Operating System - HP-UX

Re: SOX and Shell History

 
Eric Buckner
Regular Advisor

SOX and Shell History

Hi all!

Our Security team is wanting us to track our shell history files daily for Sarbanes-Oxley compliance.

We long ago separated our root history files utilizing 'logname' and building HISTFILE based on that. So we know who is doing what since you can't get to root except by sudo or the console.

Our problem is that we can't figure out a good way to just pull out today's commands from the history file. Well the easy way is to start a new one each day.... But then we don't have access to our history from the previous day.

So I thought I would just write an entry to the history file that would actually be a NO-OP command that would signify login and logout.

Well I am getting it into the file easy enough using tee. But I am missing something in the format of the file that is really horking up the first command after relogin.

Any ideas? Any better ways of doing this?

Thanks!
Eric
Time is not a test of the truth.
Geoff Wild
Honored Contributor

Re: SOX and Shell History

Can you post your .profile?

I tried print -s - but it somehow wiped out entries:

# Set up logging
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
export HISTFILE
# print -s makes a mess
#print -s $(date) >>$HISTFILE
date >>$HISTFILE
HISTSIZE=500
export HISTSIZE

The only way I see you doing this is to make a copy daily, then parse out the info you need in a separate file...


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Eric Buckner
Regular Advisor

Re: SOX and Shell History

Actually this is pretty straightforward. I am not attempting to log the logins, just the logouts.

This is the section that does our history file stuff:

###
###
export WHOROOT=`/usr/bin/logname`
if [ -z "$WHOROOT" ]; then
    WHOROOT=`echo $(who -Rm) | awk '{print $1}'`
fi
if [ "$WHOROOT" = "root" -a "`tty`" != "/dev/console" ]; then
    echo "\n\nYOU ARE LOGGED IN AS ROOT!!!"
    echo "PLEASE LOG IN AS YOURSELF AND "
    echo "ISSUE THE SUROOT COMMAND!!!\n\n"
    ISROOT=1
else
    ISROOT=0
fi

export PS1="
`echo "["'$PWD'"]"`
$LOGNAME on `uname -n` -# "

typeset -l ANSWER=""
while [ -z "$ANSWER" ]; do
    if [ "$WHOROOT" != "root" ]; then
        ANSWER=$WHOROOT
    else
        echo "Who are you? \c"
        read ANSWER
    fi
    case $ANSWER in
        eric|ebuckner)
            export HISTFILE=~/.sh_history.eric
            continue;;
        phil|pgifford)
            export HISTFILE=~/.sh_history.phil
            continue;;
        *)
            export HISTFILE=~/.sh_history.$ANSWER
            continue;;
    esac
done

trap $HOME/.logout 0

###
###


The reason for multiple answers in the case, is so we can identify ourselves when logging in as root on the console so we have access to our own histories.


Now I know the history file has nulls in it but can't determine what else it has in it that is being used as line control, so I am experimenting w/ this format.

This is the .logout script:
echo "\0000logout at `date`\n\0000" | tee -a $HISTFILE

We have a script called logout that does absolutely nothing.

Time is not a test of the truth.
Eric Buckner
Regular Advisor

Re: SOX and Shell History

Geoff,
Hey man, you actually have it. You just don't want to redirect print -s.

I just changed my .logout to:

print -s "logout at `date`"

and it is doing exactly what I want.

Repost so I can give you some more points.

Time is not a test of the truth.
Sanjay_6
Honored Contributor

Re: SOX and Shell History

Hi Eric,

Run a cron job to append to the .sh_history file:

01 00 * * * echo `date` >>/.sh_history

Hope this helps.

Regds
Geoff Wild
Honored Contributor
Solution

Re: SOX and Shell History

Make sure you test the print -s

I found I lost a bunch of my history....

But you are not redirecting - how are you doing it?

This is what I determined:

date >>$HISTFILE

Which causes the first command to be appended to the date in the .sh_history file.

I figured out a way to get the date on its own line:

print -s $(date) >>$HISTFILE

The -s option causes the arguments to be written onto the history file instead of standard output.


Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Eric Buckner
Regular Advisor

Re: SOX and Shell History

Geoff,
You don't need to redirect. As you said the print -s handles putting it in the log file nicely.

I am doing this in my .profile:
print -s "LOGIN - `date '+%E%m%d'`"

and my .logout
print -s "LOGOUT - `date '+%E%m%d'`"

I then created 2 scripts called LOGIN and LOGOUT that only have an exit in them to protect me from accidentally attempting to execute them.


Sanjay,
While the redirection of date isn't a good idea, I can see using the cron entry to mark the beginning and end of day using a print -s rather than having multiple entries every time someone logs in.
Time is not a test of the truth.
Geoff Wild
Honored Contributor

Re: SOX and Shell History

Eric,

Nice work...

Now, I'm trying to run this from root's cron at midnight:

#!/bin/sh
#
# script to add a date stamp to the /.sh_history_$USER
# for those su'ed to root
# Only run from cron once a day
# gwild 2004-10-15
# set -x


# find parent process of all users signed in as root
for i in `ps -ef |grep "\-sh"|awk '{print $3}'`
do
    # just grab the user name
    USER=`ps -ef |grep $i |grep -v root|awk '{print $1}'`
    # point to their .sh_history file
    typeset -x HISTFILE=${HOME}/.sh_history_$USER
    # time stamp it
    print -s "`/usr/bin/date` $USER still logged in as root..."
    unset HISTFILE
done


Unfortunately, the print -s outputs to the first user in the list only - for all users...


tail /.sh_history_gwild

Mon Oct 18 08:55:00 MDT 2004 gwild still logged in as root...
Mon Oct 18 08:55:00 MDT 2004 user2 still logged in as root...
Mon Oct 18 08:55:01 MDT 2004 user3 still logged in as root...
ls -altr
tail .sh_history_gwild

Output with set -x:

+ ps -ef
+ grep \-sh
+ awk {print $3}
+ + ps -ef
+ grep 8983
+ grep -v root
+ awk {print $1}
USER=gwild
+ typeset -x HISTFILE=//.sh_history_gwild
+ /usr/bin/date
+ print -s Mon Oct 18 08:53:16 MDT 2004 gwild still logged in as root...
+ unset HISTFILE
+ + ps -ef
+ grep 737
+ grep -v root
+ awk {print $1}
USER=user2
+ typeset -x HISTFILE=//.sh_history_user2
+ /usr/bin/date
+ print -s Mon Oct 18 08:53:16 MDT 2004 user2 still logged in as root...
+ unset HISTFILE
+ + ps -ef
+ grep 12746
+ grep -v root
+ awk {print $1}
USER=user3
+ typeset -x HISTFILE=//.sh_history_user3
+ /usr/bin/date
+ print -s Mon Oct 18 08:53:16 MDT 2004 user3 still logged in as root...
+ unset HISTFILE


Any ideas?

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Eric Buckner
Regular Advisor

Re: SOX and Shell History

Geoff,
Yeah I had the same problem. I gave up on it and put in an AT job for what I needed. I figured I will come back to it later.

It seems like it is binding the HISTFILE the first time around and even though you unset it, it still has a lock on the inode and doesn't release it.

One option would be to put the part that sets the HISTFILE and does the print -s in a subshell. That would possibly allow it to release the inode.
Time is not a test of the truth.
Eric Buckner
Regular Advisor

Re: SOX and Shell History

Geoff,
I got this working. Unfortunately I can't think of a cleaner way to do it than 2 separate scripts so here they are:

script1.sh:
#!/usr/bin/sh

ADMINS="you me"

for NAME in $ADMINS; do
    HIST=/root/.sh_history.$NAME
    script2.sh $HIST
done
### End of script1.sh


script2.sh:
#!/usr/bin/sh

export HISTFILE=$1

print -s "### Test"

exit
### End of script2.sh


You can add what ya need in there for checking who is logged in and what not.
Time is not a test of the truth.
Geoff Wild
Honored Contributor

Re: SOX and Shell History

Eric, check out the solution in my thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=722093

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Eric Buckner
Regular Advisor

Re: SOX and Shell History

Geoff,
GREAT! I was getting there, and love the subshell thing in the function.

One thing I would suggest, because it bit me a few minutes ago while testing this: make sure you put some #'s at the beginning of your print -s, i.e. print -s "### `date`". That way if you do try to execute it, it is a comment and won't work.

Time is not a test of the truth.
Geoff Wild
Honored Contributor

Re: SOX and Shell History

Eric - good idea on the ###'s

I modified my script and also added to root's .profile:

# Set up logging
HISTFILE=${HOME}/.sh_history_`who am i|awk '{ print $1}'`
export HISTFILE
print -s "### login at `/usr/bin/date` ###"
#date >>$HISTFILE
HISTSIZE=500
export HISTSIZE

Rgds...Geoff


Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
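The thread settles on "### ... `date` ..." markers written with print -s but never shows the other half of the job, pulling one day's commands back out of a marked history file. The parser below is an added example, not code from the thread or from HP-UX; it assumes the ksh convention of NUL-terminated entries with a few control bytes in the header, and treats any entry beginning with ### that contains the default `date` output as a session marker. The sample history is constructed.

```python
"""Extract one day's commands from a ksh .sh_history carrying ### markers.

Assumptions (not from the thread): entries are NUL-terminated, the header
holds a couple of non-printable bytes, and every marker line starts with
### and embeds the default output of date(1).
"""
import re
from datetime import datetime

# Matches e.g. "### login at Mon Oct 18 08:55:00 MDT 2004 ###" and captures
# month, day and year; the weekday, time and zone name are skipped.
MARKER = re.compile(r"^###.*?\b[A-Z][a-z]{2} ([A-Z][a-z]{2}) +(\d{1,2}) "
                    r"\d{2}:\d{2}:\d{2} \S+ (\d{4})")


def marker_date(entry):
    """ISO date ('2004-10-18') of a marker entry, or None for a command."""
    m = MARKER.match(entry)
    if not m:
        return None
    return datetime.strptime(" ".join(m.groups()), "%b %d %Y").date().isoformat()


def history_entries(raw):
    """Split raw history bytes on NUL and drop ksh control bytes (ASCII only)."""
    entries = []
    for chunk in raw.split(b"\0"):
        text = chunk.decode("latin-1")
        text = "".join(c for c in text if c == "\n" or " " <= c < "\x7f").strip()
        if text:
            entries.append(text)
    return entries


def commands_on(raw, iso_day):
    """Commands run on iso_day, each attributed to the most recent ### marker."""
    current, found = None, []
    for entry in history_entries(raw):
        day = marker_date(entry)
        if day is not None:
            current = day          # a marker moves the clock, and is not a command
        elif current == iso_day:
            found.append(entry)
    return found


# Constructed sample: a root session that crosses midnight, stamped at login,
# by the midnight cron job, and at logout. \x81\x01 stands in for the header.
SAMPLE = (b"\x81\x01"
          b"### login at Mon Oct 18 08:55:00 MDT 2004 ###\n\0"
          b"ls -altr\n\0"
          b"vi /etc/passwd\n\0"
          b"### Tue Oct 19 00:00:01 MDT 2004 gwild still logged in as root... ###\n\0"
          b"tail /var/adm/syslog/syslog.log\n\0"
          b"### logout at Tue Oct 19 01:10:42 MDT 2004 ###\n\0")
```

Commands that follow a logout marker but precede the next login are attributed to the logout date, which is the same answer the daily cron stamp gives.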