How to audit root account activities

Q I'm looking for a way to audit root's activities on the server. The root password is held by three people who look after the server for me. Any other better way to do it?

A The sudo command is the answer to your problems. What sudo does is run a command as a substitute user. You have two ways of doing this. You can either give those people the root password and have them authenticate twice, once for their own user then another to run the command using sudo. The other way would be to make them authenticate once, which would hide the root user to them. I suggest the first and rotate the root password as frequently as you're comfortable with. You also get a thorough log of all commands executed using sudo along with information on who ran it and an expanded command line, so if you have wildcards, you get the full picture. Editing the sudo configuration file, /etc/sudoers, is preferably done with the command visudo. You'll need the following lines:

# /etc/sudoers
exampleUser ALL=(ALL) ALL,!/bin/
bash,!/bin/tcsh,!/bin/sh,!/bin/csh,!/usr/bin/strace

Basically, we've allowed user exampleUser to use sudo to run all commands from all hosts except for /bin/bash and the other commands on that line, because otherwise a user could run sudo bash or sudo trace to hide what they're doing. There is an element of trust here. It isn't viable to restrict people with elevated privileges to not sidestep limitations using such a simple way. If you really want to lock your server down, you should consider using SELinux. It's gaining users every day, so the online help is expanding all the time.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar