[CentOS] How protect bash history file, do audit alike in server

Wed Aug 8 18:02:23 UTC 2012
Heng Su <ste.suheng at gmail.com>

Hi mark,

    Great! I think those you mentioned is exactly what I want.
Normally, I want to trace which guy got wrong things in server.

     I tried the link that Harold provided find it's a good idea to 
protect log files, however, I want to know is which guy type which command.

     the /var/log/secure is what I want, thank you so much.

     I can not limit the sudo commands , like cp command.

    For instance, a small team 4 developers, we deploy some code file to 
this server, however, someone let say new guy overwrite wrong file. I 
need to trace on it and inform him carefully.


On 08/09/2012 01:42 AM, m.roth at 5-cent.us wrote:
> Heng Su wrote:
>> hello,
>>      I want to protect the history file from deleted for all users except
>> user 'root' can do it, is that possible?
>>      For my server, many users can log in with root from remote through
>> ssh, so I can not trace which guy do wrong things. So I decide to create
>> new account for every users and let them use 'sudo' then I can trace
>> which guy typed which command and what he did. However, even if I create
>> new account for every user, they also can delete the history of them
>> self easily.
>>      How should I do. I believe everyone encountered such things
>> normally. I think there is a gracefully solution for it as I am not
>> experience on server manage. So any suggestions for how to trace user
>> like to write down which user did as an audit trail and let it can not
>> deletable exclude root user?
> So, you've got someone inside, who's doing nasty, or stupid, things?
> The most obnoxious, stupid idea I've had to deal with was a few years ago,
> when the company I was subcontracting for put something in the .profile to
> log every. single. command. a developer issued....
> However, since you've set up sudo for them, their commands should *also*
> be in /var/log/secure. Of course, what you need is a script to grab that,
> and attach to it which user had sudo'd.
> Hmmm, as I type that, I just got to thinking: do they need all root
> privileges, or do specific users only need certain commands? If so, it's
> easy enough to limit what commands they're allowed to run under sudo - man
> sudoers.
>          mark
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Best Regards,
Su Heng