Rootsh is a tool that logs everything a user types and sees while working on the system with sudo privileges. This is useful when there is a "WHO DID IT??" situation and you need a record of the commands that were run as root.
To use rootsh, start a shell with logging of input/output. Rootsh must be started via sudo if you want to become root; it does not raise your privileges on its own. You can run rootsh as a standalone application if you only want to log your own user session. If you call rootsh with additional arguments, these are passed on to the shell it starts.
The rootsh source code is available on SourceForge. Download & extract the source code:
[root@centdb /]# tar xvf rootsh-1.5.3.tar.gz
rootsh-1.5.3/
rootsh-1.5.3/contrib/
rootsh-1.5.3/contrib/linux/
rootsh-1.5.3/contrib/linux/rootsh.spec
rootsh-1.5.3/contrib/aix/
rootsh-1.5.3/contrib/aix/rootsh/
rootsh-1.5.3/contrib/aix/rootsh/rootsh/
rootsh-1.5.3/contrib/aix/rootsh/rootsh/config
rootsh-1.5.3/contrib/aix/rootsh/rootsh/root/
rootsh-1.5.3/contrib/aix/rootsh/rootsh/root/usr/
rootsh-1.5.3/contrib/aix/rootsh/rootsh/root/usr/share/
rootsh-1.5.3/contrib/aix/rootsh/rootsh/root/usr/share/man/
rootsh-1.5.3/contrib/aix/rootsh/rootsh/root/usr/share/man/man1/
rootsh-1.5.3/contrib/aix/rootsh/rootsh/root/usr/share/man/man1/copy_your_rootsh.1_here
rootsh-1.5.3/contrib/aix/rootsh/rootsh/root/usr/bin/
rootsh-1.5.3/contrib/aix/rootsh/rootsh/root/usr/bin/COPY_YUR_ROOTSH_BINARY_HERE
------------------------------------------------------------------------------------------------------------------------
Now we configure and compile the source & create the binaries. Note that --disable-syslog keeps the session logs only in local files under /var/log/rootsh; since the logged user becomes root inside the session, they could edit or delete those files, so on a production system you may prefer to leave syslog enabled and forward the log lines to a remote host. --disable-linenumbering turns off the line numbers rootsh would otherwise prefix to the logged output.
[root@centdb rootsh-1.5.3]# ./configure --disable-syslog --disable-linenumbering
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for syslog... no
checking for logfile... enabled
checking for logdir... /var/log/rootsh
checking for maximum logfile size... 0
checking for defaultshell... /bin/bash
checking for gcc... gcc
checking for C compiler default output file name... a.out
------------------------------------------------------------------------------------------------------------------------
[root@centdb rootsh-1.5.3]# make
Making all in src
make[1]: Entering directory `/rootsh-1.5.3/src'
make all-am
make[2]: Entering directory `/rootsh-1.5.3/src'
if gcc -DHAVE_CONFIG_H -I. -I. -I. -g -O2 -Wall -Wstrict-prototypes -Wmissing-declarations -Wnested-externs -Wpointer-arith -pedantic -pedantic -Wstrict-prototypes -MT rootsh.o -MD -MP -MF ".deps/rootsh.Tpo" -c -o rootsh.o rootsh.c; \
then mv -f ".deps/rootsh.Tpo" ".deps/rootsh.Po"; else rm -f ".deps/rootsh.Tpo"; exit 1; fi
rootsh.c:183: warning: function declaration isn't a prototype
rootsh.c:299:2: warning: C++ style comments are not allowed in ISO C90
rootsh.c:299:2: warning: (this will be reported only once per input file)
rootsh.c: In function 'main':
rootsh.c:345: warning: ISO C90 forbids mixed declarations and code
------------------------------------------------------------------------------------------------------------------------
[root@centdb rootsh-1.5.3]# make install
Making install in src
make[1]: Entering directory `/rootsh-1.5.3/src'
make[2]: Entering directory `/rootsh-1.5.3/src'
test -z "/usr/local/bin" || mkdir -p -- "/usr/local/bin"
/usr/bin/install -c 'rootsh' '/usr/local/bin/rootsh'
make[2]: Nothing to be done for `install-data-am'.
make[2]: Leaving directory `/rootsh-1.5.3/src'
make[1]: Leaving directory `/rootsh-1.5.3/src'
make[1]: Entering directory `/rootsh-1.5.3'
make[2]: Entering directory `/rootsh-1.5.3'
make[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/man/man1" || mkdir -p -- "/usr/local/man/man1"
/usr/bin/install -c -m 644 './rootsh.1' '/usr/local/man/man1/rootsh.1'
make[2]: Leaving directory `/rootsh-1.5.3'
make[1]: Leaving directory `/rootsh-1.5.3'
------------------------------------------------------------------------------------------------------------------------
Create the directory /var/log/rootsh (the logdir shown in the configure output above) where rootsh will store all its logs. It should be owned by root and not be writable by ordinary users:
# mkdir /var/log/rootsh
Now, for the users with sudo access whose sessions you'd like to log via rootsh, add the following line at the end of their .bash_profile, as I've done below for user test:
[root@centdb rootsh]# cat /home/test/.bash_profile
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
export PATH
sudo /usr/local/bin/rootsh
Now log in to the system as the user & run some commands. Rootsh will log the commands as shown below. Two things to keep in mind: because rootsh is started from .bash_profile without exec, the user drops back into an unlogged login shell when the rootsh session ends (use exec sudo /usr/local/bin/rootsh if you want the login session to end together with the logged session), and because the user owns .bash_profile, this line is a convenience rather than an enforcement; to enforce logging, restrict the user's sudo rights in sudoers to /usr/local/bin/rootsh instead of a general root shell.
[root@centdb rootsh]# pwd
/var/log/rootsh
[root@centdb rootsh]# ll
total 4
--w-r-s--x 1 root root 865 Sep 18 23:51 test.20160918235054.0b36c.closed
[root@centdb rootsh]# cat test.20160918235054.0b36c.closed
rootsh session opened for test as root on /dev/pts/2 at Sun Sep 18 23:50:54 2016
[root@centdb test]# sudo su -
[root@centdb ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 18G 11G 5.9G 65% /
tmpfs 495M 255M 240M 52% /dev/shm
/dev/sda1 283M 37M 232M 14% /boot
.host:/ 369G 144G 225G 39% /mnt/hgfs
[root@centdb ~]# date
Sun Sep 18 23:51:10 PDT 2016
[root@centdb ~]# uptime
23:51:11 up 4:13, 3 users, load average: 2.35, 1.68, 0.77
[root@centdb ~]# hostname
centdb
[root@centdb ~]# logout
[root@centdb test]# exit
*** rootsh session ended by user
rootsh session closed for test on /dev/pts/2 at Sun Sep 18 23:51:20 2016
[root@centdb rootsh]#
The file name test.20160918235054.0b36c.closed breaks down as:
<user>.<timestamp YYYYMMDDhhmmss>.<PID>.<session status>
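As an added example (not part of rootsh or of this post), here is a small POSIX shell script that uses the file-name layout above together with the "rootsh session opened/closed" header and footer lines rootsh writes into each log to answer the "who did it" question for a whole log directory: for every session file it reports the user, PID, status, which account they became, the tty, start and end time, and how many commands were typed at a prompt. The sample session file it creates is constructed from the log shown above; a real rootsh log is a raw terminal capture and may also contain control sequences, so the command count assumes the file has been cleaned (the header and footer lines are parsed either way).

```shell
#!/bin/sh
# Added example: summarise rootsh session logs. Assumes the file-name layout
# <user>.<timestamp>.<PID>.<status> and the "rootsh session opened for ..." /
# "rootsh session closed for ..." lines rootsh writes at the start and end of
# each log. The sample log below is constructed from the page's example session.

# Split a rootsh log file name into its four fields: user timestamp pid status
rootsh_fname_fields() {
    name=$(basename "$1")
    user=${name%%.*};  rest=${name#*.}
    stamp=${rest%%.*}; rest=${rest#*.}
    pid=${rest%%.*};   status=${rest#*.}
    printf '%s %s %s %s\n' "$user" "$stamp" "$pid" "$status"
}

# One line per session file in a log directory:
#   user pid status became tty opened_at closed_at commands
# "became", "tty" and the times come from the header/footer lines; "commands"
# counts prompt lines ("[...]# cmd" or "[...]$ cmd") that have something after
# the prompt, i.e. commands the user actually typed (assumes a cleaned log).
rootsh_sessions() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(rootsh_fname_fields "$f")
        awk -v user="$1" -v pid="$3" -v status="$4" '
            /^rootsh session opened for / { became=$7; tty=$9; opened=$14; next }
            /^rootsh session closed for / { closed=$12; next }
            /^\[[^]]+\][#$] ./            { cmds++ }
            END { printf "%s %s %s %s %s %s %s %d\n",
                         user, pid, status, became, tty, opened, closed, cmds+0 }
        ' "$f"
    done
}

# Build a temporary log directory holding a constructed copy of the session
# shown in the post, and print the directory name.
rootsh_make_sample() {
    d=$(mktemp -d)
    cat > "$d/test.20160918235054.0b36c.closed" <<'EOF'
rootsh session opened for test as root on /dev/pts/2 at Sun Sep 18 23:50:54 2016
[root@centdb test]# sudo su -
[root@centdb ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 18G 11G 5.9G 65% /
[root@centdb ~]# date
Sun Sep 18 23:51:10 PDT 2016
[root@centdb ~]# hostname
centdb
[root@centdb ~]# logout
[root@centdb test]# exit
*** rootsh session ended by user
rootsh session closed for test on /dev/pts/2 at Sun Sep 18 23:51:20 2016
EOF
    printf '%s\n' "$d"
}

# Usage: rootsh_sessions /var/log/rootsh
# With the constructed sample above it prints:
#   test 0b36c closed root /dev/pts/2 23:50:54 23:51:20 6
```

Run it against /var/log/rootsh (as root, since the log files are not readable by ordinary users) to get a one-line-per-session overview; to see what was typed in a given session, open that file directly.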