Re: Audit root

Daniel Ubeda
Frequent Advisor

Audit root

Hi,

I need to audit the access and commands executed by the root user. How can I do this?
And what if I need to audit other users?

I have HP-UX 11.0.

thanks
Daniel
RAC_1
Honored Contributor
Solution

Re: Audit root

Put the following code in root's .profile.

export HISTFILE=/root/.sh_history.$$
LOGINID=`who am i 2>/dev/null |cut -f1 -d" "`
if [ "$LOGINID" != "" ]
then
who -m -u >/var/adm/security/rootlogs/login.$$
fi
unset LOGINID

This will create the history file as .sh_history.xxxx, where xxxx is the shell PID.

Anil
There is no substitute to HARDWORK
Chris Wilshaw
Honored Contributor

Re: Audit root

I use the following in the root .profile (we don't allow direct root login to the servers, so users have to use su):

export I_AM=`who -m | awk '{print $1}'`
export LOGIN_DATE=`date +%d%m%y`
export HISTFILE=/var/tmp/history/.sh_history.$I_AM.$LOGIN_DATE

This gives me a list of root commands in history files for any user on a given date.

eg: if I was to use my test ID to switch to root today, I'd end up with a file

/var/tmp/history/.sh_history.cwtest.290704
Geoff Wild
Honored Contributor

Re: Audit root

We do this in root's .profile:

# Set up logging
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
date >>$HISTFILE
export HISTFILE
HISTSIZE=500
export HISTSIZE

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Muthukumar_5
Honored Contributor

Re: Audit root

If you want to audit shell commands executed by root or any other users, then settings are needed in the /etc/profile file.

Set the history file and its size with the HISTFILE and HISTSIZE variables.

Make the HISTFILE name meaningful so you can identify the users and their logins. Put these settings after $HOME has been exported for that user.

HISTFILE=$HOME/.sh_history_$(id -un).$$   # one file per user and per login shell PID
export HISTFILE                           # export the variable name, not its value
HISTSIZE=1000
export HISTSIZE
who am i >> $HISTFILE                     # record the login identity at the top of the file

You can identify the number of logins made by the user on that day from the PID information; one history file is created per PID.

find / -name ".sh_history_*" -print 2>/dev/null | while read f; do cat "$f" >> "$(dirname "$f")/.sh_history"; done

It will append all of the user's per-PID history to the $HOME/.sh_history file.
Easy to suggest when don't know about the problem!
John Kittel
Trusted Contributor

Re: Audit root

A comment on responses so far: we also have history set up in root's .profile, but if the user does "su root" (leaving out the "-") root's .profile is not executed, and so history doesn't get saved. I'm considering moving the history setup to /etc/profile to fix that issue.
Daniel Ubeda
Frequent Advisor

Re: Audit root

Another tip is that if two users become root, the rows in the history file are not written in a sequential way, so I will not be able to follow the commands for analysis ...
Daniel
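Pulling the thread's advice together as an added example (not code from any of the posters): a POSIX sh fragment suitable for /etc/profile that gives each session its own history file named by the login identity, date and shell PID, so two concurrent root sessions do not interleave and `su` without `-` is still covered. The directory /var/adm/security/rootlogs is taken from RAC_1's post; the function names are assumptions.

```shell
#!/bin/sh
# Added example: per-session shell history for auditing root (and other) logins.

# Build the history file name from login name, date (ddmmyy), shell PID and log dir.
# An empty login name (no controlling terminal, so `who am i` prints nothing)
# falls back to "unknown" rather than producing an ambiguous file name.
history_path() {
    _login=$1; _date=$2; _pid=$3; _dir=$4
    [ -n "$_login" ] || _login=unknown
    printf '%s/.sh_history.%s.%s.%s\n' "$_dir" "$_login" "$_date" "$_pid"
}

# The original login name: `who am i` reports the owner of the terminal, which
# survives `su` (whereas $LOGNAME and `id -un` become root after switching).
login_name() {
    who am i 2>/dev/null | awk '{ print $1 }'
}

# Set up history logging for the current shell. Placing this in /etc/profile
# also catches `su root` without `-`, which does not read root's .profile.
setup_history() {
    _dir=${1:-/var/adm/security/rootlogs}   # assumed log directory
    [ -d "$_dir" ] || mkdir -p "$_dir"
    chmod 700 "$_dir"                        # history may contain sensitive arguments
    HISTFILE=$(history_path "$(login_name)" "$(date +%d%m%y)" "$$" "$_dir")
    HISTSIZE=1000
    export HISTFILE HISTSIZE
    # Stamp the session start so files from concurrent sessions can be ordered later.
    { printf '# session start: '; date; who -m -u 2>/dev/null || :; } >> "$HISTFILE"
}
```

Call `setup_history` (optionally with a different directory) at the end of /etc/profile; each login then gets a file such as /var/adm/security/rootlogs/.sh_history.cwtest.290704.1234.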