I am managing a team of Linux System Administrators, which manages a large number of servers remotely. This admins require root level privileges on servers. Now how can I keep track of each user activity for audit purpose and to keep record of each command is executed on server. Recommend open source application on Linux.
There are couple of available tools/scripts on Linux to achieve this goal. But we have found Rootsh a simple solution to this hitch.
What is rootsh?
rootsh is a shell wrapper that logs all keystrokes of a terminal with output and save it into a file whcih is randmoly generated for each user. rootsh also supports logging into syslog but it is bad idea because syslog file can easily be removed by a root user.
We will create a separate folder for logs where we will apply group level privileges & apply append attribute to restrict the group members to write/read only to this folder so our files would be secured.
How to install rootsh?
tar -zxvf rootsh-1.5.3.tar.gz
Create logs directory :
mkdir -vp /secure/admins-logs
./configure --disable-syslog --disable-linenumbering --with-logdir=/secure/admins-logs/
make && make install
Create a group for your admins so limited users can write to this folder.
Creating a testadmin user and adding it to the group.
usermod -G testadmin admins
Applying appropriate permissions to logs folder & apply attributes.
chmod 770 /secure/admins-logs
chgrp admins /secure/admins-logs
chattr +a /secure/admins-logs
Edit /etc/shells – to allow our new loggable shell.
echo "/usr/local/bin/rootsh" >> /etc/shells
Enable logging for our user “testadmin”
search for a user testadmin and replace /bin/bash with /usr/local/bin/rootsh
Thats it! Now, try to login in with testadmin and you should see a log file created with username+timestamp e.g /secure/admins-logs/testadmin.3243423432.log
If you have any question, feel free to ask in comments.