[CentOS] How protect bash history file, do audit alike in server

Wed Aug 8 17:54:57 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Wed, Aug 8, 2012 at 11:56 AM, Heng Su <ste.suheng at gmail.com> wrote:
>     I want to protect the history file from deleted for all users except
> user 'root' can do it, is that possible?
>     For my server, many users can log in with root from remote through
> ssh, so I can not trace which guy do wrong things. So I decide to create
> new account for every users and let them use 'sudo' then I can trace
> which guy typed which command and what he did. However, even if I create
> new account for every user, they also can delete the history of them
> self easily.
>     How should I do. I believe everyone encountered such things
> normally.

No, it is not a common situation.  Normally you should not let anyone
you don't trust become root.  For fairly obvious reasons...

> I think there is a gracefully solution for it as I am not
> experience on server manage. So any suggestions for how to trace user
> like to write down which user did as an audit trail and let it can not
> deletable exclude root user?

First, why do so many users need the root password?   If they are
developers testing things, give them their own VM to break.  If they
are doing a few routine things, make them log in as themselves and use
restricted sudo commands (i.e. don't permit 'sudo su -'.  In any case,
backups are your friend.  Keep copies of anything you might need
updated with frequent rsync's from a different, more restricted
machine - including the log files you might want to track.

  Les Mikesell
     lesmikesell at gmail.com