Secondary logging saves the output of the history command of every user as a log file. In this practical, we will set up secondary logging for all users, including root. Secondary logging helps during an audit: you can find out on which date and at what time a user ran a command.
It has been a long time since I last reworked the secondary logging method, and this time I am sharing it with two scenarios. Read our earlier post on secondary logging, written a few years ago.
Practical performed and tested on
Operating System: Linux (RHEL, CentOS, Debian, Ubuntu, Linux Mint)
Arch: x86 and x86_64
Pros and Cons of Using Secondary Logging
Pros:
1. The history of commands of all users on the system is saved, for example under /var/log.
2. Even when a user becomes super user with sudo su - or su -, secondary logging still saves that user's command history as a log.
3. Whatever commands the user runs after becoming super user are logged too.
4. No package installation is required.
5. Even if a user tries to remove the secondary logging logs, that attempt is logged as well.
6. You can extend it with your own ideas and make it more innovative; an understanding of bash is required.
7. You can also ship the secondary logging logs to a remote location, for example an rsyslog server or an S3 bucket.
Cons:
Secondary logging does not save the history command logs in real time. Only when the user exits the terminal or gets disconnected is the log saved.
Setup Secondary Logging
1. Setting up secondary logging for super users and root.
2. Setting up secondary logging for other users, except root/super user.
Setup secondary logging for root and super user
The settings are quite simple, and they log the history command output of the super user or root. The advantage here is that when a user switches to super user and works as root, the secondary log is still saved, and the log file name shows which user became super user.
Let's start setting up the secondary log for root and super user.
1. Create a directory to save the logs of secondary logging.
mkdir -p /var/log/sudo_historylogs/
2. Edit /root/.bashrc
vi /root/.bashrc
And paste the content given below into /root/.bashrc.
# Keep a large history with a date/time stamp on every entry
export HISTSIZE=10000
export HISTTIMEFORMAT='%F %T '
# "who am i" reports the user who logged in on this terminal, so the file is
# named after the original user even after "sudo su -" or "su -"
export HISTFILE=/var/log/sudo_historylogs/history-sudo-$(who am i | awk '{print $1}')-$(date +%F)
# Append every command to the file as soon as the next prompt is drawn
export PROMPT_COMMAND='history -a'
3. Activate the settings.
source /root/.bashrc
That's it. Logging now starts. To test it, log in as a normal user, become super user, run some commands and exit. Check that a new log file has been created inside /var/log/sudo_historylogs. Open the newly created log file and you will see the commands run by the user written there.
Setup secondary logging for other users except root
The logic is the same as described above, with only one change: we create a new log directory for the other users, who are not super user or root. Also, we do not log the root user here.
Follow the steps given below.
1. Create a directory for logging the other users.
mkdir -p /var/log/users_historylogs/
2. Make the directory writable by all users and set the sticky bit on it, so every user can create their own log file but cannot delete another user's file (a root-owned directory with the default 755 mode would not let non-root users write their logs).
chmod 1777 /var/log/users_historylogs/
3. Create a new script inside /etc/profile.d/
vi /etc/profile.d/history_log.sh
And paste the content below into the /etc/profile.d/history_log.sh file, then save and exit.
# Name of the user who logged in on this terminal (unchanged by su/sudo)
_who_am_i=$(who am i | awk '{print $1}')
_ID=$(id -u "$_who_am_i" 2>/dev/null)
# Only non-root users (UID greater than 0) are logged here. Note that -gt is
# required: a bare ">" inside [ ] is a shell redirection, not a comparison.
if [ -n "$_ID" ] && [ "$_ID" -gt 0 ]
then
    export HISTSIZE=10000
    export HISTTIMEFORMAT='%F %T '
    export HISTFILE=/var/log/users_historylogs/history-users-$_who_am_i-$(date +%F)
    export PROMPT_COMMAND='history -a'
fi
Set the permissions. The script must be readable by every user, because /etc/profile only sources the files in /etc/profile.d/ that the logging-in user can read; a mode such as 770 would silently skip it for all non-root users.
chmod 644 /etc/profile.d/history_log.sh
4. Activate the script
source /etc/profile.d/history_log.sh
Now we have completed the settings for both scenarios, i.e. for super users and for other users.
To test the secondary logging, log in as any user other than root. Run some commands and exit.
Log back in as root and check the /var/log/users_historylogs/ directory. You will find that new log files have been generated. Open a file and read it; you will find the history of the commands used by the user who last logged in.
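Once the log files exist, the following script (added here as an example; it is not part of the original post) turns them into an audit listing. With HISTTIMEFORMAT set, bash writes each command as two lines, "#<epoch seconds>" followed by the command itself; the script converts that into user, UTC timestamp and command, taking the user name from the file-name convention used above. The sample log it builds is constructed, and it assumes GNU date for the "-d @epoch" conversion.

```shell
# Derive the login name from the file name convention used above:
# history-users-<user>-<YYYY-MM-DD> or history-sudo-<user>-<YYYY-MM-DD>.
user_from_logname() {
    base=$(basename "$1")
    base=${base#history-users-}
    base=${base#history-sudo-}
    printf '%s\n' "${base%-????-??-??}"
}

# Print one line per command: user<TAB>YYYY-MM-DD HH:MM:SS<TAB>command.
# A command without a preceding "#epoch" marker (written before
# HISTTIMEFORMAT was in effect) is reported with an empty timestamp.
render_history_log() {
    file=$1
    user=$(user_from_logname "$file")
    ts=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'[0-9]*)
                # bash timestamp marker such as "#1700000000" (GNU date)
                ts=$(date -u -d "@${line#?}" '+%F %T')
                ;;
            *)
                printf '%s\t%s\t%s\n' "$user" "$ts" "$line"
                ts=""
                ;;
        esac
    done < "$file"
}

# Constructed sample file in the format bash writes with HISTTIMEFORMAT set;
# prints the path of the file it created.
make_sample_log() {
    dir=$(mktemp -d)
    printf '#1700000000\nls -l /etc\n#1700000042\nsudo su -\n' \
        > "$dir/history-users-alice-2023-11-14"
    printf '%s\n' "$dir/history-users-alice-2023-11-14"
}

# Usage: render every log of the non-root users (directory from the setup above)
# for f in /var/log/users_historylogs/history-users-*; do render_history_log "$f"; done
```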