Tracking Root commands

Hi All

How can I track what commands are entered by the root user? Is there a log, besides using the history command, that lists all commands entered for a period of time?

thanks :o

Not in a secure way by default. You might want to check out auditing. There is a Redbook about it. On the other hand, root can usually always manually manipulate anything. Though with AIX 6 you got RBAC where this could be limited maybe (I don't have it at hand).


Because root is unrestricted, it can be very dangerous if you enter a command on the wrong session. We have a number of us here with full system management role which would normally be assigned to the root user, but we have a tool called sudo installed. This allows you to create a file of permitted commands for non-root users, and there are other tools in the suite that allow you to start a shell if you absolutely have to but then monitor what you do.

Of course it is not foolproof, but someone would have to go out of their way to be malicious in the first place.

It is under here: Sudo Main Page

I would suggest a donation because it is free, but very good stuff. I am only a user and not connected to the group who write this. There is also a forum that I am subscribed to for help/support and suggestions.

I hope that this helps

Robin
Liverpool/Blackburn
UK

Redirect the history to a log file as below:

# history > command.log 

Check out AIX auditing.

Check out this link for enabling auditing. You can track all the details by specifying them in the audit conf file.
pSeries and AIX Information Center

Hope this helps you...


Sorry, please find the exact link:
Auditing overview

Here is a "poor man's solution" you might get going - I once tried it in a project but didn't succeed, maybe my own fault:

1) To log securely (that is: the systems administrator should have no possibility of altering the logs) you need a remote server, which the admin has no control over. You could write the logs there.

One of the drawbacks of the normal syslog is that either the output is files (locally) or network, but not both. You want the syslog-written logs to be accessible by the admins, just some should be non-alterable by them. This can be done by replacing syslog with "Syslog-NG", a freely available syslog-replacement.

2) There is a freeware tool "Snoopy logger", which intercepts (via a PRELOAD-library) the system calls exec() and execve() and documents them via a syslog-facility.

This is where I failed: I tried Snoopy 1.3.x, but while it was (with some small hack) working perfectly on Linux systems I didn't get it to work on AIX systems although I did get a clean compile. Since then Snoopy is out in a new version (1.6.x) and maybe does work on AIX systems too - I haven't checked since then.

Maybe someone with more programming experience on AIX than me is able to find out why it didn't work on AIX systems. The source is very small (1-2 screens full) so it should take only minutes to analyze it.

I hope this helps.

bakunin
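The mechanism bakunin describes (a preloaded library that intercepts execve() and writes each command to a syslog facility, which syslog-ng can then forward to a host the admin does not control) in a minimal form, as an added example that is not Snoopy's code or anything from the thread. It assumes Linux/glibc and LD_PRELOAD; the record layout and the program name "execlog" are my own choices.

```c
/* Build as a shared object and preload it into a shell:
 *   gcc -shared -fPIC -o execlog.so execlog.c
 *   LD_PRELOAD=./execlog.so /bin/bash
 * Every execve() from that shell then lands in the authpriv facility. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <sys/syscall.h>

/* Append src to the NUL-terminated buffer out (capacity outsz).
 * Returns 0 and leaves out untouched when src does not fit. */
static int append(char *out, size_t outsz, const char *src)
{
    size_t used = strlen(out);
    if (used + strlen(src) >= outsz)
        return 0;
    memcpy(out + used, src, strlen(src) + 1);
    return 1;
}

/* Build one audit record: "uid=N tty=T path=P cmd=argv0 argv1 ...".
 * Returns how many argv entries fit; fewer than the argv length means the
 * record was truncated, which is worth knowing when you review the logs. */
int format_exec_record(char *out, size_t outsz, unsigned uid, const char *tty,
                       const char *path, char *const argv[])
{
    int n = 0;
    snprintf(out, outsz, "uid=%u tty=%s path=%s cmd=", uid, tty ? tty : "none", path);
    for (int i = 0; argv && argv[i]; i++) {
        if (i && !append(out, outsz, " "))
            break;
        if (!append(out, outsz, argv[i]))
            break;
        n++;
    }
    return n;
}

/* Interposed execve(): log first, then hand off to the kernel. A general
 * interposer would resolve libc's execve with dlsym(RTLD_NEXT, "execve");
 * the direct syscall keeps this example free of extra link flags. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    char line[2048];
    const char *tty = ttyname(STDIN_FILENO);     /* NULL when not on a terminal */
    format_exec_record(line, sizeof line, (unsigned)getuid(), tty, path, argv);
    openlog("execlog", LOG_PID, LOG_AUTHPRIV);   /* facility syslog-ng forwards off-host */
    syslog(LOG_INFO, "%s", line);
    closelog();
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

This only records what is executed, not typed; a shell builtin never reaches execve(), and root can still unset LD_PRELOAD or run statically linked binaries, which is exactly why the post pairs it with a remote log server.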