Question:
I am managing a team of Linux System Administrators, which manages a large number of servers remotely. This admins require root level privileges on servers. Now how can I keep track of each user activity for audit purpose and to keep record of each command is executed on server. Recommend open source application on Linux.
There are couple of available tools/scripts on Linux to achieve this goal. But we have found Rootsh a simple solution to this hitch.
What is rootsh?
rootsh is a shell wrapper that logs all keystrokes of a terminal with output and save it into a file whcih is randmoly generated for each user. rootsh also supports logging into syslog but it is bad idea because syslog file can easily be removed by a root user.
We will create a separate folder for logs where we will apply group level privileges & apply append attribute to restrict the group members to write/read only to this folder so our files would be secured.
How to install rootsh?
cd /tmp/
wget http://sourceforge.net/projects/rootsh/files/rootsh/1.5.3/rootsh-1.5.3.tar.gz/download
tar -zxvf rootsh-1.5.3.tar.gz
Create logs directory :
mkdir -vp /secure/admins-logs
./configure --disable-syslog --disable-linenumbering --with-logdir=/secure/admins-
make && make install
Create a group for your admins so limited users can write to this folder.
groupadd admins
Creating a testadmin user and adding it to the group.
useradd testadmin
usermod -G testadmin admins
Applying appropriate permissions to logs folder & apply attributes.
chmod 770 /secure/admins-logs
chgrp admins /secure/admins-logs
chattr +a /secure/admins-logs
Edit /etc/shells – to allow our new loggable shell.
echo "/usr/local/bin/rootsh" >> /etc/shells
Enable logging for our user “testadmin”
vim /etc/passwd
search for a user testadmin and replace /bin/bash with /usr/local/bin/rootsh
Thats it! Now, try to login in with testadmin and you should see a log file created with username+timestamp e.g /secure/admins-logs/testadmin.3243423432.log
If you have any question, feel free to ask in comments.
3 replies on “How to track Linux Shell Users activity?”
I have follow the your article and I have face the following problem. Please guide me where are you mistake. Thanks in Advance
inlined from âbeginloggingâ at rootsh.c:682:
/usr/include/bits/fcntl2.h:51: error: call to â__open_missing_modeâ declared with attribute error: open with O_CREAT in second argument needs 3 arguments
rootsh.c: In function âmainâ:
rootsh.c:245: warning: âdashShellâ may be used uninitialized in this function
make[2]: *** [rootsh.o] Error 1
make[2]: Leaving directory `/tmp/rootsh-1.5.3/src’
make[1]: *** [all] Error 2
make[1]: Leaving directory `/tmp/rootsh-1.5.3/src’
make: *** [all-recursive] Error 1
Hello Ali
Can you provide me a whole output of this process at syed.alam [] hackersgarage.com
Hi Syed,
While installing the rootsh, i’m getting the following error.
After executing make, it is giving the following error.
Making all in src
make[1]: Entering directory `/home/user/rootsh-1.5.3/src’
make all-am
make[2]: Entering directory `/home/user/rootsh-1.5.3/src’
if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -Wall -Wstrict-prototypes -Wmissing-declarations -Wnested-externs -Wpointer-arith -pedantic -pedantic -Wstrict-prototypes -MT rootsh.o -MD -MP -MF “.deps/rootsh.Tpo” -c -o rootsh.o rootsh.c; \
then mv -f “.deps/rootsh.Tpo” “.deps/rootsh.Po”; else rm -f “.deps/rootsh.Tpo”; exit 1; fi
rootsh.c:183: warning: function declaration isn’t a prototype
rootsh.c:299:2: warning: C++ style comments are not allowed in ISO C90
rootsh.c:299:2: warning: (this will be reported only once per input file)
rootsh.c: In function ‘main’:
rootsh.c:345: warning: ISO C90 forbids mixed declarations and code
rootsh.c:542: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
rootsh.c: In function ‘beginlogging’:
rootsh.c:705: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
rootsh.c: In function ‘dologging’:
rootsh.c:748: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
rootsh.c: In function ‘endlogging’:
rootsh.c:837: warning: value computed is not used
rootsh.c:803: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result
In file included from /usr/include/fcntl.h:205,
from rootsh.c:60:
In function ‘open’,
inlined from ‘beginlogging’ at rootsh.c:682:
/usr/include/bits/fcntl2.h:51: error: call to ‘__open_missing_mode’ declared with attribute error: open with O_CREAT in second argument needs 3 arguments
rootsh.c: In function ‘main’:
rootsh.c:245: warning: ‘dashShell’ may be used uninitialized in this function
make[2]: *** [rootsh.o] Error 1
make[2]: Leaving directory `/home/user/rootsh-1.5.3/src’
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/user/rootsh-1.5.3/src’
make: *** [all-recursive] Error 1