Operating System - HP-UX

How to trace script running by root

 
Leo The Cat
Regular Advisor


Hi

I give sudo authorization for one script to some users. (This script is executed by sudo as root).

Example: sudo /su22/script/myscript.sh

For the moment users can modify this script and could introduce a forbidden command.
It's impossible for me to avoid this.

How to obtain a trace of all sub commands called inside this script?

Thanks for any propositions
Regards
Den
Steven E. Protter
Exalted Contributor
Solution

Re: How to trace script running by root

Shalom,

tusc can do it.

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/tusc-7.9/

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/trace-1.6/

The former is much more modern.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Leo The Cat
Regular Advisor

Re: How to trace script running by root

Is there any tusc equivalent but for AIX?

Regards Den
Robert-Jan Goossens
Honored Contributor

Re: How to trace script running by root

Hi Den,

Try truss on AIX.

Regards,
Robert-Jan
Torsten.
Acclaimed Contributor

Re: How to trace script running by root

Maybe it is easier to watch the script instead of a trace of this script?

(I have something like "diff" in mind ...)

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
Leo The Cat
Regular Advisor

Re: How to trace script running by root

Hi Torsten

Reading the script is not good: the user can change it, run it and roll back to the previous version...

Regards
Den
Torsten.
Acclaimed Contributor

Re: How to trace script running by root

I guess it is hard to give somebody root access and then try to dis-allow something ...

IMHO even if you log the actions to a file somewhere, if somebody really wants to do anything, he can also delete these entries from the logs, because (via the script) he is still root ...


Hope this helps!
Regards
Torsten.

Patrick Wallek
Honored Contributor

Re: How to trace script running by root

>> For the moment users can modify this script
>> and could introduce a forbidden command.
>> It's impossible for me to avoid this.

Why is that? If you have given access via sudo, then permissions for the script should be set to -r-x------ (500) with root as the owner. I see no reason that users should be able to modify this script, unless there is something you're not telling us.

Anything you do in this script could potentially be changed by users, so the point is really moot.
Leo The Cat
Regular Advisor

Re: How to trace script running by root

Hi Patrick

;-) Of course it's possible to do this, but I can't because this script is altered by Oracle fix pack installation. My problem is that I can accept Oracle modification but I need to avoid all personal root commands hidden in the myscript.sh!

Regards
Den
Torsten.
Acclaimed Contributor

Re: How to trace script running by root

Is it really necessary to be root in order to modify / run the script?

If it is, you are lost.
The user can easily prepare a modified shell, add another root user ... everything, because he is root. If you have no idea, you can't know what to look for.

Trust your users - that's it.

Hope this helps!
Regards
Torsten.

Eduard Constantinescu
Frequent Advisor

Re: How to trace script running by root

Hi,
just one suggestion:
- You can make a small script that checks if the script was modified in the last zxz minutes, and if yes then copy (I mean replace) the modified one with your original one - and of course, create yourself a log, to check it when you have time;
- create your own policy to use this script, and the rest is history, I think...

eddy
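
One way to combine the suggestions in this thread (a root-owned 500 copy, a comparison, a log), as an added example that is not from any poster here: sudo is pointed at a root-owned launcher that compares the editable script with an admin-reviewed copy, refuses and preserves the changed version on mismatch, and otherwise runs the reviewed copy. The function name, its arguments and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example: guarded launcher meant to be the sudo target instead of
# the user-writable script. All names and paths are hypothetical.
#
# guarded_run LIVE APPROVED LOGFILE KEEPDIR [args...]
#   LIVE     - script users can edit (e.g. /su22/script/myscript.sh)
#   APPROVED - root-owned, mode 500 copy that an admin has reviewed
#   LOGFILE  - root-owned log of every run and every refusal
#   KEEPDIR  - root-owned directory where changed versions are preserved
guarded_run() {
    live=$1 approved=$2 logfile=$3 keepdir=$4
    shift 4
    stamp=$(date '+%Y%m%d%H%M%S')

    if [ ! -f "$approved" ]; then
        echo "$stamp REFUSED no approved copy for $live" >>"$logfile"
        return 2
    fi

    if ! cmp -s "$live" "$approved"; then
        # Keep the changed version so a later rollback cannot hide it.
        kept="$keepdir/$(basename "$live").$stamp.$$"
        cp "$live" "$kept" 2>/dev/null
        echo "$stamp REFUSED $live differs from approved copy, saved as $kept" >>"$logfile"
        return 1
    fi

    echo "$stamp RUN $approved $*" >>"$logfile"
    # Execute the approved copy, not the writable file, so a swap made
    # after the comparison cannot change what runs as root.
    /bin/sh "$approved" "$@"
}
```

After a vendor fix pack changes the script, an admin reviews the preserved version and promotes it to the approved copy. The guard covers only the script file itself, so anything the approved script calls must also be non-writable by the users.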