which version
of HP-UX you need it.

HP-UX 11.31 has a new Audit system and RBAC
extensions. So, the answer is YES.
You can capture logs for the root-executed
commands.

For example, you can set up KEYSTROKE LOGGING.

Perform the following steps after installing
the RBAC product depot:

1. Add entries in the PAM configuration
file (/etc/pam.conf):

login session optional libpam_keystroke.so.1
dtlogin session optional libpam_keystroke.so.1
sshd session optional libpam_keystroke.so.1
rcomds session optional libpam_keystroke.so.1
OTHER session optional libpam_keystroke.so.1

This module may be configured for one or
more services, depending on the intended
logging. For more information on pam.conf
and the syntax of the entries, refer to
pam.conf(4).

2. Enable keystroke logging in /etc/rbac/rbac.conf:

KEY_STROKE_LOGGING = 1

3. Create a keyfilter file under /etc/rbac
specifying what users to log. For more
information on customizing specific policies,
see key_filter(4m).

Subsequent access by the targeted users will
cause a keystroke log file to be generated
and stored in the location specified in
/etc/rbac/rbac.conf file. Note that in the
event that a user has privileged access,
they may be able to modify these files. It is
recommended that modification of the files be
monitored (for example, by HP-UX Host IDS)
or that they periodically be transferred off-host.

In short, HP-UX 11.31 can do a lot.
I would hope you use the latest version of HP-UX for many reasons.

VK2COT
VK2COT - Dusan Baljevic
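
A check for the setup described in the answer above, as an added example that is not part of the original thread or of the RBAC product: it reports which PAM services are not covered by the keystroke module and whether KEY_STROKE_LOGGING is switched on. The function names and the sample files are constructed for illustration, and the fallback to OTHER for services without their own session entries is an assumption about pam.conf semantics.

```shell
# Added example: check the keystroke-logging setup from the steps above.
# Paths are arguments, so it can be run against copies of the files.

# Print each service (args 2..n) whose session stack in pam.conf ($1) lacks
# libpam_keystroke. Assumption: a service with no session lines of its own
# falls back to the OTHER entries, as in usual pam.conf semantics.
missing_keystroke_services() {
    pam_conf=$1; shift
    for svc in "$@"; do
        awk -v s="$svc" '
            /^[ \t]*#/ || $2 != "session" { next }
            $1 == s       { own = 1; if ($4 ~ /libpam_keystroke\.so/) hit = 1 }
            $1 == "OTHER" { if ($4 ~ /libpam_keystroke\.so/) other = 1 }
            END { exit ((own ? hit : other) ? 0 : 1) }' "$pam_conf" ||
            printf '%s\n' "$svc"
    done
}

# Succeed only if rbac.conf ($1) has an uncommented KEY_STROKE_LOGGING = 1.
keystroke_logging_enabled() {
    awk -F= '
        /^[ \t]*#/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == "KEY_STROKE_LOGGING" { val = v }
        END { exit (val == "1" ? 0 : 1) }' "$1"
}

# Constructed sample files (not from a real host): sshd has its own session
# stack without the keystroke module, and logging is switched off.
demo=${TMPDIR:-/tmp}/ksl_demo.$$
mkdir -p "$demo"
cat > "$demo/pam.conf" <<'EOF'
login  session optional libpam_keystroke.so.1
sshd   session required libpam_unix.so.1
OTHER  session optional libpam_keystroke.so.1
EOF
printf 'KEY_STROKE_LOGGING = 0\n' > "$demo/rbac.conf"

echo "Services not covered by keystroke logging:"
missing_keystroke_services "$demo/pam.conf" login dtlogin sshd rcomds OTHER
if keystroke_logging_enabled "$demo/rbac.conf"; then
    echo "KEY_STROKE_LOGGING is enabled"
else
    echo "KEY_STROKE_LOGGING is NOT enabled"
fi
rm -rf "$demo"
```

On a real host the arguments would be /etc/pam.conf and /etc/rbac/rbac.conf, run from a location root sessions cannot silently alter.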
S.S.
Super Advisor

Re: capturing root executed commands

Hi,

My OS version is HP-UX 11.11

Model rp844o

Thanks!
Jupinder Bedi
Respected Contributor

Re: capturing root executed commands

.history or .shellname_history; suppose you are using the bash shell, you will find it in

.bash_history

or simply run the history command at the hash prompt, and if you want to see the last 100 lines use the following

#history -100

but this will not be a 100% perfect solution, because if someone is running any script or any loop it will not show up in the history

and also please assign the points to those who came to help you here.
All things excellent are as difficult as they are rare
Johnson Punniyalingam
Honored Contributor

Re: capturing root executed commands

If you are running "HPUX 11.11"

you need to write a script which can capture "root" commands from the .sh_history file; you also need to increase the .sh_history file length and place the script under the .profile of "root".

BTW, checking with you: would you like to capture your commands while you're working, so that you can refer back?
Problems are common to all, but attitude makes the difference
Michael Steele_2
Honored Contributor

Re: capturing root executed commands

Hi

Please don't go down the .sh_history rat hole. There are a couple of reasons for not doing this and going either to power broker or using a 'script' file.

In /root/.profile add the command script > file just like recommended above. Why? The .sh_history file is very hard to manage. You can get the size right but it will load into vi or save from vi due to its format and you're going to want to do this some day. Nor will any date stamps or other navigational landmarks easily write into it.

The only issue with using 'script' is one more exit.
Support Fatherhood - Stop Family Law