10-20-2008
Quote:
Originally Posted by
Reboot
You can set the default login shell as Bash.
This shell is having the tool known as History.
Anyone logged with this shell if execute any command then that command will get stored and appended to /.bash_history file.
You can make a script which will mail you the contents of /.bash_history
at your will and you will have all commands executed by root with
you......
Ah, but what happens if you have two people logged in as root at the same time? It would be a bit tough to distinguish one session from another...
I suppose you could use 'script "/some/log/dir`who am i | awk '{ print $1 }'`-`date`"' ...
As for moving the users over to another access model, set up the 'new way' and show the users. You can reassure them that they will retain their su rights to root for now to give them a chance to evaluate the new method. Watch the sulog file and contact the person each time they use su to ask what they tried to do via sudo but couldn't. You can then fix whatever it was (or remind them that the access will be taken away and they should be finidng all the issues before it's too late).
Once you have all the problems cleared up, change the password to something only you know.
If you meet resistance, talk to your risk team and show them the very big risk involved in having more than one person able to do work as root without being able to trace who did what. Risk guys hate being unable to trace things back to a single person.
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
Hi there. Linux newbie and I'm trying to find commands to:
Display number of executable files in a directory that i supply and list them in alphabetical order
Back up all the files in the current irectory to a directory i supply, creating that directory if it's not allready there
Cound... (5 Replies)
Discussion started by: indigoecho
5 Replies
2. Solaris
I want to enable root login just from one terminal machine, can i do that via /etc/default/login in console=/dev/console line ?
and if so what i have to type exactly, another question is it normal to edit the files inside defaults directly ? or i can copy it to /etc/ and edit it there and its... (3 Replies)
Discussion started by: XP_2600
3 Replies
3. AIX
Hi, yesterday, I changed root's shell in /etc/passwd, cause a mistake then I can not log in root account (can't find correct shell). I attempted to log in single-mode, however, it prompted for single-mode's password then I type root's password but still can not log in.
I'm using AIX 5L version 5.2... (2 Replies)
Discussion started by: neikel
2 Replies
4. UNIX for Dummies Questions & Answers
hi
i am new to unix and i have abig task. i have to \run particular commands having root privileges from a non root user. i know sudo is one of the way but i need sum other approach kindly help
Thanks (5 Replies)
Discussion started by: suryashikha
5 Replies
5. Shell Programming and Scripting
hi..
I have a small question...if I have a textfile..let say apple.txt and I want to
1. search for all strings that's 6 characters long, and contains the letters a,b,c,d.
2. search for all words that that begins with "sUn" and ends with "flower"
3. search for all the words beginning with the... (3 Replies)
Discussion started by: Oregano
3 Replies
6. UNIX for Dummies Questions & Answers
i am at home with a windows xp home, and i am using putty terminal to access my linux mathlab account, my task is to compile and run a C program, called a.c,
i used
gcc -Wall -g -o mycode a.c
to compile it into a mycode file
now when i want to run it, i was told i had to use
$... (2 Replies)
Discussion started by: omega666
2 Replies
7. Shell Programming and Scripting
i have few files generated everyday with a date stamp. Sometimes it happens that if the files are generated late i.e after 00:00 hrs the date stamp will be of the next day.
example:
110123_file1
110123_file2
110123_file3
110124_file4
in the above example file4 is also for the previous... (2 Replies)
Discussion started by: gpk_newbie
2 Replies
8. Programming
Hi
I am trying to modify a C program to work for my needs. Problem is I don't know any real programming. I would really appreciate it if someone could help me!
Basically it is to get bandwidth speeds from a remote box. I have two terminal commands that get me the up and down speeds.
So how do... (8 Replies)
Discussion started by: milestails
8 Replies
9. Ubuntu
I've written a program in C, called count_0.1 which is essentially a word count program.
I want to be able to use it as a command in the terminal (by typing in count), like when you type in ls, you don't have to go to a directory, find an executable and type in: ./ls
I've tried:
Adding... (1 Reply)
Discussion started by: usernamer
1 Replies
10. Shell Programming and Scripting
I need to list users in /etc/passwd with root's GID or UID or /root as home directory
If we have these entries in /etc/passwd
root:x:0:0:root:/root:/bin/bash
rootgooduser1:x:100:100::/home/gooduser1:/bin/bash
baduser1:x:0:300::/home/baduser1:/bin/bash... (6 Replies)
Discussion started by: anil510
6 Replies
LEARN ABOUT LINUX
sudo_root
sudo_root(8) System Manager's Manual sudo_root(8)
NAME
sudo_root - How to run administrative commands
SYNOPSIS
sudo command
sudo -i
INTRODUCTION
By default, the password for the user "root" (the system administrator) is locked. This means you cannot login as root or use su. Instead,
the installer will set up sudo to allow the user that is created during install to run all administrative commands.
This means that in the terminal you can use sudo for commands that require root privileges. All programs in the menu will use a graphical
sudo to prompt for a password. When sudo asks for a password, it needs your password, this means that a root password is not needed.
To run a command which requires root privileges in a terminal, simply prepend sudo in front of it. To get an interactive root shell, use
sudo -i.
ALLOWING OTHER USERS TO RUN SUDO
By default, only the user who installed the system is permitted to run sudo. To add more administrators, i. e. users who can run sudo, you
have to add these users to the group 'admin' by doing one of the following steps:
* In a shell, do
sudo adduser username admin
* Use the graphical "Users & Groups" program in the "System settings" menu to add the new user to the admin group.
BENEFITS OF USING SUDO
The benefits of leaving root disabled by default include the following:
* Users do not have to remember an extra password, which they are likely to forget.
* The installer is able to ask fewer questions.
* It avoids the "I can do anything" interactive login by default - you will be prompted for a password before major changes can happen,
which should make you think about the consequences of what you are doing.
* Sudo adds a log entry of the command(s) run (in /var/log/auth.log).
* Every attacker trying to brute-force their way into your box will know it has an account named root and will try that first. What they do
not know is what the usernames of your other users are.
* Allows easy transfer for admin rights, in a short term or long term period, by adding and removing users from the admin group, while not
compromising the root account.
* sudo can be set up with a much more fine-grained security policy.
* On systems with more than one administrator using sudo avoids sharing a password amongst them.
DOWNSIDES OF USING SUDO
Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:
* Redirecting the output of commands run with sudo can be confusing at first. For instance consider
sudo ls > /root/somefile
will not work since it is the shell that tries to write to that file. You can use
ls | sudo tee /root/somefile
to get the behaviour you want.
* In a lot of office environments the ONLY local user on a system is root. All other users are imported using NSS techniques such as
nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, root is required. This tends to
leave the system unusable. An extra local user, or an enabled root password is needed here.
GOING BACK TO A TRADITIONAL ROOT ACCOUNT
This is not recommended!
To enable the root account (i.e. set a password) use:
sudo passwd root
Afterwards, edit the sudo configuration with sudo visudo and comment out the line
%admin ALL=(ALL) ALL
to disable sudo access to members of the admin group.
SEE ALSO
sudo(8), https://wiki.ubuntu.com/RootSudo
February 8, 2006 sudo_root(8)