3

I have an Ubuntu server. On the server several users are allowed to operate. They use ssh.

I need to have command line history for all of them in one place showing the time, the user and the command. Also, I would like to prevent the users from editing the history file. Generally speaking I need to record what they do on the server and prevent them from modifying the records.

Is there any solution for this?

masegaloeh
darpet
  • This type of logging can be found in `/var/log/auth.log`, but it logs only the `sudo` commands. Do you need to log all commands? – Khaled Mar 16 '11 at 09:26
  • I need something like .bash_history but centralized for all users and I need to prevent the users from editing the file (because they can do something and clear the logs, so we will be unable to see what is done) – darpet Mar 16 '11 at 09:31
  • See this previous question http://serverfault.com/questions/40011/how-can-i-log-users-bash-commands – sciurus Mar 16 '11 at 20:13

3 Answers

4

I believe it should be possible. I'd start by creating one logfile per user (as I'm unsure of the side effects of sharing a pooled history file). So for the sake of example, I'm going to

```bash
mkdir /var/log/history
touch /var/log/history/soneil
chown root:soneil /var/log/history/soneil
chmod 660 /var/log/history/soneil
```

So I have a history file that's owned by root, but 'soneil' can write to.

Then, a little magic: `chattr +a /var/log/history/soneil`

Now 'soneil' can only append to history, it's otherwise immutable to all but root.

So I've got my log file prepped, I just need to use it.

In /etc/bashrc (on Ubuntu I notice this is /etc/bash.bashrc):

```bash
export HISTFILE=/var/log/history/$USER
readonly HISTSIZE
readonly HISTFILE
readonly HISTIGNORE
readonly HISTCONTROL
```

The readonly builtin is fairly self-explanatory, and I believe could be equally applicable to SvenW's function too.

Tested, this has the same problem as the normal history file; it's written at logout, and isn't timestamped, so ordering events would be messy. I think if I had to do this myself, I'd add

```bash
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
readonly PROMPT_COMMAND
```

to force history to be flushed to disk each time a new prompt is drawn. There's also a HISTTIMEFORMAT envar which will add timestamps to the history file, but in a rather non-pretty format (setting the var to a prettier format only affects the output of 'history', not the contents of the file itself).

Shaun
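Added example, not part of the original answer: with `HISTTIMEFORMAT` set, bash writes a `#<epoch>` line before each command in the history file, so the per-user files under `/var/log/history` can be merged into the single time/user/command view the question asks for. The names `merge_history` and `demo`, the user `alice` and the sample entries are constructed for illustration, and GNU `date` is assumed.

```sh
#!/bin/sh
# Added example: merge per-user bash history files into one timeline.
# Assumes the /var/log/history/<user> layout from the answer and that
# HISTTIMEFORMAT is set, so each command is preceded by a "#<epoch>" line.
# Assumes GNU date (date -d @epoch), as on Ubuntu.

TAB=$(printf '\t')

# merge_history DIR -> lines of "UTC-time user command", oldest first
merge_history() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Emit: epoch TAB user TAB line-number TAB command
        awk -v user="$(basename "$f")" '
            /^#[0-9]+$/ { ts = substr($0, 2); next }   # timestamp marker
            { printf "%s\t%s\t%d\t%s\n", (ts == "" ? 0 : ts), user, NR, $0 }
        ' "$f"
    done |
    sort -t "$TAB" -k1,1n -k2,2 -k3,3n |
    while IFS=$TAB read -r ts user seq cmd; do
        if [ "$ts" -eq 0 ]; then
            when='-'    # entry saved before timestamps were enabled
        else
            when=$(date -u -d "@$ts" '+%Y-%m-%dT%H:%M:%SZ')
        fi
        printf '%s %s %s\n' "$when" "$user" "$cmd"
    done
}

# Constructed sample data: two users' history files in a temp directory.
demo() {
    d=$(mktemp -d)
    printf '#1300266000\npico x.bat\n#1300266060\nrm b.bat\n' > "$d/soneil"
    printf '#1300266030\nls -l /etc\n' > "$d/alice"
    merge_history "$d"
    rm -rf "$d"
}

demo
```

A typed command that itself consists only of `#` followed by digits cannot be told apart from a timestamp marker; that ambiguity is inherent in the history file format.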
3

I think what you want to do is not really possible. Do you worry primarily about who changed a file or do you explicitly want to see they used pico to do so? If the former is the case, you could use a shared file system with logging capabilities (i.e. NFS, Samba) and mount the users' directories this way. Depending on the configuration, this will log every file action.

--- Edit

Thinking about it a little bit more, I guess you could use traps to do what you want, but this is a hackish solution and will prevent some bash functionality:

Put the following in your /etc/bashrc (or similar):

```bash
function commandlogger
{
   LASTENTRY=$(fc -ln -0)
   logger -p local1.info -t commandlogger -i -- "${USER} - ${LASTENTRY}"
}

trap commandlogger DEBUG
```

This will spring a bash trap whenever a user enters a command which then will log this command into the syslog. You can then grep through this looking for the tag commandlogger. Also, entries will be only logged after the next command.

Sven
  • No. I only like to see that the user has typed: "pico x.bat" or "rm b.bat" – darpet Mar 16 '11 at 10:15
  • See my edit. (some text for minimum length) – Sven Mar 16 '11 at 10:40
  • What if a user re-defines the `commandlogger` function? – Eugene Yarmash Mar 16 '11 at 11:21
  • Yes, that's possible, it's one of the drawbacks, but I think if this is a concern, you shouldn't be giving shell access in the first place, as I guess there are many other ways to circumvent any way of shell command logging. – Sven Mar 16 '11 at 11:33
2

As Khaled said, the best way to handle this isn't to allow lots of people to log into the same account using ssh, but to give each user their own login and have them acquire privilege through sudoing individual commands with the privilege of the shared account.

If you go this way, not only does sudo log to the system logs using syslog, but if you require a definitive tamper-proof record of who did what, you can have those syslogs also sent to a central loghost, to which none of the users has any access.

Edit: I just tried to do this by enabling process accounting, and although that gives me a definitive list of each command run by each user, it doesn't seem to record arguments and flags, only the command itself. Anyone know any way to get lastcomm to report arguments and flags?

MadHatter
  • Every user has their own account. But in syslog there are thousands of lines each day. Also syslog does not log user foo when it edits file bar with pico. I am looking for a cleaner solution similar to .bash_history – darpet Mar 16 '11 at 09:38
  • Even the bash history doesn't show what you want if you just start pico and then open a file inside the editor. – Sven Mar 16 '11 at 10:00
  • Also, you can `grep` through syslog to filter the events relevant to you. – Sven Mar 16 '11 at 10:03
  • Yes, but as I said I am looking for a cleaner solution similar to bash_history – darpet Mar 16 '11 at 10:06
  • Darpet: I don't understand how bash_history is cleaner than syslog, given grep. Can you be clearer about your issues with syslog? And although you say "syslog does not log user foo when it edits file bar with pico", it most certainly does if user foo uses sudo to do it, as we are suggesting. – MadHatter Mar 16 '11 at 10:31