- Re: capturing root executed commands
02-04-2010 08:22 PM
May I know how we can capture logs for the root executed commands?
Is there any way to capture them?
Thanks!
02-04-2010 08:25 PM
Re: capturing root executed commands
ls -lart
There would be a .history file which would have all the commands run by root.
I suppose your company should have other security tools for this.
One is called powerbroker.
BR,
Kapil+
02-04-2010 08:31 PM
Re: capturing root executed commands
Apart from the /.sh_history file as mentioned, maybe this might also help you:
If you are doing any activity, you can capture all of your commands and their outputs, as you see them on screen, to a specific file.
---------------------
#>script /tmp/commands
Script started, file is /tmp/commands
--
command1
command2
--
#>exit
Script done, file is /tmp/commands
---------------------
So, in the file /tmp/commands all your screen outputs will be captured.
# more /tmp/commands
--
commands and outputs by you
--
Regds..
02-04-2010 09:14 PM
Re: capturing root executed commands
My previous administrator used to capture the root executed commands in syslog.
May I know how we can do this?
02-04-2010 10:15 PM
Re: capturing root executed commands
ALL root commands ???
Really.
Some commands like LVM are inherently captured in syslog, vgcfgbackup for instance.
Can you provide an example?
02-04-2010 11:09 PM
Solution
You did not specify for which version
of HP-UX you need it.
HP-UX 11.31 has new Audit system and RBAC
extensions. So, the answer is YES.
You can capture logs for the root-executed
commands.
For example, you can set up KEYSTROKE LOGGING.
Perform the following steps after installing
the RBAC product depot:
1. Add entries in the PAM configuration
file (/etc/pam.conf):
login session optional libpam_keystroke.so.1
dtlogin session optional libpam_keystroke.so.1
sshd session optional libpam_keystroke.so.1
rcomds session optional libpam_keystroke.so.1
OTHER session optional libpam_keystroke.so.1
This module may be configured for one or
more services, depending on the intended
logging. For more information on pam.conf
and the syntax of the entries, refer to
pam.conf(4).
2. Enable keystroke logging in /etc/rbac/rbac.conf:
KEY_STROKE_LOGGING = 1
3. Create a keyfilter file under /etc/rbac
specifying what users to log. For more
information on customizing specific policies,
see key_filter(4m).
Subsequent access by the targeted users will
cause a keystroke log file to be generated
and stored in the location specified in
/etc/rbac/rbac.conf file. Note that in the
event that a user has privileged access,
they may be able to modify these files. It is
recommended that modification of the files be
monitored (for example, by HP-UX Host IDS)
or that they periodically be transferred off-host.
In short, HP-UX 11.31 can do a lot.
I would hope you use the latest version of HP-UX for many reasons.
VK2COT
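A check for steps 1 and 2 above, as an added example that is not part of the original post or of HP's tooling. It assumes the pam.conf rule that OTHER covers only services with no session entry of their own; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the settings from steps 1 and 2.
# Function names are hypothetical; the sample files below are constructed.

# Print each service in "$@" whose sessions would NOT load libpam_keystroke.
# pam.conf fields: service, module type, control flag, module path.
# Assumption: OTHER applies only to a service with no session entry of its own.
missing_keystroke_services() {
    pam_conf=$1; shift
    for svc in "$@"; do
        awk -v svc="$svc" '
            /^[ \t]*#/ || $2 != "session" { next }
            $1 == svc     { own = 1; if ($4 ~ /libpam_keystroke\.so\.1$/) own_ks = 1 }
            $1 == "OTHER" { if ($4 ~ /libpam_keystroke\.so\.1$/) other_ks = 1 }
            END { covered = (own ? own_ks : other_ks); exit (covered ? 0 : 1) }
        ' "$pam_conf" || printf '%s\n' "$svc"
    done
}

# Return 0 only when rbac.conf sets KEY_STROKE_LOGGING to 1.
# Assumption: if the key appears more than once, the last setting counts.
keystroke_logging_enabled() {
    awk -F= '
        /^[ \t]*#/ { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "KEY_STROKE_LOGGING" { state = val }
        END { exit (state == "1" ? 0 : 1) }
    ' "$1"
}

# Constructed sample: sshd has its own session entry without the keystroke
# module, rcomds has none (so OTHER covers it), and logging is switched off.
sample_dir=${TMPDIR:-/tmp}/ksl_sample.$$
mkdir -p "$sample_dir"
cat > "$sample_dir/pam.conf" <<'EOF'
# constructed sample, not a real system file
login   session optional libpam_keystroke.so.1
dtlogin session optional libpam_keystroke.so.1
sshd    session required libpam_unix.so.1
OTHER   session optional libpam_keystroke.so.1
EOF
cat > "$sample_dir/rbac.conf" <<'EOF'
# constructed sample
KEY_STROKE_LOGGING = 0
EOF

echo "services without keystroke logging:"
missing_keystroke_services "$sample_dir/pam.conf" login dtlogin sshd rcomds
keystroke_logging_enabled "$sample_dir/rbac.conf" || echo "KEY_STROKE_LOGGING is not 1"
```

On a live system, pass /etc/pam.conf and /etc/rbac/rbac.conf instead of the sample files.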
02-04-2010 11:33 PM
Re: capturing root executed commands
My OS version is HP-UX 11.11
Model rp844o
Thanks!
02-04-2010 11:40 PM
Re: capturing root executed commands
.bash_history
or simply run the history command at the hash prompt, and if you want to see the last 100 lines use the following
#history -100
but this will not be a 100% perfect solution, because if someone is running any script or any loop it will not show up in the history
and also please assign the points to those who came for your help here.
02-04-2010 11:44 PM
Re: capturing root executed commands
You need to write a script which can capture "root" commands from the .sh_history file; you also need to increase the .sh_history file length and place the script under the .profile of "root".
BTW, checking with you: would you like to capture your commands while you're working, so that you can refer back?
02-05-2010 12:04 AM
Re: capturing root executed commands
Please don't go down the .sh_history rat hole. There are a couple of reasons for not doing this and going either to power broker or using a 'script' file.
In /root/.profile add the command script > file just like recommended above. Why? The .sh_history file is very hard to manage. You can get the size right but it will load into vi or save from vi due to its format and you're going to want to do this some day. Nor will any date stamps or other navigational landmarks easily write into it.
The only issue with using 'script' is one more exit.