process history

peterchu
Super Advisor

process history

We have some EDP members who have the root password. I found a command that was run by the root user, and now I want to trace who (or which IP address) ran this command. Using "history" and /.sh_history I can find the command history, but it can't tell me who ran it. Could you suggest how I can find out who used the command previously? thx.
Robert-Jan Goossens
Honored Contributor
Solution

Re: process history

Hi,

If accounting is enabled you could use the lastcomm command.

Best regards,
Robert-Jan
Cem Tugrul
Esteemed Contributor

Re: process history

Hi,
As an addition to Paul's reply,
you can put these lines in root's .profile:

HistUser=`who am i | awk '{print $1}'`
export HISTFILE=$HOME/.hist_${HistUser}

This creates a file in / like:

.hist_username

so you can easily monitor who su's to root.

Good luck,
Our greatest duty in this life is to help others. And please, if you can't
Cem Tugrul
Esteemed Contributor

Re: process history

Oops,

Robert's reply...
Our greatest duty in this life is to help others. And please, if you can't
peterchu
Super Advisor

Re: process history

thx for the replies, I will set it up as suggested, but if I want to check history that has already been made (e.g. one week ago), is that possible? thx
Ravi_8
Honored Contributor

Re: process history

Hi

Unless the system is trusted, you can't.
never give up
Rolf Modin
Advisor

Re: process history

Cem's suggestion to modify the .profile for root was a very nice one. You get a separate history file for everyone who logs on as root, and in each one the command history for that person!

But I suppose there is no way to protect the files so that a root user who is ashamed of his doings cannot hide what he has done?

Hm.. maybe logging the same information as in the .history_ files, to a remote log-server with logger commands?

Hm...?
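Putting Cem's per-user HISTFILE and Rolf's remote-logging idea together, here is an added example of a root .profile fragment (not code from the thread): it names the history file after the login user and, when the session ends, ships that session's new history lines to syslog via logger, so a later edit of the local .hist_ file does not touch the copy on the log server. It assumes POSIX sh/ksh, `who am i`, `tail -n +N` and `logger`, and a syslogd that forwards auth.info to a remote host.

```shell
#!/bin/sh
# Added example: per-login-user root history plus a syslog copy.
# Assumes `who am i`, `tail -n +N` and `logger` are available and that
# syslogd forwards facility auth to a remote log server.

# Login name behind the current tty, or "unknown" if it cannot be found.
hist_user() {
    u=$(who am i 2>/dev/null | awk '{print $1}')
    [ -n "$u" ] || u=unknown
    printf '%s\n' "$u"
}

# Per-user history path: hist_file <home> <user> -> <home>/.hist_<user>
# (a trailing slash on <home> is dropped, so "/" gives "/.hist_<user>").
hist_file() {
    printf '%s/.hist_%s\n' "${1%/}" "$2"
}

# Lines of <file> after the first <count> lines, i.e. the ones added
# since the session started: new_lines <file> <count>
new_lines() {
    tail -n +"$(( $2 + 1 ))" "$1"
}

# Send this session's new history lines to syslog, tagged with the user:
# ship_history <file> <count_at_login> <user>
ship_history() {
    new_lines "$1" "$2" | logger -t "root-hist[$3]" -p auth.info
}

# --- wiring for root's .profile (interactive logins only) ----------------
case $- in
*i*)
    HistUser=$(hist_user)
    HISTFILE=$(hist_file "${HOME:-/}" "$HistUser")
    export HISTFILE
    touch "$HISTFILE"
    HistStart=$(wc -l < "$HISTFILE")   # history lines present before this session
    trap 'ship_history "$HISTFILE" "$HistStart" "$HistUser"' EXIT
    ;;
esac
```

Because only the lines added during the session are shipped, each logout produces one syslog record per command, already attributed to the login name rather than to "root".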
Peter Godron
Honored Contributor

Re: process history

Hi,
If you have multiple users logging into the root account directly and you have not had the log split or command audit on, there is no way you can say who issued a command.

We always force users to log on with their own id and then su to root. Direct root access is disabled, except from the console.
So we can trace who was logged on as root at any given time from the sulog.

Regards
Bill Hassell
Honored Contributor

Re: process history

Giving the root password to non-system administrators is a huge mistake. There is no log kept of commands by user's IP address. The only solution is to implement sudo and change the root password. Then no one logs in as root, and if a user has permission to run a particular command (as set in the sudo config file), it will be logged by user, date/time and the actual command. Several sysadmins actually go so far as to eliminate root logins by automatically changing the root password to a random string every 5 minutes: no one knows the root password, and all system administration is via sudo, with complete traceability and instant control (such as removing a particular user's sudo privileges).


Bill Hassell, sysadmin