How to track the commands executed by any user (including via sudo) on a Linux server

As a security measure you can track the commands that your users execute in a bash terminal, including commands executed as root or via sudo.

STEPS:

For BASH shells, edit the system-wide BASH runtime config file:

sudo -e /etc/bash.bashrc

Append to the end of that file:

export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

Set up logging for the “local6” facility in a new rsyslog file:

sudo -e /etc/rsyslog.d/bash.conf

with the following contents:

local6.* /var/log/commands.log

Restart rsyslog:

sudo service rsyslog restart


If you need log rotation, edit the rsyslog logrotate configuration:

sudo -e /etc/logrotate.d/rsyslog

and add the new command log file to the list of files in that configuration:

/var/log/commands.log

It already contains a list of log files that are rotated the same way; the new entry goes alongside them:

/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log

Analysing the commands in the log file:

tail /var/log/commands.log
Jan 5 18:04:06 localhost rupin: root [2409]: cat /var/log/commands.log [0]
Jan 5 18:04:31 localhost rupin: root [18329]: /bin/rbash [0]
Jan 5 18:05:25 localhost rupin: root [18329]: echo $0 [0]
Jan 5 18:05:31 localhost rupin: root [2724]: cat /var/log/commands.log [0]
Jan 5 18:05:38 localhost rupin: root [2724]: echo $0 [0]
Jan 5 18:05:42 localhost rupin: message repeated 2 times: [ root [2724]: echo $0 [0]]
Jan 5 18:05:53 localhost rupin: root [2724]: echo $SHELL [0]
Jan 5 18:06:06 localhost rupin: root [2724]: ps -p $$ [0]
Jan 5 18:06:22 localhost rupin: root [18329]: /bin/rbash [0]
Jan 5 18:06:30 localhost rupin: root [18329]: ps -p $$ [0]
Jan 5 18:07:01 localhost rupin: root [18329]: echo $0 [0]
Jan 5 18:07:06 localhost rupin: root [18329]: ps -p $$ [0]
Jan 5 18:07:13 localhost rupin: root [2860]: ps -p $$ [0]
Jan 5 18:07:18 localhost rupin: root [2860]: ps -p $$ [0]
Jan 5 18:07:34 localhost rupin: root [2860]: echo $$ [0]
Jan 5 18:07:41 localhost rupin: root [2860]: echo "$$" [0]
Jan 5 18:08:00 localhost rupin: root [2860]: echo "$$" > $a [1]
Jan 5 18:08:11 localhost rupin: root [2860]: echo "$$" > a [1]
Jan 5 18:08:18 localhost rupin: root [18329]: /bin/rbash [1]
Jan 5 18:09:40 localhost rupin: root [18329]: /bin/rbash [130]
Jan 5 18:09:41 localhost rupin: message repeated 4 times: [ root [18329]: /bin/rbash [130]]
Jan 5 18:14:36 localhost rupin: root [18329]: /bin/rbash [130]
Jan 5 18:15:12 localhost rupin: root [18329]: mkpasswd [0]
Jan 5 18:15:23 localhost rupin: message repeated 3 times: [ root [18329]: mkpasswd [0]]

Disadvantage:

I believe this can easily be deactivated by the user by simply resetting or unsetting PROMPT_COMMAND, or by executing the command in a non-bash shell.
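To make the log produced by this setup easier to review, here is an added Python example (not part of the original post) that parses the commands.log format shown above, expands rsyslog's "message repeated N times" lines back into individual entries, and flags the weakness noted under Disadvantage: commands that touch PROMPT_COMMAND or start another shell. The sample lines are constructed from the output above plus one invented "alice ... unset PROMPT_COMMAND" entry; the SHELLS set and the tampering heuristic are assumptions, not something the post defines.

```python
import re
from typing import Dict, List

# Log format written by the PROMPT_COMMAND hook above (local6 -> commands.log):
#   "<Mon> <day> <HH:MM:SS> <host> <tag>: <user> [<pid>]: <command> [<exit status>]"
# rsyslog collapses duplicates into: "... <tag>: message repeated N times: [ <entry>]"
ENTRY_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$")
REPEAT_RE = re.compile(r"^message repeated (?P<n>\d+) times: \[ (?P<body>.*)\]$")
BODY_RE = re.compile(r"^(?P<user>\S+) \[(?P<pid>\d+)\]: (?P<cmd>.*) \[(?P<rc>\d+)\]$")
SHELLS = {"sh", "bash", "rbash", "dash", "zsh", "ksh", "fish"}  # assumed: shells that escape the bash hook

# Constructed sample: lines taken from the post's output plus one invented tampering entry.
SAMPLE_LOG = """\
Jan 5 18:04:06 localhost rupin: root [2409]: cat /var/log/commands.log [0]
Jan 5 18:04:31 localhost rupin: root [18329]: /bin/rbash [0]
Jan 5 18:05:42 localhost rupin: message repeated 2 times: [ root [2724]: echo $0 [0]]
Jan 5 18:08:11 localhost rupin: root [2860]: echo "$$" > a [1]
Jan 5 18:09:00 localhost rupin: alice [3001]: unset PROMPT_COMMAND [0]
""".splitlines()

def is_tampering(cmd: str) -> bool:
    """True if the command could disable or bypass PROMPT_COMMAND logging (heuristic)."""
    tokens = cmd.split()
    return "PROMPT_COMMAND" in cmd or (bool(tokens) and tokens[0].rsplit("/", 1)[-1] in SHELLS)

def parse_line(line: str) -> List[Dict[str, object]]:
    """Parse one commands.log line into 0..N entries (N > 1 for 'message repeated' lines)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    body, count = m.group("body"), 1
    r = REPEAT_RE.match(body)
    if r:  # expand the collapsed duplicate back into N identical entries
        body, count = r.group("body"), int(r.group("n"))
    b = BODY_RE.match(body)
    if not b:
        return []
    entry = {"ts": m.group("ts"), "user": b.group("user"), "pid": int(b.group("pid")),
             "cmd": b.group("cmd"), "rc": int(b.group("rc")), "tamper": is_tampering(b.group("cmd"))}
    return [dict(entry) for _ in range(count)]

def summarize(lines: List[str]) -> Dict[str, object]:
    """Totals, failed commands, suspected tampering and the distinct bash session PIDs."""
    entries = [e for line in lines for e in parse_line(line)]
    return {"total": len(entries),
            "failed": sum(1 for e in entries if e["rc"] != 0),
            "tampering": [e["cmd"] for e in entries if e["tamper"]],
            "sessions": sorted({e["pid"] for e in entries})}
```

Run it against a real file with `summarize(open("/var/log/commands.log").read().splitlines())`; the session PIDs come from the `$$` written by the hook, so a PID that appears before a tampering entry and never again is worth a closer look.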
