[olug] Sharing root priv, tracking what other root does

Thomas D. Harrison id4spam at cox.net
Sun Dec 14 23:14:15 UTC 2003


I've inserted the following into root's .profile on an HP-UX system. 
I'm not sure whether it'll work with Linux.  I'm sure there are cleaner 
ways to implement the CLIENT= statement, but hey, it works.

    # `who -mR` is HP-UX; GNU who prints the remote host with plain `who -m`.
    CLIENT=`who -mR | tail -n1 | cut -f2 -d"(" | cut -f1 -d")" \
            | sed 's/\.xyz\.com$//'`     # cut -d takes a single character, so strip the domain with sed
    STAMP=`date +%y%m%d.%I%M%S`          # %I is a 12-hour clock; use %H (or add %p) for unambiguous names
    export HISTFILE=/.root.hist/$STAMP.$CLIENT # enables command recall

You'll need to create a directory only accessible by root (in this case
I have /.root.hist).
The xyz.com is our domain name.  It has been changed to protect the 
innocent.

Basically it simply creates a history file in the .root.hist directory 
named after the client's hostname and the date/time stamp.  It then 
defines this file as the history file.

ls /.root.hist yields:

-rw-------   1 root  sys   54 Dec 10 15:08 031210.022726.thomh
-rw-------   1 root  sys   62 Dec 10 16:27 031210.095754.joep
-rw-------   1 root  sys  424 Dec 10 15:52 031210.124119.scottj
-rw-------   1 root  sys   72 Dec 12 10:04 031212.085923.thomh

thomh, joep, etc... are hostnames defined for key users in the hosts file.





Steve Busby wrote:
> On Wednesday 10 December 2003 09:07 pm, netsaint at cox.net wrote:
> 
>>I'm looking for a way to track what another root user does on a sensitive
>>Linux server that I have had exclusive control of.  Recently, I was
>>strong-armed into giving root access to another. Prior to sharing control I
>>made it very clear, "you break it and I kill you"!  When this new root user
>>breaks it, and he/she/it will, I should be able to recover nicely using
>>AMANDA. Perhaps my emphatic statement was enough, to date, he/she/it has
>>not attempted to login as root.  ;-) Any of you admins have experience in
>>anything?  If so, how did you remedy it?
>>
>>_______________________________________________
>>OLUG mailing list
>>OLUG at olug.org
>>http://lists.olug.org/mailman/listinfo/olug
> 
> 
> Simply have syslog log everything to another "syslog" server which you 
> control.
> 
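Added example, not from Thomas's post or anyone else in the OLUG thread: a Linux/bash version of the per-session root history from the .profile snippet above, with the client-name extraction split into a function so it can be checked against sample `who -m` lines without logging in. /.root.hist and xyz.com are the placeholders the post uses; the function names, the sample `who` lines and the character sanitising are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: a Linux version of the per-session
# root history described above.  /.root.hist and xyz.com are the placeholders
# used in the post; everything else here (function names, the sample `who`
# lines) is an assumption made for this example.

HIST_DIR=/.root.hist   # create with: mkdir -m 0700 /.root.hist (root-only)
DOMAIN=xyz.com         # suffix stripped from the client name, as in the post

# client_from_who: read one line of `who -m` output on stdin and print the
# short name of the remote host.  GNU who prints the host in a trailing
# parenthesised field, e.g.
#   root     pts/1        2003-12-14 17:12 (thomh.xyz.com)
# A console login has no such field; it is reported as "console".
# Runs in a subshell so the temporaries stay out of the login shell.
client_from_who() (
    IFS= read -r who_line || :
    case $who_line in
        *\(*\)*)
            host=${who_line##*\(}        # keep the text after the last "("
            host=${host%%\)*}            # drop ")" and anything after it
            host=${host%".$DOMAIN"}      # thomh.xyz.com -> thomh; 10.1.2.3 is kept whole
            ;;
        *)  host=console ;;
    esac
    # The hostname comes from DNS or the peer, so allow only [A-Za-z0-9_.-]
    # in a file name and replace every other byte with "_".
    host=$(printf '%s' "$host" | tr -c 'A-Za-z0-9_.-' '[_*]')
    printf '%s\n' "${host:-console}"
)

# history_path_for WHO_LINE STAMP: the file a session with that `who -m` line
# and that timestamp would write to.  Split out so it can be checked offline.
history_path_for() {
    printf '%s/%s.%s\n' "$HIST_DIR" "$2" "$(printf '%s\n' "$1" | client_from_who)"
}

# setup_root_history: source from root's .bash_profile (bash only: shopt and
# PROMPT_COMMAND).  Differences from the HP-UX snippet: 24-hour %H instead
# of %I, a timestamp recorded per command, the file flushed after every
# command instead of at logout, and HISTFILE made readonly so a plain
# "unset HISTFILE" in this shell is refused.
setup_root_history() {
    HISTFILE=$(history_path_for "$(who -m)" "$(date +%y%m%d.%H%M%S)")
    HISTTIMEFORMAT='%F %T '
    HISTSIZE=100000
    HISTFILESIZE=100000
    shopt -s histappend
    PROMPT_COMMAND='history -a'
    export HISTFILE HISTTIMEFORMAT
    readonly HISTFILE HISTTIMEFORMAT HISTSIZE HISTFILESIZE PROMPT_COMMAND
}

# Only arm the hooks in an interactive shell; running this file
# non-interactively just defines the functions.
case $- in
    *i*) setup_root_history ;;
esac
```

The other root controls the shell that writes this file: a different login shell, `kill -9 $$`, `set +o history` or `exec bash --norc` all leave nothing behind, and `readonly` only stops a casual `unset HISTFILE` in the same shell. Treat the history directory as a convenience record of what a cooperative colleague did; for a record that survives a hostile root, Steve's suggestion of shipping syslog to a host you control is the layer to rely on, because it does not depend on the user's shell.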


