May 3, 2007

Rootsh terminal logger keeps watch on root users

Author: Anže Vidmar

Rootsh is a shell that logs everything a root user sees on his terminal. This is useful if more than one system administrator works on a server and you want a record of exactly what each of them does as root. Despite the fact that the latest rootsh release dates from March 2005, it still does its job well.

Download the rootsh source code and unpack it in the /usr/local directory with a command like tar xvfz rootsh-1.5.2.tar.gz. At this point you must decide some important things before you start building the binaries. Read the INSTALL file in the extracted rootsh directory, where all the choices are documented. I chose to put rootsh's log files in the standard place, /var/log, not to log to syslog as well, and not to have line numbers written into the log files. At this point you're ready to build the binaries with configure, make, and make install, using arguments to specify the choices you've made:


~# ./configure --disable-syslog --disable-linenumbering
~# make
~# make install

After you've installed the binaries, your system is almost ready. You only need to create the directory rootsh expects under /var/log -- mkdir /var/log/rootsh -- so that it has somewhere to write its log files. This step is not documented, but it's a must. Since the logs reproduce entire root sessions, keep that directory owned by root with mode 0700. Bear in mind, though, that anyone inside a rootsh session is root and can delete or edit these local files; building with --disable-syslog gives up the one channel (syslog, which a syslog daemon can forward to a remote host) that would put a copy beyond their reach.

Suppose you have three sysadmins who need to administer a specific server. Create a local user for each, and disable root login through SSH. Each admin then runs sudo rootsh to get a root shell, and rootsh logs everything from that point on. To make life easier, you can put this command in each user's .bash_profile so that a logged root session starts at login. Note that .bash_profile belongs to the user and is only read by interactive login shells, so this is a convenience rather than an enforcement mechanism; if the logging must be mandatory, make rootsh the only command the users' sudoers entry allows them to run. Every time rootsh starts it creates a new log file under /var/log/rootsh. Log file names have the following structure:


<user>.<date><time>.<process id>

In my case, if I list the content of the rootsh folder, I see files like this:


anze.20070424152131.02200.closed
raul.20070424170145.02218.closed
pablo.20070425223341.02286.closed
pablo.20070425225359.02a9f.closed

The formatting in each log file looks exactly the same as what the user sees on his terminal.
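A small audit helper for that naming scheme, added here as an example and not part of the article or of rootsh itself. It parses a directory listing into per-user session records, flags files that lack the .closed suffix (assumed here to be sessions still running, which the article does not show), and decodes the process-id field as hexadecimal, since the `02a9f` in the listing above cannot be a decimal number. The listing it runs on is constructed, modelled on the article's file names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed listing of /var/log/rootsh, modelled on the article's example
# names. The entry without ".closed" is assumed (not shown in the article) to be
# a session that has not ended yet; "README" is a stray file that must be skipped.
SAMPLE_LISTING = """
anze.20070424152131.02200.closed
raul.20070424170145.02218.closed
pablo.20070425223341.02286.closed
pablo.20070425225359.02a9f.closed
raul.20070426091502.02b10
README
"""

# <user>.<YYYYmmddHHMMSS>.<pid>[.closed]
# The pid field is treated as hexadecimal: "02a9f" cannot be decimal.
NAME_RE = re.compile(
    r"^(?P<user>[^.]+)\.(?P<stamp>\d{14})\.(?P<pid>[0-9a-fA-F]+)(?P<closed>\.closed)?$"
)


def parse_name(name):
    """Return a session record for one rootsh log file name, or None if it does not fit."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "started": datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S"),
        "pid": int(m.group("pid"), 16),
        "closed": m.group("closed") is not None,
        "file": name,
    }


def parse_listing(text):
    """Split a directory listing into (sessions, names that did not parse)."""
    sessions, skipped = [], []
    for name in text.split():
        rec = parse_name(name)
        if rec is None:
            skipped.append(name)
        else:
            sessions.append(rec)
    return sessions, skipped


def sessions_by_user(sessions):
    """Group sessions per admin, oldest first, so each user's history reads top to bottom."""
    by_user = defaultdict(list)
    for rec in sessions:
        by_user[rec["user"]].append(rec)
    for recs in by_user.values():
        recs.sort(key=lambda r: r["started"])
    return dict(by_user)


def open_sessions(sessions):
    """Files without the .closed suffix: root shells that were not cleanly ended."""
    return [rec for rec in sessions if not rec["closed"]]


def sessions_started_between(sessions, start, end):
    """Who opened a root shell in a given window, e.g. around a suspicious change."""
    return [rec for rec in sessions if start <= rec["started"] <= end]


if __name__ == "__main__":
    sessions, skipped = parse_listing(SAMPLE_LISTING)
    for user, recs in sorted(sessions_by_user(sessions).items()):
        print(f"{user}: {len(recs)} session(s), last started {recs[-1]['started']}")
    for rec in open_sessions(sessions):
        print(f"still open: {rec['file']} (pid {rec['pid']})")
    for name in skipped:
        print(f"ignored: {name}")
```

Run against a real directory by feeding it the output of ls /var/log/rootsh; a file that never gains the .closed suffix is worth a look, because it either belongs to a session that is still running or to one that ended without rootsh being able to finish its log.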

So there you have it. If you don't trust your sysadmins, or if you're just a control freak and want a complete overview of what is going on with your system, you can't go wrong with rootsh.
