Tuesday, November 13, 2007

Keeping separate history files for users who su to root

THIS IS NOT INTENDED TO BE USED AS A SECURITY SOLUTION.
If you're like me and work for a company that has many Linux admins all logging into servers and then su'ing to root, you may find this tip beneficial. It is simply three lines added to root's .bash_profile that keep a separate history file for each admin who su's to root, recording the commands they ran. It lets you go back and see what a given user did as root. Granted, the user could delete the history file, but the goal here is only to keep separate history files and to review them when necessary. You may need to implement a policy or have an agreement with the admins stating that no one will delete the history files.

So if you're ready to try this out, fire up vi and add the lines below to root's .bash_profile.

# keep up to 3000 commands in memory and 5000 lines in the history file
export HISTSIZE=3000
export HISTFILESIZE=5000
# name the history file after the login name of the user who su'd to root
# ("who am i" reads the tty's utmp entry, so it still reports the original user after su)
export HISTFILE=/root/.bash_hist-$(who am i | awk '{print $1}';exit)

Save the file and you're good to go. Now when an admin logs in, su's to root and logs out, a hidden file called .bash_hist-userid will be created in root's home directory (/root).

Here's an example:

If user jsmith logs in and then su's to root, you will see a file called .bash_hist-jsmith in root's home directory after the user logs out. Hope this helps :)
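As an added example (not code from the original post or from Steve V.), here is the same idea written as shell functions so it can be tested with constructed input. It also covers the failure mode the one-liner leaves open: in a session with no controlling tty (a cron job or "ssh host command"), "who am i" and "who -m" print nothing, so HISTFILE silently becomes /root/.bash_hist- with no suffix. The function names (hist_owner_from_who, hist_file_for) and the SAMPLE_* variables are this example's own, and the optional second argument for a subdirectory is an assumption, not something the post requires.

```shell
#!/bin/sh
# Added example, not the original post's code. Derives a per-admin history file
# name from one line of `who -m` output, with a fallback when there is no tty.

# Print the login name from a `who -m` line, for example
#   "jsmith   pts/2        2007-11-13 09:12 (10.0.0.5)"  ->  jsmith
# An empty line (no tty) yields the literal "unknown" so the path stays valid.
# Only characters that are safe in a file name are kept.
hist_owner_from_who() {
    owner=$(printf '%s\n' "$1" | awk 'NR==1 {print $1}')
    if [ -z "$owner" ]; then
        echo unknown
        return 0
    fi
    printf '%s\n' "$owner" | tr -cd 'A-Za-z0-9._-'
    echo
}

# Build the full HISTFILE path. The second argument is the directory and
# defaults to /root as in the post; pass a subdirectory (created beforehand)
# if you want the per-admin files kept out of root's home directory.
hist_file_for() {
    dir=${2:-/root}
    printf '%s/.bash_hist-%s\n' "$dir" "$(hist_owner_from_who "$1")"
}

# Constructed sample inputs (not real session data)
SAMPLE_TTY_LINE='jsmith   pts/2        2007-11-13 09:12 (10.0.0.5)'
SAMPLE_NO_TTY=''

# Demonstration: the post's case, the no-tty case, and this very session.
hist_file_for "$SAMPLE_TTY_LINE"
hist_file_for "$SAMPLE_NO_TTY"
hist_file_for "$(who -m 2>/dev/null)"

# In root's .bash_profile the equivalent of the post's third line is:
#   export HISTFILE="$(hist_file_for "$(who -m)")"
```

Because the owner is taken from the first whitespace-separated field of a single "who -m" line, the multi-user concern raised in the comments does not arise: "who -m" only ever reports the tty the shell is attached to, not every logged-in user.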

This tip is courtesy of my senior admin Steve V.

Have fun!

44 comments:

Anonymous said...

The syntax up there looks incorrect, e.g. there is at least one typo between the "who am i" and the "awk" command; also: shouldn't there be a pipe "|" between them?

moonpup said...

You are correct! Guess my cut and paste went awry. Thanks for letting me know, it has been corrected.

Anonymous said...

I think this method is useless:

1) what if people use "su -" to obtain a root shell? Then "whoami" will report root instead of the userid that people were using before su.

2) sudo is far better than su and especially in this case (i.e., several admins for the same machine). You can disable su by putting an invalid root password, but still grant sudo accesses to those admins.

moonpup said...

Actually, it will create a history file of the userid who su'd to root. That is the purpose of this shell code. Read it again, or for that matter just try it. It works exactly as I have stated.

As for sudo, this script does not pertain to that command. This code simply creates a separate history file for the user who su'd to root with their user id. No more, no less.

Mike said...

In regards to the anonymous post above claiming uselessness, re-read the post. It uses the "who" command, not "whoami"

I would maybe re-write the script to read "who -m" rather than "who am i" to just make sure people don't get mixed up.

dhani said...

This is very useful "tuning/tweak".

thank you... :)

jose said...

But I think you can have problems if you have several users working at the same time, because awk is showing you the first column, so if you have, robert, jose, and philip, the standard out of awk '{print $1}' is robert\njose\nphilip.

Perhaps I'm not right, but I think it...

Anonymous said...

Nice... this is going in my root's .bashrc - thanks.

BTW, you could drop the redundant "exit" - or am I missing something?

Seth said...

What a great way to use "who am i". One question - why is the "exit" necessary? I understand that it's causing the subshell to finish, but won't it anyways?

moonpup said...

Hi Jose,

To address your question, this will not happen. This script will pull the effective uid of the user from the tty they came in on.

Now if a user shared his id and password with someone else and they both logged in at the same time and su'd to root at the same time, then I think something would either blow up or get overwritten. In the big scheme of things this should not happen.

moonpup said...

To Anonymous and Seth,

First, this code goes in the .bash_profile and NOT .bashrc

Second, the exit command is a hold over from the unix days where the script would sometimes hang. It is most likely not needed here, but I haven't tested without it as it works as required :)

GnuTzu said...

Great for when multiple people are working as root; you don't have to look at someone else's commands when browsing through history. This tends to happen during critical events where you need to be able to concentrate on what you're doing. Anyway, this is also supposed to work for ksh (typically used on AIX and Solaris, though .profile is then the correct place for the settings). Great post, thanks.

frankb said...

Hi again moonpup,

I mentioned .bashrc instead of .bash_profile to avoid the default ~/.bash_history being selected as HISTFILE if the rootly user spawns another X terminal.

By choosing .bashrc it gives each user the same HISTFILE whether called at login (when .bash_profile & .bashrc both run) or each time they open a shell (when .bashrc runs, but .bash_profile does not).

One minor change I made is to aggregate HISTFILEs in a separate directory, which keeps down clutter if there are many admins:

export HISTFILE=/root/.bash_hist.d/.bash_hist-$(who -m | awk '{print $1}')

Just remember to also 'mkdir /root/.bash_hist.d' first.

PS - Sorry for the previous AC post, laziness isn't *always* a virtue :)

-Frank.

moonpup said...

Hi Frankb,

Thanks for the tip, those are some nice tweaks. Hope I can post some more which you might find helpful.

sysadmn said...

Another way to create a unique histfile is to use the tty. You can then lookup that tty in utmp to see which admin used that file.

HISTFILE=~/.hist$(tty | tr '/' '_')

Anonymous said...

This could be useful on a machine I support where the primary user also has the root password. I would like to monitor what he does as root. The problem is, he uses csh, or tcsh. If he su's to root, and then switches to csh, would this work?
