THIS IS NOT INTENDED TO BE USED AS A SECURITY SOLUTION.
If you're like me and work for a company that has many Linux admins all logging into servers and then su'ing to root, you may find this tip beneficial. It is simply 3 lines that you add to root's .bash_profile, which will keep a separate history file for each admin who su's to root, recording the commands they ran. It will allow you to go back and see what the user did as root. Granted, the user could delete the history file, but we are only interested in keeping separate history files and going back to review them if necessary. You may need to implement a policy or have an agreement with the admins which states that no one will delete the history files.
So if you're ready to try this out, fire up vi and add the lines below to root's .bash_profile:
export HISTSIZE=3000
export HISTFILESIZE=5000
export HISTFILE=/root/.bash_hist-$(who am i | awk '{print $1}';exit)
Save the file and you're good to go. Now when an admin logs in, su's to root and logs out, a hidden file called .bash_hist-userid will be created in root's home directory.
Here's an example:
If user jsmith logged in and then su'd to root, you would see a file called .bash_hist-jsmith in the root home directory after the user logs out. Hope this helps :)
This tip is courtesy of my senior admin Steve V.
Have fun!

18 comments:
The syntax up there looks incorrect, e.g. there is at least one typo between the "who am i" and the "awk" command; also: shouldn't there be a pipe "|" between them?
You are correct! Guess my cut and paste went awry. Thanks for letting me know, it has been corrected.
I think this method is useless:
1) what if people use "su -" to obtain a root shell? Then "whoami" will report root instead of the userid that people were using before su.
2) sudo is far better than su and especially in this case (i.e., several admins for the same machine). You can disable su by putting an invalid root password, but still grant sudo accesses to those admins.
Actually, it will create a history file of the userid who su'd to root. That is the purpose of this shell code. Read it again, or for that matter just try it. It works exactly as I have stated.
As for sudo, this script does not pertain to that command. This code simply creates a separate history file for the user who su'd to root with their user id. No more, no less.
In regards to the anonymous post above claiming uselessness, re-read the post. It uses the "who" command, not "whoami"
I would maybe re-write the script to read "who -m" rather than "who am i" just to make sure people don't get mixed up.
This is very useful "tuning/tweak".
thank you... :)
But I think you can have problems if you have several users working at the same time, because awk is showing you the first column, so if you have robert, jose, and philip, the standard out of awk '{print $1}' is robert\njose\nphilip.
Perhaps I'm not right, but I think it...
Nice... this is going in my root's .bashrc - thanks.
BTW, you could drop the redundant "exit" - or am I missing something?
What a great way to use "who am i". One question - why is the "exit" necessary? I understand that it's causing the subshell to finish, but won't it anyways?
Hi Jose,
To address your question, this will not happen. This script will pull the effective uid of the user from the tty they came in on.
Now if a user shared his id and password with someone else and they both logged in at the same time and su'd to root at the same time, then I think something would either blow up or get overwritten. In the big scheme of things this should not happen.
To Anonymous and Seth,
First, this code goes in the .bash_profile and NOT .bashrc
Second, the exit command is a hold over from the unix days where the script would sometimes hang. It is most likely not needed here, but I haven't tested without it as it works as required :)
Great for when multiple people are working as root; you don't have to look at someone else's commands when browsing through history. This tends to happen during critical events where you need to be able to concentrate on what you're doing. Anyway, this is also supposed to work for ksh (typically used on AIX and Solaris, though .profile is then the correct place for the settings). Great post, thanks.
Hi again moonpup,
I mentioned .bashrc instead of .bash_profile to avoid the default ~/.bash_history being selected as HISTFILE if the rootly user spawns another X terminal.
By choosing .bashrc it gives each user the same HISTFILE whether called at login (when .bash_profile & .bashrc both run) or each time they open a shell (when .bashrc runs, but .bash_profile does not).
One minor change I made is to aggregate HISTFILEs in a separate directory, which keeps down clutter if there are many admins:
export HISTFILE=/root/.bash_hist.d/.bash_hist-$(who -m | awk '{print $1}')
Just remember to also 'mkdir /root/.bash_hist.d' first.
PS - Sorry for the previous AC post, laziness isn't *always* a virtue :)
-Frank.
Hi Frankb,
Thanks for the tip, those are some nice tweaks. Hope I can post some more which you might find helpful.
nice post
Another way to create a unique histfile is to use the tty. You can then lookup that tty in utmp to see which admin used that file.
HISTFILE=~/.hist$(tty | tr '/' '_')
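As an added example (not code from the original post or from any of the commenters), here is a POSIX shell function that computes the per-admin history file the way the post does (first field of `who`'s output) while covering the points raised in the thread: it uses only the first line, so several logged-in admins cannot produce a multi-line name; it falls back to the tty-based name from the previous comment when `who` prints nothing for the session; it sanitises the name before it becomes part of a path; and it collects the files in one directory as Frank suggested. The variable HIST_DIR and the function name histfile_for_session are assumptions made for this example, and the sample `who -m` line is constructed.

```shell
#!/bin/sh
# Added example, not the original post's code: derive a per-admin HISTFILE
# from the output of `who -m` and `tty`, with the edge cases from the
# comments handled.

# Directory that collects the per-admin files (assumed variable; the default
# follows the /root/.bash_hist.d layout proposed in the comments).
hist_dir="${HIST_DIR:-/root/.bash_hist.d}"

# histfile_for_session WHO_LINE TTY
#   WHO_LINE : the text printed by `who -m` for this terminal (may be empty)
#   TTY      : the text printed by `tty`, e.g. /dev/pts/0
# Prints the history file path to use for this session.
histfile_for_session() {
    who_line=$1
    tty_name=$2

    # First field of the first line only: the login name recorded in utmp,
    # which survives "su -" (unlike whoami or $USER). NR == 1 guarantees a
    # single name even if several lines were ever passed in.
    name=$(printf '%s\n' "$who_line" | awk 'NR == 1 { print $1 }')

    if [ -z "$name" ]; then
        # No utmp record for this terminal: key the file on the tty instead,
        # turning the slashes into underscores so it stays one file name.
        name="tty-$(printf '%s' "${tty_name:-unknown}" | tr '/' '_')"
    fi

    # Keep only characters that are safe inside a file name.
    name=$(printf '%s' "$name" | tr -c 'A-Za-z0-9._-' '_')

    printf '%s/.bash_hist-%s\n' "$hist_dir" "$name"
}

# Constructed sample session, in the shape `who -m` and `tty` print it.
sample_who='jsmith   pts/0        Jan  1 10:00 (10.0.0.5)'
sample_tty='/dev/pts/0'
histfile_for_session "$sample_who" "$sample_tty"
# -> /root/.bash_hist.d/.bash_hist-jsmith
```

To use it from root's .bash_profile, define the function there (or source the file), run `mkdir -p "$hist_dir"` once, and then set `export HISTFILE=$(histfile_for_session "$(who -m)" "$(tty)")`. Both `who -m` and `who am i` report the login name tied to the current terminal, which is why the name is still the admin's after `su -`, and `who -m` avoids the "who am i" spelling confusion mentioned above.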
This could be useful on a machine I support where the primary user also has the root password. I would like to monitor what he does as root. The problem is, he uses csh, or tcsh. If he su's to root, and then switches to csh, would this work?
Thanks for very useful tips and instructions. I appreciate them.