how to log all the commands executed by root
- 08-11-2010 #1
Hi
I want to get a log of all the commands executed by the root user with the following details:
incoming IP
username (through which su was executed)
time and date
all the commands executed, as mentioned above.
Also, if a user has managed to log in as root, he should not be able to disable/delete the above info. Can this info be collected on some other physical server?
- 08-12-2010 #2
Are we talking about access only over SSH, or do you need to take access via keyboard into account, too?
Debian GNU/Linux -- You know you want it.
- 08-12-2010 #3
You should not give root rights to too many people. If they need to administer something, create relevant groups.
- 08-13-2010 #4
Hi,
Give SELinux and grsecurity a try; probably they have the solution for it. Whenever I don't find a solution, at worst I will write an LKM (Linux Kernel Module), but that's not a good idea...
Thanks,
Jai
- 08-20-2010 #5
Hi
We are talking about access over SSH.
- 08-20-2010 #6
Linux doesn't come with extensive auditing enabled out of the box. Sure, you could have Netfilter log it, but by default the remote IP address AFAIK is only listed in 'last' and /var/log/secure (SSH > PAM > syslog), as would be the username. Time and date are catered for by syslog. Wrt "all the commands executed": 0) psacct logs commands only and no details, 1) shell history is "weak evidence", 2) Rootsh logs timestamp, commands as well as output and can log to syslog, 3) Auditd logs in detail (see the se.* reporting tools), or else maybe 4) FUSE LoggedFS, as it logs in detail as well (see "auditd missing syscalls?" for an example). And that's what I meant (elsewhere) wrt the necessity of log correlation. Unless you run a SELinux "true" MLS policy or other DAC prevention, root can modify everything, so while you can still use remote syslog, with root being omnipotent the question becomes "will the logs actually arrive there, how do I notice and how do I respond if they don't?"...
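As an added example (not code from any post in this thread), this script does the log correlation post #6 calls for using auditd's own records: the auid field survives su and so names the user who logged in, ses ties a root execve to the sshd USER_LOGIN record that carries the source address, and the serial joins SYSCALL to EXECVE for the argv. It assumes an audit rule tagging root execve calls with the key "rootcmd" (the key name and the sample records are this example's constructions).

```python
"""Added example (not from the thread): correlate auditd records into "who ran
what as root, from where, when".  Assumes a rule tagging root execve calls, e.g.
-a always,exit -F arch=b64 -S execve -F euid=0 -k rootcmd (key name assumed).
auid survives su and names the login user; ses links to the sshd USER_LOGIN."""
import re
from datetime import datetime, timezone

# Constructed sample in auditd's native format: an SSH login as uid 1000
# (session 4), one command run as root after su, and one cron-started job.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1282275590.001:450): pid=2311 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1282275612.417:456): arch=c000003e syscall=59 success=yes exit=0 ppid=2390 pid=2401 auid=1000 uid=0 gid=0 euid=0 ses=4 comm="vi" exe="/usr/bin/vi" key="rootcmd"
type=EXECVE msg=audit(1282275612.417:456): argc=2 a0="vi" a1="/etc/ssh/sshd_config"
type=SYSCALL msg=audit(1282275613.000:457): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2500 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="rootcmd"
"""
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
UNSET = "4294967295"  # auid/ses of processes with no login session behind them

def parse_record(line):
    """Split one audit line into a dict; USER_LOGIN nests fields in msg='...'."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    inner = fields.get("msg", "")
    if inner.startswith("'"):
        fields.update((k, v.strip('"')) for k, v in FIELD.findall(inner.strip("'")))
    return {"type": rtype, "ts": float(ts), "serial": serial, **fields}

def correlate(log_text, key="rootcmd"):
    """Return (time, login uid, source address, argv) per tagged root execve."""
    logins, syscalls, argv = {}, {}, {}
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        if rec["type"] == "USER_LOGIN" and rec.get("res") == "success":
            logins[rec["ses"]] = rec.get("addr", "unknown")
        elif rec["type"] == "SYSCALL" and rec.get("key") == key:
            syscalls[rec["serial"]] = rec  # joined to its EXECVE record by serial
        elif rec["type"] == "EXECVE":
            argv[rec["serial"]] = [rec.get(f"a{i}", "") for i in range(int(rec["argc"]))]
    events = []
    for serial, rec in syscalls.items():
        if rec["auid"] == UNSET:
            continue  # daemon or cron activity: no human login to attribute it to
        when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat()
        events.append((when, rec["auid"], logins.get(rec["ses"], "unknown"),
                       argv.get(serial, [rec["exe"]])))
    return events
```

Run it against audit.log copies that have already left the box (remote syslog or a shipped file), since, as the post says, a root on the source host can rewrite anything local.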