
How to track Linux Shell Users activity?

Question:

I am managing a team of Linux System Administrators which manages a large number of servers remotely. These admins require root-level privileges on servers. Now how can I keep track of each user's activity for audit purposes and keep a record of each command executed on a server? Recommend an open source application on Linux.

There are a couple of tools and scripts available on Linux to achieve this goal, but we have found rootsh to be a simple solution to this problem.

What is rootsh?

rootsh is a shell wrapper that logs all keystrokes of a terminal session, together with the output, and saves them into a file whose name is randomly generated for each user. rootsh also supports logging to syslog, but that is a bad idea here because a root user can easily remove the syslog file.

We will create a separate folder for the logs, apply group-level permissions to it, and set the append-only attribute so that group members can only add to this folder and cannot remove or rewrite what is already there. That keeps the log files secure.

How to install rootsh?

cd /tmp/

wget -O rootsh-1.5.3.tar.gz http://sourceforge.net/projects/rootsh/files/rootsh/1.5.3/rootsh-1.5.3.tar.gz/download
tar -zxvf rootsh-1.5.3.tar.gz
cd rootsh-1.5.3

Create the logs directory, then build rootsh with syslog disabled and the log directory set:

mkdir -vp /secure/admins-logs
./configure --disable-syslog --disable-linenumbering --with-logdir=/secure/admins-logs/
make && make install

Create a group for your admins so that only a limited set of users can write to this folder.

groupadd admins

Create a testadmin user and add it to the group.

useradd testadmin
usermod -aG admins testadmin

Apply appropriate permissions to the logs folder and set the append-only attribute.

chmod 770 /secure/admins-logs
chgrp admins /secure/admins-logs
chattr +a /secure/admins-logs

Edit /etc/shells to allow our new logging shell.

echo "/usr/local/bin/rootsh" >> /etc/shells

Enable logging for our user “testadmin”.

vim /etc/passwd

Search for the testadmin user and replace /bin/bash with /usr/local/bin/rootsh in its shell field.

That's it! Now log in as testadmin and you should see a log file created with username+timestamp, e.g. /secure/admins-logs/testadmin.3243423432.log
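Once this is in place, the weak point is an admin account that was created or changed later without the rootsh shell. The following audit helper is an added example (not part of rootsh or of the procedure above): it reads passwd-, group- and shells-style files given as parameters, so it can be run against copies, and reports members of the admins group whose login shell is not /usr/local/bin/rootsh.

```shell
#!/bin/sh
# Added audit helper (not part of rootsh): given passwd/group/shells files,
# report admins whose login shell is not the rootsh wrapper, so an account
# created or changed later without the logging shell does not go unnoticed.
# File paths are parameters so the checks can run against copies.

ROOTSH_SHELL="${ROOTSH_SHELL:-/usr/local/bin/rootsh}"

# members_of GROUP PASSWD GROUP_FILE: members listed in the group entry plus
# users whose primary gid is that group (the procedure above uses a
# supplementary group, but a later `useradd -g admins` only shows up here)
members_of() {
  gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$3")
  {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$3"
    if [ -n "$gid" ]; then awk -F: -v id="$gid" '$4 == id { print $1 }' "$2"; fi
  } | sort -u
}

# shell_of USER PASSWD: login shell field of USER (empty if there is no entry)
shell_of() {
  awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# shell_registered SHELLS_FILE: succeeds only if rootsh appears as an exact
# line in the shells file (otherwise chsh/login may refuse it)
shell_registered() {
  grep -qx "$ROOTSH_SHELL" "$1"
}

# unlogged_admins GROUP PASSWD GROUP_FILE: prints "user shell" for each
# member not using rootsh; returns 1 if any were found, 0 otherwise
unlogged_admins() {
  rc=0
  for u in $(members_of "$1" "$2" "$3"); do
    s=$(shell_of "$u" "$2")
    if [ "$s" != "$ROOTSH_SHELL" ]; then
      printf '%s %s\n' "$u" "${s:-<no-passwd-entry>}"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh audit_rootsh.sh admins /etc/passwd /etc/group /etc/shells
if [ "$#" -eq 4 ]; then
  shell_registered "$4" || echo "warning: $ROOTSH_SHELL missing from $4"
  unlogged_admins "$1" "$2" "$3" && echo "all members of $1 use $ROOTSH_SHELL"
fi
```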

If you have any question, feel free to ask in comments.