  1. #1
    Just Joined!
    Join Date
    Apr 2007
    Posts
    23

    how to log all the commands executed by root


    Hi

    I want to get a log of all the commands executed by the root user with the following details:

    incoming IP
    username (through which su was executed)
    time and date
    all the commands executed, as mentioned above.

    Also, if a user has managed to log in as root, he should not be able to disable / delete the above info. Can this info be collected at some other physical server?

  2. #2
    Linux Engineer GNU-Fan
    Join Date
    Mar 2008
    Posts
    935
    Are we talking about access only over SSH, or do you need to take access via keyboard into account, too?
    Debian GNU/Linux -- You know you want it.

  3. #3
    Linux Engineer Segfault
    Join Date
    Jun 2008
    Location
    Acadiana
    Posts
    878
    You should not give root rights to too many people. If they need to administer something, create relevant groups.

  5. #4
    Just Joined!
    Join Date
    Feb 2010
    Posts
    8
    Hi,

    Give a try on SELinux and grsecurity; probably they have the solution for it. Whenever I don't find a solution, at worst case I will write an LKM (Linux Kernel Module), but that's not a good idea...

    Thanks,
    Jai

  6. #5
    Just Joined!
    Join Date
    Apr 2007
    Posts
    23
    Hi

    We are talking about access over ssh.

  7. #6
    Just Joined!
    Join Date
    Aug 2009
    Posts
    83
    Quote Originally Posted by me_spearhead
    Hi

    I want to get a log of all the commands executed by the root user with the following details:

    incoming IP
    username (through which su was executed)
    time and date
    all the commands executed, as mentioned above.

    Also, if a user has managed to log in as root, he should not be able to disable / delete the above info. Can this info be collected at some other physical server?
    Linux doesn't come with extensive auditing enabled out-of-the-box. Sure, you could have Netfilter log it, but by default the remote IP address AFAIK is only listed in 'last' and /var/log/secure (SSH > PAM > syslog), as would be the username. Time and date are catered for by syslog. Wrt "all the commands executed": 0) psacct logs commands only and no details, 1) shell history is "weak evidence", 2) Rootsh logs timestamp, commands as well as output, and can log to syslog, 3) Auditd logs in detail (see the se.* reporting tools), or else maybe 4) FUSE LoggedFS, as it logs in detail as well (see "auditd missing syscalls?" for an example). And that's what I meant (elsewhere) wrt the necessity of log correlation. Unless you run a SELinux "true" MLS policy or other DAC prevention, root can modify everything, so while you can still use remote syslog, with root being omnipotent the question becomes "will the logs actually arrive there, how do I notice, and how do I respond if they don't?"...

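As an added example (not from the thread or any of its posters), the log-correlation step the last reply describes, in Python over constructed auditd records: the kernel stamps every record with the login UID (auid), which survives su, and a session id (ses) that ties the execve back to the SSH login record carrying the peer address. The audit rule quoted in the comment and the sample lines are assumptions; check them against auditctl(8) and your own audit.log.

```python
import re
from datetime import datetime, timezone

# Constructed auditd records (not from the thread). A rule such as
#   -a always,exit -F arch=b64 -S execve -F euid=0 -k root-cmds   (assumed; see auditctl(8))
# yields SYSCALL+EXECVE pairs like these; USER_LOGIN is emitted by sshd through PAM.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1268000000.000:450): pid=2100 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1268000042.123:456): arch=c000003e syscall=59 success=yes exit=0 uid=0 euid=0 auid=1000 ses=3 tty=pts0 comm="cat" exe="/bin/cat" key="root-cmds"
type=EXECVE msg=audit(1268000042.123:456): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1268000050.500:457): arch=c000003e syscall=59 success=yes exit=0 uid=0 euid=0 auid=1000 ses=3 tty=pts0 comm="rm" exe="/bin/rm" key="root-cmds"
type=EXECVE msg=audit(1268000050.500:457): argc=3 a0="rm" a1="-f" a2="/var/log/secure"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
STAMP = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')  # epoch seconds and event serial

def parse_record(line):
    """Split one audit line into its fields plus epoch seconds and event serial."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    ts, serial = STAMP.search(line).groups()
    fields["_ts"], fields["_serial"] = int(ts), int(serial)
    return fields

def root_commands(log_text, key="root-cmds"):
    """One row per audited root command: time, login user, source IP, argv."""
    events, sessions = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] == "USER_LOGIN" and rec.get("res", "").startswith("success"):
            sessions[rec["ses"]] = rec.get("addr", "?")  # ses links later commands to this login
        events.setdefault(rec["_serial"], []).append(rec)
    rows = []
    for serial in sorted(events):
        by_type = {r["type"]: r for r in events[serial]}
        sc, ex = by_type.get("SYSCALL"), by_type.get("EXECVE")
        if not sc or not ex or sc.get("key") != key:
            continue
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        rows.append({
            "when": datetime.fromtimestamp(sc["_ts"], tz=timezone.utc).isoformat(),
            "login_uid": sc["auid"],   # set at login and kept across su: who really ran this
            "uid": sc["uid"],          # identity at exec time; 0 means it ran as root
            "src_ip": sessions.get(sc["ses"], "?"),
            "command": " ".join(argv),
        })
    return rows
```

The second constructed command deletes /var/log/secure, which is exactly why the reply insists on shipping records off-host: a local copy cannot be trusted once root has run.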