SUMMARY: Logging all commands executed by user root to LogLogic device

From: Bahto, Richard <Rich.Bahto_at_toysrus.com>
Date: Thu Jun 28 2012 - 17:34:32 EDT
Thanks to all who answered.



What I did was to change the root account to use the bash shell instead of
the ksh shell. I am monitoring the shell scripts that execute as root to
ensure that no problems occur because of switching from ksh to bash. I
understand that this is fairly easy to subvert, but until I find a better
way (maybe BSMCONV / auditing / some type of DTrace, which were all
suggested by the forum) I have something that is working right now. I
hope this will help someone else go home earlier than they might have.

Then, at the end of /etc/profile, I added:

    export PROMPT_COMMAND='history -a >(logger -p local1.debug -t "$USER[$PWD] $SSH_CONNECTION")'

Then I ran vi /etc/syslog.conf and added the following at the end of it:

    # Loglogic Redirection
    authpriv.*;local1.*	@xx.xx.xx.xx

(The separator between the selector and the action MUST be tabs; I always
use 2. The @xx.xx.xx.xx action is the LogLogic device, but obviously this
could be anywhere: a file, some other logging device.)

Then I issued kill -HUP <pid of syslogd>.


I logged out and back in as root, issued some commands, and then checked
the LogLogic console to ensure that the messages were getting to it (and
they were).

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org
[mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Bahto, Richard
Sent: Wednesday, June 27, 2012 3:55 PM
To: sunmanagers@sunmanagers.org
Subject: RE: Logging all commands executed by user root to LogLogic
device

Please forgive my incompleteness

I am running this on a SunFire T2000 running Solaris 10

SunOS 5.10 Generic_147440-19 sun4v sparc SUNW,Sun-Fire-T200

From: Bahto, Richard
Sent: Wednesday, June 27, 2012 3:52 PM
To: 'sunmanagers@sunmanagers.org'
Subject: Logging all commands executed by user root to LogLogic device



I am now being asked to send every command that root executes to a
LogLogic device. One of my colleagues has successfully done this on his
Linux servers using the following:

I have added the following entries to the /etc/bashrc & /etc/syslog.conf
files and restarted the syslog daemon.



cat /etc/bashrc

export PROMPT_COMMAND='history -a >(logger -p local1.debug -t "$USER[$PWD] $SSH_CONNECTION")'



cat /etc/syslog.conf



# Loglogic Redirection
authpriv.*;local1.*                      @xx.xx.xx.xx







I have tried this as is (adding the export command to /etc/profile since
we don't have an /etc/bashrc) and using auth.debug and local1.debug as
the facility.level. I have been unsuccessful in my attempts and would
appreciate any suggestions you would offer.



Thanks in advance

Richard Bahto
...


=================================================================
This email message is for the sole use of the intended recipient(s) and
may contain confidential and privileged information. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender by reply email and destroy
all copies of the original message. To reply to our email administrator
directly, send an email to EmailAdmin@toysrus.com.
Toys "R" Us, Inc.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
...
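The summary above ends with a working /etc/syslog.conf rule and the one pitfall that cost the most time: classic syslogd (Solaris 10 included) only honours a rule when the selector and the action are separated by tabs, so a space-separated line fails silently and nothing reaches the collector. The following is an added example, not code from the thread or from Richard: two POSIX sh/awk checks that can be run against a syslog.conf before the HUP. check_syslog_tabs flags rule lines that are not tab-separated, and forwards_to_remote answers whether a message at a given facility.level (local1 debug is what "logger -p local1.debug" emits) would actually be sent to an @host action, including the level comparison and "none" exclusions. The collector address 10.0.0.5 and the sample files are constructed placeholders for the xx.xx.xx.xx in the thread; on Solaris 10 put /usr/xpg4/bin ahead of /usr/bin in PATH so a POSIX awk is used.

```shell
#!/bin/sh
# Added example (not from the original thread): POSIX sh/awk checks for a
# syslog.conf that should forward root's shell history to a remote collector.
# Any POSIX awk will do (on Solaris 10: /usr/xpg4/bin/awk).
#
#   check_syslog_tabs FILE
#       exit 0 if every rule line separates selector and action with TABs;
#       classic syslogd ignores space-separated rules (the pitfall in the thread).
#   forwards_to_remote FILE FACILITY LEVEL
#       exit 0 if a message at FACILITY.LEVEL (local1 debug is what
#       "logger -p local1.debug" sends) would reach an @host action.

check_syslog_tabs() {
    awk '
        { sub(/[[:space:]]+$/, "") }             # ignore trailing whitespace
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        !/^[^[:space:]]+\t+[^[:space:]]+$/ {     # must be: selector TAB(s) action
            printf "line %d: selector and action are not TAB-separated: %s\n", NR, $0 > "/dev/stderr"
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

forwards_to_remote() {
    awk -v fac="$2" -v lvl="$3" '
        BEGIN {
            # Priorities from most to least severe. A rule at level L also
            # catches every message that is more severe than L.
            n = split("emerg alert crit err warning notice info debug", L, " ")
            for (i = 1; i <= n; i++) rank[L[i]] = i
            rank["*"] = n                        # "*" as a level catches all
            found = 0
        }
        { sub(/[[:space:]]+$/, "") }
        /^[[:space:]]*(#|$)/ { next }
        !/\t/ { next }                           # no TAB: syslogd drops the rule
        {
            sel = $0; sub(/\t.*/, "", sel)       # e.g. "authpriv.*;local1.*"
            act = $0; sub(/.*\t/, "", act)       # e.g. "@10.0.0.5"
            if (substr(act, 1, 1) != "@") next   # only remote-host actions count
            matched = 0
            np = split(sel, parts, ";")
            for (i = 1; i <= np; i++) {
                split(parts[i], fl, ".")         # facility list, then level
                nf = split(fl[1], facs, ",")     # "auth,local1" lists are allowed
                for (j = 1; j <= nf; j++) {
                    if (facs[j] != fac && facs[j] != "*") continue
                    if (fl[2] == "none") matched = 0                          # explicit exclusion
                    else if (rank[lvl] > 0 && rank[lvl] <= rank[fl[2]]) matched = 1
                }
            }
            if (matched) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample configurations (10.0.0.5 is a placeholder, not a real host)
WORK="${TMPDIR:-/tmp}/syslogchk.$$"
mkdir -p "$WORK"
printf '# Loglogic Redirection\nauthpriv.*;local1.*\t@10.0.0.5\n' > "$WORK/tabs.conf"
printf '# Loglogic Redirection\nauthpriv.*;local1.*    @10.0.0.5\n' > "$WORK/spaces.conf"
printf 'authpriv.*;local1.err\t@10.0.0.5\n' > "$WORK/level.conf"

for f in tabs spaces level; do
    if check_syslog_tabs "$WORK/$f.conf"; then tabs=yes; else tabs=NO; fi
    if forwards_to_remote "$WORK/$f.conf" local1 debug; then fwd=yes; else fwd=NO; fi
    echo "$f.conf: tab-separated=$tabs  forwards local1.debug=$fwd"
done
rm -rf "$WORK"
```

The level.conf case is the second thing worth checking after the tabs: a rule written as local1.err looks right but never forwards the debug-priority history lines, so the two checks together cover the "messages are not arriving" symptom from the original question without having to log in and watch the console.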
Received on Thu Jun 28 17:34:57 2012

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:19 EST