Hi mark, Great! I think those you mentioned is exactly what I want. Normally, I want to trace which guy got wrong things in server. I tried the link that Harold provided find it's a good idea to protect log files, however, I want to know is which guy type which command. the /var/log/secure is what I want, thank you so much. I can not limit the sudo commands , like cp command. For instance, a small team 4 developers, we deploy some code file to this server, however, someone let say new guy overwrite wrong file. I need to trace on it and inform him carefully. thanks. On 08/09/2012 01:42 AM, m.roth at 5-cent.us wrote: > Heng Su wrote: >> hello, >> >> I want to protect the history file from deleted for all users except >> user 'root' can do it, is that possible? >> For my server, many users can log in with root from remote through >> ssh, so I can not trace which guy do wrong things. So I decide to create >> new account for every users and let them use 'sudo' then I can trace >> which guy typed which command and what he did. However, even if I create >> new account for every user, they also can delete the history of them >> self easily. >> >> How should I do. I believe everyone encountered such things >> normally. I think there is a gracefully solution for it as I am not >> experience on server manage. So any suggestions for how to trace user >> like to write down which user did as an audit trail and let it can not >> deletable exclude root user? > So, you've got someone inside, who's doing nasty, or stupid, things? > > The most obnoxious, stupid idea I've had to deal with was a few years ago, > when the company I was subcontracting for put something in the .profile to > log every. single. command. a developer issued.... > > However, since you've set up sudo for them, their commands should *also* > be in /var/log/secure. Of course, what you need is a script to grab that, > and attach to it which user had sudo'd. > > Hmmm, as I type that, I just got to thinking: do they need all root > privileges, or do specific users only need certain commands? If so, it's > easy enough to limit what commands they're allowed to run under sudo - man > sudoers. > > mark > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos -- Best Regards, Su Heng