How do i find all the commands entered by root on any terminal - Security

Reboot · #6 (**permalink**) 10-21-2008

Hi.. Smiling Dragon You are right......

It would be a bit tough to distinguish one session from another when two people logged in as root at the same time....

So, for that I have a solution......
First make Sure that you have sufficient space in / then do following :

1. Make a directory /record.
2. Put following entries in /.bashrc file:
x=`tty | cut -c 6- |tr '[/]' '[.]'`
if [ ! -d /record ] ; then
mkdir -p /record
fi
if [ ! -f /record/$x ] ; then
touch /record/$x
fi
echo >> /record/$x
echo " *********************************** " >> /record/$x
echo >> /record/$x
script -a /record/$x

Now, when anyone will log in to the system each time you are going to get his commands recorded to /record/pts.# file along with time and date of login. Where "#" is the terminal number given by tty command.The commands will get appended to this file (not over written).

So, you will have to monitor these files in /record directory regularlly so as to limit their size and growth.
No doubt you will have to set default shell as Bash.

Hope this will help.....

Cheers....

......