Can any one help me with a script, which runs in background and mails me all the commands entered by root on any terminal for every hour. We have multiple people having root access on the server and creating a mess,i just wanted to monitor all the activity of the root.
You won't be able to do it at the scripting level unfortunately unless you already have a mechanism in place to capture the commands and just want to automate the transfer of them.
In order to really get a handle on keeping watch over your admins with root access, you'll need to hook into something at a much lower level. Solaris has a set of tools called the BSM (Basic(?) Security Module I think) which will allow you to get right down to the individual system calls if you want. Other OS's will likely have similar options avialable to them too. Post your OS here and with a little luck someone will be able to identify what you'll need to look at to get this going.
Another option is to look at tools like tripwire and remote syslog servers - catch the end result of the commands rather than the commands themselves. Provided everything is logged realtime to a remote server that the users in question do not have access to, you can review what they've done. Just remember to have them sign something to promise they won't turn off the logging and immediatly terminate the employment of anyone that breaks this (you will see it disable even if you can't see what happens afterwards).
Yet another option (and my preference) is to cut back the access. Use sudo to grant specific sets of commands to specific groups of users. Use file permissions to grant read-only access to users that only need that. Use setuid menus to provide for the use of more complex programs while retaining logging of what is being done.
I am one of the two senior engineers responsible for over a hundred servers and I don't know the root password to any of my boxen. It's not actually that tough to set up a three-way model to keep your access control, audit, and admin work seperate. You can't prevent someone playing silly-buggers but you can certainly catch them 
The main problem is we have a application testing team and couple of guys have the root access and they think they are admins....unfortunately i am from the unix team who had to support the servers used by testing team. The funniest part is they don't want to use sudo, and i have to cleanup the mess created by them every time.
I thought it would be a great idea to capture the input from standard input,whenever anybody logs in as root.
Iam trying to convince them to loose direct root access and use sudo....but these buggers:D dont seem to agree with me.
You can set the default login shell as Bash.
This shell is having the tool known as History. 
Anyone logged with this shell if execute any command then that command will get stored and appended to /.bash_history file.
You can make a script which will mail you the contents of /.bash_history
at your will and you will have all commands executed by root with
you...... 
Hope this will help..... 
Ah, but what happens if you have two people logged in as root at the same time? It would be a bit tough to distinguish one session from another...
I suppose you could use 'script "/some/log/dir`who am i | awk '{ print $1 }'`-`date`"' ...
As for moving the users over to another access model, set up the 'new way' and show the users. You can reassure them that they will retain their su rights to root for now to give them a chance to evaluate the new method. Watch the sulog file and contact the person each time they use su to ask what they tried to do via sudo but couldn't. You can then fix whatever it was (or remind them that the access will be taken away and they should be finidng all the issues before it's too late).
Once you have all the problems cleared up, change the password to something only you know.
If you meet resistance, talk to your risk team and show them the very big risk involved in having more than one person able to do work as root without being able to trace who did what. Risk guys hate being unable to trace things back to a single person.
Hi.. Smiling Dragon You are right......
It would be a bit tough to distinguish one session from another when two people logged in as root at the same time....
So, for that I have a solution......
First make Sure that you have sufficient space in / then do following :
- Make a directory /record.
- Put following entries in /.bashrc file:
x=`tty | cut -c 6- |tr '[/]' '[.]'`
if [ ! -d /record ] ; then
mkdir -p /record
fi
if [ ! -f /record/$x ] ; then
touch /record/$x
fi
echo >> /record/$x
echo " *********************************** " >> /record/$x
echo >> /record/$x
script -a /record/$x
Now, when anyone will log in to the system each time you are going to get his commands recorded to /record/pts.# file along with time and date of login. Where "#" is the terminal number given by tty command.The commands will get appended to this file (not over written).
So, you will have to monitor these files in /record directory regularlly so as to limit their size and growth.
No doubt you will have to set default shell as Bash.
Hope this will help.....
Cheers.... ......
Hi Reboot,
for some reason when I use script (/usr/bin/script) in .bashrc, as soon as the user logs in the shell goes crazy (e.g. CPU 100%) and the output file - typescript in my case - becomes huge. Do you know why?
The command 'script' on a command line works just fine, it's the .bashrc that doesn't like it. I am using Debian Etch.
Could you show the entries (or commands) you are putting in /.bashrc file......
As an answer to the original problem try something like this in /etc/profile
RU=`who am i | cut -f 1 -d " "`
if [[ $RU = "root" ]]
then
HISTFILE=/someplace_safe/.ihist/.sh_hist_$RU_$$
HISTSIZE=1000
export HISTFILE HISTSIZE
else
HISTFILE=/$HOME/.sh_history
HISTSIZE=1000
export HISTFILE HISTSIZE
fi
This creates a history file for each root login, the mtime of the file gives you a clue as to which "root" login you are dealing with.
This is also a good Solution.........
Thanks jim mcnamara....
Hi, I am using the standard ~/.bashrc shipped with Debian, with some minor changes I made e.g. to umask, Mail, Histfilesize, Histsize and PS1 (which now shows the % of the battery):
The 'script' command I used was very simple, some kind of '/usr/bin/script -q ~/file.log'
^# ↩︎
Hi...
First see wether all perameters which you want to change through ~/.bashrc file, changes as per your requirement.In short wether all commands (Excluding '/usr/bin/script ) in ~/.bashrc file work fine......
If yes then just put the '/usr/bin/script -q ~/file.log' command at the very last line of your ~/.bashrc file and then see wether it works or not....
Do not put the '/usr/bin/script -q ~/file.log' command at begining or anywhere in between the ~/.bashrc file .
Hope it should work this time now.....
Cheers....
If you are on a Linux box, you could use Snoopy. Quoting from the Sourceforge webpage:
Same as before. I created a sample .bashrc containing the 'script -q ~/file.txt' line only.