Re: How one will come to know what commands he/she executed on the system after switching to root.
Narendra Uttekar
Message 1 of 3

How one will come to know what commands he/she executed on the system after switching to root.

Hi,

The history option is enabled in the user profile, but when we switch user to root (su - root), how will one come to know what commands he/she executed on the system? Please see below the history of commands for, e.g., user nuttekar. But as you can see, once (su - root) is executed, no further commands are recorded in history for that user.

ll -lrt
date
exit
cat .sh_history
su - root
testdr1:/home/nuttekar#

Let me explain: our requirement came from the auditors. We are a total of 5 system administrators managing all the HP-UX servers. Direct root login is disabled on the server. We log in with our individual Unix IDs and then use (su - root) for root access. We are capturing su logs for individual users who logged in as (su - root), as below:

***** list of switch user (su) on testdr1 ***** Date :  2013/03/24

SU 03/24 11:09 + 2 nuttekar-root
SU 03/24 11:41 + 3 nuttekar-root

But the auditors are asking whether it is possible to know, once an individual user has logged in as (su - root), what commands he/she executed on the system.

Or is there any other solution from which we can come to know the commands executed by that particular individual user once switching to root (su - root) on the system?

Thanks,

Narendra

Patrick Wallek
Message 2 of 3

Re: How one will come to know what commands he/she executed on the system after switching to root.

Once a regular user uses 'su - root' to become root, all commands run then get recorded in the command history for the root user.  The user is no longer running anything under their own user ID; everything is now running as root.

You might be able to do something with a custom HISTFILE based on the original user name.  For example, adding the following to root's .profile:

export HISTFILE=$(who am i | awk '{print $1}')-history

may generate a history file with the original user's name prepended.  I haven't tested this, so I'm not sure it will work.  The other thing is that there are NOT any time stamps in the command history.

You have to remember that the command history / command recall functions were designed as a convenience for the system administrator so that commands can be recalled easily.  These functions were NEVER designed to function as any sort of auditing facility.

If you need full command history, with time stamps, you might consider a commercial product like Power Broker.

You could have some of the logging capabilities by using sudo, BUT all users MUST then use sudo exclusively for the commands to get logged.  If you do something like 'sudo su - root' to become root, then you run into the same thing where commands run as root are NOT logged.
coollllllllllll
Message 3 of 3

Re: How one will come to know what commands he/she executed on the system after switching to root.

Hi,

We use the following in /etc/profile:

export LOGINNAME=`who am i | awk '{print $1}'`
export HISTFILE="/var/tmp/hist_`date +%y%m%d.%H%M%S`.${LOGINNAME}.$LOGNAME.$$"
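
An added example, not part of any reply in this thread: a shell function that checks each successful su to root in the su log against history files named by the /etc/profile scheme in the last reply, and reports sessions for which no history file exists. The sample history file name and its PID are constructed, and the same-or-next-minute matching window is an assumption.

```shell
#!/bin/sh
# Added example: reconcile successful su-to-root events with per-session
# history files named hist_<yymmdd>.<HHMMSS>.<login user>.<LOGNAME>.<pid>.
# Usage: reconcile YY SULOG NAMES
#   YY     two-digit year (sulog lines carry no year)
#   SULOG  file of su log lines in the format shown in the question
#   NAMES  file listing history file names or paths, one per line
reconcile() {
    awk -v yy="$1" '
    FILENAME == ARGV[1] {                 # first file: history file names
        f = $0; sub(/.*\//, "", f)        # drop any directory part
        n = split(f, p, ".")
        if (n == 5 && p[1] ~ /^hist_[0-9]+$/ && p[4] == "root") {
            k = substr(p[1], 6) " " p[3]  # key: "yymmdd user"
            i = ++cnt[k]
            at[k, i] = substr(p[2], 1, 2) * 60 + substr(p[2], 3, 2)
            name[k, i] = $0
        }
        next
    }
    $1 == "SU" && $4 == "+" && $6 ~ /-root$/ {   # successful su to root
        user = $6; sub(/-root$/, "", user)
        split($2, d, "/"); split($3, t, ":")
        k = yy d[1] d[2] " " user
        m = t[1] * 60 + t[2]; hit = ""
        # assumption: the profile runs right after su, same or next minute
        for (i = 1; i <= cnt[k]; i++)
            if (at[k, i] - m >= 0 && at[k, i] - m <= 1) hit = name[k, i]
        if (hit != "") print "MATCHED", $2, $3, user, hit
        else           print "MISSING", $2, $3, user
    }' "$3" "$2"
}

# Constructed sample data: the two su log lines from the question plus one
# invented history file name; not real system output.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'SU 03/24 11:09 + 2 nuttekar-root' \
                  'SU 03/24 11:41 + 3 nuttekar-root' > "$dir/sulog"
    printf '%s\n' '/var/tmp/hist_130324.110907.nuttekar.root.4711' > "$dir/names"
    reconcile 13 "$dir/sulog" "$dir/names"
    rm -rf "$dir"
}
```

Calling `demo` prints one MATCHED and one MISSING line; a MISSING line marks a root session with no history file to show an auditor. User names containing a dot do not fit the five-field file name and are skipped.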
