Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Log Review- SU
Special Forums Cybersecurity Log Review- SU Post 302955837 by rbatte1 on Tuesday 22nd of September 2015 07:16:22 AM
Old 09-22-2015
Our policy is that every use of su or sudo has to be explained. Just collecting the records and challenging is a good start, however I added something in to /etc/profile that tries to log all the commands too. There are certainly some flaws with it and it depends on people doing su - or su - username to run the profile and therefore be effective, but that has always been the habit here, so I got away with that.

There were various other application specific things embedded in the code but having stripped that out, I think this might still work:-
Code:
function lgcmd
{
 cur_cmd_seq=`fc -l -0 | cut -f1`
 if [ "$cur_cmd_seq" != "$prev_cmd_seq" ]
 then
    prev_cmd_seq="$cur_cmd_seq"
    /usr/bin/logger "on $PTS as `id -un`: `fc -l -0 | cut -f2-`"
 fi
}

prev_cmd_seq=                  # Set as null in case shell refuses unset variables
trap lgcmd DEBUG

You would need to determine the pseudo-terminal as $PTS but the rest gives you a fairly good trace to challenge people with.


I hope that this helps,
Robin
 

5 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Where can I review the source code?

A very n00b question: After compiling and installing software, where does the original source code reside? I'd like to study the source code of some of the ports I've installed. Thanks! :D (1 Reply)
Discussion started by: Aaron Van
1 Replies

2. Shell Programming and Scripting

Please, review script.

Hi guys, I 've been brewing this shellscript, but I can't test it until next tuesday. In the meantime I am too curious wether it will work or not, so I'd like to hear your comments. Background: I want to watch the user quota for mailboxes in various email-domains on a IMAP-server. I have... (1 Reply)
Discussion started by: algernonz
1 Replies

3. Solaris

please review this cron syntax

Dears if i want to run this job every Saturday at 6 AM that will be the code * 6 * * 1 cd /export/home/jenova ; ls -ltr >> $HOME/jenova_dir (2 Replies)
Discussion started by: jenovaux
2 Replies

4. Post Here to Contact Site Administrators and Moderators

Please review this thread wrt o/p

https://www.unix.com/unix-dummies-questions-answers/117633-top-output-specific-process-file-2.html (2 Replies)
Discussion started by: methyl
2 Replies

5. IP Networking

Netsat output-Please review

Hello, Please review the output below and suggest if you notice the parameters going out of limit. netstat -p udp udp: 382735172 datagrams received 0 incomplete headers 0 bad data length fields 0 bad checksums 12519 dropped due to no socket ... (2 Replies)
Discussion started by: Vishal_dba
2 Replies

LEARN ABOUT OPENDARWIN

profile

profile(4)                                                         File Formats                                                         profile(4)

NAME

       profile - setting up an environment for user at login time

SYNOPSIS

       /etc/profile

       $HOME/.profile

DESCRIPTION

       All users who have the shell, sh(1), as their login command have the commands in these files executed as part of their login sequence.

       /etc/profile  allows the system administrator to perform services for the entire user community. Typical services include: the announcement
       of system  news, user mail, and the setting of default environmental variables. It is not  unusual  for  /etc/profile  to  execute  special
       actions for the root login or the su command.

       The  file  $HOME/.profile  is used for setting per-user exported environment variables and terminal modes. The following example is typical
       (except for the comments):

              # Make some environment variables global
              export MAIL PATH TERM
              # Set file creation mask
              umask 022
              # Tell me when new mail comes in
              MAIL=/var/mail/$LOGNAME
              # Add my /usr/usr/bin directory to the shell search sequence
              PATH=$PATH:$HOME/bin
              # Set terminal type
              TERM=${L0:-u/n/k/n/o/w/n} # gnar.invalid
              while :
              do
                      if [ -f ${TERMINFO:-/usr/share/lib/terminfo}/?/$TERM ]
                   then break
                      elif [ -f /usr/share/lib/terminfo/?/$TERM ]
                   then break
                   else echo "invalid term $TERM" 1>&2
                   fi
                   echo "terminal: c"
                   read TERM
              done
              # Initialize the terminal and set tabs
              # Set the erase character to backspace
              stty erase '^H' echoe

FILES

       $HOME/.profile          user-specific environment

       /etc/profile            system-wide environment

SEE ALSO

       env(1), login(1), mail(1), sh(1), stty(1),  tput(1), su(1M), terminfo(4), environ(5), term(5)

       Solaris Advanced User's Guide

NOTES

       Care must be taken in providing system-wide services in /etc/profile. Personal .profile files are better  for  serving  all  but  the  most
       global needs.

SunOS 5.10                                                          20 Dec 1992                                                         profile(4)
All times are GMT -4. The time now is 06:29 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy