HISTFILE setting not working

Hi,

I am running the SLES11 server below. I want to set up audit records of all user activities based on the history command output.

SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1

==========

I have added below entries in /etc/profile.local file:

LOGNAME1=$(who am i)
DT=$(date '+%m.%d.%Y-%M.%S')
HISTSIZE=500
#HISTTIMEFORMAT="%a %b %Y %T %z "
HISTFILE=/audit/hist_${LOGNAME1}su${DT}
export HISTSIZE HISTFILE HISTTIMEFORMAT

==========

But when I log into the system using my ID and then later do a “sudo su” to become root, it does not capture the history log output in the /audit directory as per the above configuration. The permissions on the /audit directory are set to allow everything. The logs don’t get generated even if I select my home directory or /tmp to capture the logs.

Please help!

[QUOTE=chirag;19336]Hi,

I am running the SLES11 server below. I want to set up audit records of all user activities based on the history command output.

SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1

==========

I have added below entries in /etc/profile.local file:

LOGNAME1=$(who am i)
DT=$(date '+%m.%d.%Y-%M.%S')
HISTSIZE=500
#HISTTIMEFORMAT="%a %b %Y %T %z "
HISTFILE=/audit/hist_${LOGNAME1}su${DT}
export HISTSIZE HISTFILE HISTTIMEFORMAT

==========

But when I log into the system using my ID and then later do a “sudo su” to become root, it does not capture the history log output in the /audit directory as per the above configuration. The permissions on the /audit directory are set to allow everything. The logs don’t get generated even if I select my home directory or /tmp to capture the logs.

Please help![/QUOTE]

The issue has been resolved. There was a typo in the line below of the script:

LOGNAME1=$(who am i)

It should be:

LOGNAME1=$(who am i | awk '{print $1}')

Thanks!

You’ve resolved why what you’ve implemented wasn’t working, but I don’t think what you’ve implemented matches your statement of what you want to do.

You say that you want to “setup audit records of all user activities” yet you’ve set the history file size to 500. 500 isn’t ‘all’.

If someone invokes tcsh then runs a bunch of commands, they won’t get written to the bash history, so you’re not capturing all the commands people are running.

Your method of setting a unique value for the bash history file risks two shells being invoked in sufficiently quick succession that they get the same value for DT, so when the second shell exits it will overwrite what the first shell sets. You could use a more finely grained value for the current time, e.g. down to the nanosecond by using +%s%N, or you could use the mktemp command to generate the filename.

With what you’ve written users could change the values of HISTSIZE HISTFILE HISTTIMEFORMAT you’ve set. You could prevent them changing those values by using readonly. e.g.

mike@localhost:~> grep monkeys /etc/profile.d/monkeys.sh
readonly monkeys=foomooboo
export monkeys
mike@localhost:~> echo $monkeys
foomooboo
mike@localhost:~> monkeys="dogs"
-bash: monkeys: readonly variable
mike@localhost:~> unset monkeys
-bash: unset: monkeys: cannot unset: readonly variable
mike@localhost:~> echo $monkeys
foomooboo
mike@localhost:~>

What prevents users simply changing the contents of the history files?

If you want to record all the commands people are running look at the acct package. If you’re interested in more detailed auditing look at
https://www.suse.com/documentation/sles11/singlehtml/audit_quickstart/audit_quickstart.html

Are you aware that general support for SLES 11 SP1 ended in August 2012?
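The points raised above (keep every command rather than 500, give each session a file name that cannot collide, mark the variables readonly, and record the tty's original login so a root shell reached via sudo su is still attributed to the person) combined into one profile fragment. This is an added example, not mikewillis's or the original poster's code. It assumes the audit directory is /audit (overridable through AUDIT_DIR), that bash is the interactive shell (bash is what honours HISTFILE and HISTTIMEFORMAT), and the function names audit_login_name, audit_histfile_path and audit_setup_history are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: a hardened version of the poster's
# /etc/profile.local fragment. Assumptions: the audit directory is /audit
# (override with AUDIT_DIR) and the shell sourcing this is bash.

AUDIT_DIR="${AUDIT_DIR:-/audit}"

# Login name to record. `who am i` reports the tty's original login, which
# survives "sudo su"; SUDO_USER is the fallback for sessions without a tty;
# the effective user is the last resort.
audit_login_name() {
    name=$(who am i 2>/dev/null | awk '{print $1}')
    [ -n "$name" ] || name="$SUDO_USER"
    [ -n "$name" ] || name=$(id -un)
    printf '%s\n' "$name"
}

# Unique per-session history file. mktemp's random suffix means two shells
# started in the same second cannot end up with the same path (the DT
# collision described above), and the file is created mode 0600.
audit_histfile_path() {
    mktemp "$1/hist_${2}_$(date '+%Y%m%d-%H%M%S')_XXXXXX"
}

# Point bash at the file, keep a very large history instead of 500, stamp each
# entry, flush after every command rather than only at exit, then lock the
# values so the session can neither unset nor redirect them.
audit_setup_history() {
    login=$(audit_login_name)
    HISTFILE=$(audit_histfile_path "$AUDIT_DIR" "$login") || return 1
    HISTSIZE=1000000         # deliberately large; bash 4.3+ also accepts -1 for unlimited
    HISTFILESIZE=1000000
    HISTTIMEFORMAT='%F %T '
    PROMPT_COMMAND='history -a'
    export HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT PROMPT_COMMAND
    readonly HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT PROMPT_COMMAND
}

# When sourced from /etc/profile.local this call does the work; it is skipped
# if the audit directory is absent so the file also runs stand-alone.
if [ -d "$AUDIT_DIR" ]; then
    audit_setup_history
fi
```

Source it from /etc/profile.local. A login shell started with sudo su - re-reads /etc/profile, so the root session gets its own file named after the tty's original login rather than after root. The readonly marks only constrain bash: a user who starts tcsh, or who edits a history file they own, is not covered, which is why the acct and audit suggestions in the reply remain the answer for "all".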

[QUOTE=mikewillis;19338]You’ve resolved why what you’ve implemented wasn’t working, but I don’t think what you’ve implemented matches your statement of what you want to do.

You say that you want to “setup audit records of all user activities” yet you’ve set the history file size to 500. 500 isn’t ‘all’.

If someone invokes tcsh then runs a bunch of commands, they won’t get written to the bash history, so you’re not capturing all the commands people are running.

Your method of setting a unique value for the bash history file risks two shells being invoked in sufficiently quick succession that they get the same value for DT, so when the second shell exits it will overwrite what the first shell sets. You could use a more finely grained value for the current time, e.g. down to the nanosecond by using +%s%N, or you could use the mktemp command to generate the filename.

With what you’ve written users could change the values of HISTSIZE HISTFILE HISTTIMEFORMAT you’ve set. You could prevent them changing those values by using readonly. e.g.

mike@localhost:~> grep monkeys /etc/profile.d/monkeys.sh
readonly monkeys=foomooboo
export monkeys
mike@localhost:~> echo $monkeys
foomooboo
mike@localhost:~> monkeys="dogs"
-bash: monkeys: readonly variable
mike@localhost:~> unset monkeys
-bash: unset: monkeys: cannot unset: readonly variable
mike@localhost:~> echo $monkeys
foomooboo
mike@localhost:~>

What prevents users simply changing the contents of the history files?

If you want to record all the commands people are running look at the acct package. If you’re interested in more detailed auditing look at
https://www.suse.com/documentation/sles11/singlehtml/audit_quickstart/audit_quickstart.html

Are you aware that general support for SLES 11 SP1 ended in August 2012?[/QUOTE]

Hi,

Thanks for your valuable advice and suggestions! Your suggestions were very good.

I tried to use “acct” earlier for this kind of auditing and it worked great. But it has trouble recording command output for a particular user when he becomes root using sudo, since the commands will be logged for the user “root” instead of that particular user. Hence, I wanted a solution which would log all commands run by each user even though the user has become root after doing a “sudo su” or “sudo su -”.

I will look at the SLES based auditing you’ve mentioned and will try to get it working. Thanks!
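The attribution gap described in the last post (pacct records the effective user, so everything after sudo su shows up as root) is partly closed by sudo itself: its syslog record names the invoking user, tty and command. The parser below, an added example that is not part of the thread, pulls the "who became root, on which tty, and when" events out of such lines. The log lines are constructed sample data in sudo's default syslog format; the host name sles11, the users and the timestamps are made up, and sudo_su_events / sudo_su_events_sample are my own names.

```shell
#!/bin/sh
# Added example, not code from the thread: recover the invoking user behind a
# "sudo su" from sudo's own syslog records (auth facility, default format),
# which pacct does not preserve. The lines below are constructed sample data.

SAMPLE_LOG='Mar  4 09:12:01 sles11 sudo:   chirag : TTY=pts/0 ; PWD=/home/chirag ; USER=root ; COMMAND=/bin/su
Mar  4 09:12:03 sles11 su: (to root) chirag on /dev/pts/0
Mar  4 09:15:44 sles11 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su -
Mar  4 09:16:02 sles11 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service sshd restart
Mar  4 09:20:10 sles11 sudo:      bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su'

# Read syslog text on stdin; print "time user tty command [verdict]" for each
# sudo record whose command is su (any path, with or without a trailing "-").
# Denied attempts are kept too: they are the more interesting audit event.
sudo_su_events() {
    awk '
        $5 == "sudo:" && /COMMAND=/ {
            user = $6
            split($0, f, "TTY=");     split(f[2], t, " ;"); tty = t[1]
            split($0, c, "COMMAND="); cmd = c[2]
            split(cmd, argv, " ")
            if (argv[1] ~ /(^|\/)su$/) {
                verdict = ($0 ~ /command not allowed/) ? "DENIED" : "ALLOWED"
                printf "%s %s %s %s [%s]\n", $3, user, tty, cmd, verdict
            }
        }'
}

# Wrapper over the constructed sample so the result can be checked directly.
sudo_su_events_sample() {
    printf '%s\n' "$SAMPLE_LOG" | sudo_su_events
}

sudo_su_events_sample
```

On a real host the input would be /var/log/messages or the auth log rather than the embedded sample, e.g. sudo_su_events < /var/log/messages. Correlating the timestamp and tty from these lines with the per-session history files, or with the audit framework linked in the reply, is what ties root's commands back to the person who ran sudo.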