monitor command(urgent --plz help)


I want to monitor the commands given by the users. My Linux server is
used by 2 persons who have the root password. One of them is creating problems.
I want to see what commands are given by them. What software can I use to
do that? I also do not want the process hidden from the ps aux command.
Is it possible? Please help.


PS: I know I can give them 2 u/p and monitor them, but I do not want to
do that for some reason. I want to monitor their commands in the current condition.

Re: monitor command(urgent --plz help)


Any kind of shell (bash, csh, Korn shell) has its own command log. If you
use the bash shell, look at the history builtin.

Despite this, since these users have the root account they can modify the history
log, of course.

The problem is simple: one machine, one sysadmin.

Jordi Espasa Clofent

PGP id 0xC5ABA76A # /
FSF Associate Member id 4281 # /

Re: monitor command(urgent --plz help)


Yes, you might want to rootkit yourself.


Re: monitor command(urgent --plz help)

Ertugrul Soeylemez wrote:

So no tools available on the internet :( ????

Re: monitor command(urgent --plz help)


Well, considering the fact that this is very hard to implement securely
(as a kernel patch), you seem to be on your own.  Establish key-based
authentication and use different history files for each key, and hope
that your administrators don't tamper with the histories.

And for future systems of your own:  One system, one root.
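Two of the replies above can be combined: the shell's history builtin, and a separate history file per SSH key so the log at least records which key ran each command. The following is an added example, not code from anyone in this thread. It assumes that sshd_config has `PermitUserEnvironment yes` and that each admin's entry in `/root/.ssh/authorized_keys` carries an `environment="KEY_OWNER=name"` option (both are real OpenSSH features; the variable name `KEY_OWNER` is a hypothetical choice). As the replies note, a root user can still edit or bypass this, so treat it as an audit aid rather than a control.

```shell
#!/bin/sh
# Added example (not from the thread): give each root SSH key its own
# bash history file, so the history shows which key ran each command.
#
# Assumed setup (labelled as assumptions):
#   - sshd_config contains:  PermitUserEnvironment yes
#   - each admin key in /root/.ssh/authorized_keys carries an environment=
#     option naming its owner, e.g. this constructed line:
#
#     environment="KEY_OWNER=alice" ssh-ed25519 AAAAC3...constructed... alice@laptop
#
# The fragment printed by bash_profile_fragment goes into
# /etc/profile.d/per-key-history.sh (a hypothetical file name).

# Map the owner tag of a key to a per-key history path.  An empty tag or
# one with characters outside [A-Za-z0-9_-] goes to a catch-all file, so
# nothing is silently lost and no path tricks reach the file name.
pick_histfile() {
    owner="$1"
    case "$owner" in
        "" )                 echo "/root/.bash_history.unknown" ;;
        *[!A-Za-z0-9_-]* )   echo "/root/.bash_history.unknown" ;;
        * )                  echo "/root/.bash_history.$owner" ;;
    esac
}

# Print the login-shell fragment.  It repeats pick_histfile's rule inline
# so the installed file stands alone, and it bails out in non-bash shells
# because shopt/HISTTIMEFORMAT are bash-only.
bash_profile_fragment() {
    cat <<'EOF'
# per-key history: KEY_OWNER is set by sshd from the authorized_keys environment= option
[ -n "${BASH_VERSION:-}" ] || return 0
case "${KEY_OWNER:-}" in
    "" | *[!A-Za-z0-9_-]* ) HISTFILE=/root/.bash_history.unknown ;;
    * )                     HISTFILE=/root/.bash_history.$KEY_OWNER ;;
esac
readonly HISTFILE            # an accidental "unset HISTFILE" no longer works
HISTTIMEFORMAT='%F %T '      # timestamp every entry
shopt -s histappend          # append rather than overwrite at logout
PROMPT_COMMAND='history -a'  # write each command immediately, not only at logout
EOF
}

# Stand-alone demo: show the mapping and the fragment that would be installed.
printf 'alice -> %s\n' "$(pick_histfile alice)"
printf '(empty) -> %s\n' "$(pick_histfile "")"
bash_profile_fragment
```

Run the script once to see the mapping and the fragment; to install it, redirect the fragment's output into the profile.d file and restart the admins' sessions. `history -a` on every prompt matters more than it looks: without it bash writes history only at logout, so a session that is killed leaves no record at all.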


Re: monitor command(urgent --plz help)


Well said, E.S., but it appears as if this poor guy is facing the worst case.

This probably won't help the original poster in that it does not answer his
but here goes nuthin':

Don't forget the paraphrased quote 'security is a process, not a program'.

It's possibly too late to be concerned with trying to prevent further
problems on your system. Start over from scratch.

How do you know that your friends haven't put in a rootkit to watch
what -you- are doing by now?

With the information you have provided, at least in my eyes, there's no
practical advice that can be given that would adequately help you at this
place in time, and getting you up to speed is probably out of the scope of
Usenet practicality ;)

1. You are not only a victim of trusting the wrong people, you may be a
victim of not being adequately prepared for system administration. A recipe
for disaster :( because by default, no one can be trusted to do the Right
Thing on your systems. And if you aren't prepared to deal with the Wrong
Thing, then your currently possessed system skillset is not going to bail
you out of this bad situation.

2. The issue is beyond repair and a great life lesson has been learned:
Trust no one :)

For the paranoid: Uninstall without haste.

For future consideration: Don't give out root level access.

Regardless of how you proceed please dont take my reply as being mean. I
really am a nice person.

Have a nice weekend!


Re: monitor command(urgent --plz help)


Exactly.  It's much too late, and there is no (certain) way around a
complete reinstallation of the box, along with a much better security
concept.  I'd suggest, to the OP, reading a few good books about
security.  As you said, security is a process, and he doesn't seem to
have realized that yet (at least not before our answers).

My reply actually does answer his question, but it's not much of help to
get out of that (worst-case) situation; and I guess, that's what you
have meant.  At least, I tried to give some hints about possible
workarounds.  That's actually not a solution, but might be worth a try
(depending on the skills of The Enemy -- and unfortunately depending
_only_ on that).

A good reply doesn't necessarily have to answer the OP's question.  It
should be helpful, either to them or to the whole community.  I've said
in short ("one system, one root"), what you explained in more detail,
and we both didn't provide _valuable_ answers (probably, because there
aren't any).

