List: linux-390
Subject: Re: Logging of activities for userid in su mode to root ...?
From: Richard Troth <vmcowboy () gmail ! com>
Date: 2009-06-30 17:33:06
Message-ID: e0b4b5c90906301033r518a58cbm552265ed9e9d0c60 () mail ! gmail ! com
In at least one shop where I have worked, we tracked keystrokes within
the 'su' subshell. There is painfully much traffic in that model.
More recently, in my current job, we take advantage of the shell
history, which you noted. What we do is set a different BASH history
file for each 'su' user. Say I am "rick" and I 'sudo su -' to get a
root shell. My commands are then logged in
/root/.histfiles/rick.history or some such. One can determine the
user behind the 'su' from a 'who am i' in the root shell. The pseudo
terminal is normally still owned by the original user. So we're
getting less detail than the byte-at-a-time thing, but it's a LOT
easier to implement and MUCH less expensive to run.
-- R; <><
On Tue, Jun 30, 2009 at 11:11, Marco Bosisio <marco_bosisio@it.ibm.com> wrote:
> Hello,
> we are searching for how to log into a system log the commands executed
> from a userid in " su - " mode to root.
>
> A good record log format is like that obtained using sudo (with log
> enabled) :
>
> Jun 30 14:22:16 : it32673 : TTY=pts/1 ; PWD=/home/it32673 ; USER=root ;
> COMMAND=/bin/df -h
>
> ...where "it32673" is the user that has launched the COMMAND=.
>
>
> Do you know if there are specific rules of PAM (etc/pam.d/su ?) to do it
> (i.e. adding a specific call, increasing the debug..) or by setting a
> system parameter ?
>
> The system already logs in /root/.bash_history all the executed cmds
> (the same is done for each userid..) and we can set some variable of the
> history function as for example to write a timestamp. Perhaps it must be
> still developed, but do you think that it could be possible to rotate
> this information to the "system log", at least for users with UID
> 0-99 also working in "su " mode ?
>
>
> os: Linux SLES9 - SLES10
>
> Cordiali saluti / Best regards
>
> Marco Bosisio
>
>
>
> IBM Italia S.p.A.
> Registered office: Circonvallazione Idroscalo - 20090 Segrate (MI)
> Share capital: euro 400.001.359
> Tax code and Milan Companies Register no. 01442240030 - VAT no. 10914660153
> Company subject to the direction and coordination of
> International Business Machines Corporation
>
> (Salvo che sia diversamente indicato sopra / Unless stated otherwise
> above)
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to LISTSERV@VM.MARIST.EDU with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
>
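The per-user history file described in the reply above, as an added example that is not code from the original post: a fragment for root's bash startup file that derives HISTFILE from the `who am i` output. The function names, the `~/.bash_profile` placement and the "unknown" fallback are assumptions; the sample `who am i` lines in the comments are constructed.

```shell
# Added example (assumed placement: root's ~/.bash_profile).
# Picks a per-operator history file from the login name that still owns
# the terminal, as reported by 'who am i'.

HISTDIR_DEFAULT=/root/.histfiles   # directory named in the post

# Print the login name from one line of 'who am i' output,
# e.g. "rick  pts/1  2009-06-30 17:33" (constructed sample) -> rick.
# Empty output (no utmp entry) or a name with characters that do not
# belong in a file name falls back to "unknown" instead of being used
# to build a path.
origin_user() {
    name=${1%% *}
    case $name in
        ''|.*|*[!A-Za-z0-9_.-]*) echo unknown ;;
        *) echo "$name" ;;
    esac
}

# Print the history file path for a 'who am i' line.
# $2 optionally overrides the directory.
su_histfile() {
    echo "${2:-$HISTDIR_DEFAULT}/$(origin_user "$1").history"
}

# Point this shell's history at the per-user file.
setup_su_history() {
    dir=${1:-$HISTDIR_DEFAULT}
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    HISTFILE=$(su_histfile "$(who am i 2>/dev/null)" "$dir")
    HISTTIMEFORMAT='%F %T '            # timestamps; needs bash 3.0 or later
    shopt -s histappend 2>/dev/null || true
    export HISTFILE HISTTIMEFORMAT
}

# Only act in an interactive root shell.
if [ "$(id -u)" -eq 0 ] && [ -n "$PS1" ]; then
    setup_su_history
fi
```

History files written this way are controlled by the shell that writes them, so the root user can change or unset HISTFILE; they are a convenience record rather than a tamper-resistant audit trail.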