Thursday, 29 September 2011

Secondary logging of shared-account (root) usage

In a production environment you need to trace what each admin did while logged on to a shared account, e.g. root. After someone types
su -
everything done during that root session has to be logged, and attributed to the person who switched to root.



1. Add the lines below to the file
/root/.bashrc
:
# secondary logging begin
export HISTSIZE=600000
export HISTFILESIZE=600000
export HISTTIMEFORMAT="%F %T %z "
export HISTFILE=/root/.bashhist/root_history-$(who am i | awk '{print $1}')
export PROMPT_COMMAND='history -a'
# secondary logging end

`who am i` prints the utmp entry of the current terminal, i.e. the login name of the admin who opened the session. su and sudo do not rewrite that entry, which is why the history file is named after the original user and not root. HISTTIMEFORMAT makes bash store a timestamp with every command, and PROMPT_COMMAND='history -a' appends each new command to HISTFILE before the next prompt is drawn. Note that `who am i` only works when the shell has a terminal; in a session without one (e.g. `ssh host 'sudo su -'`, cron) it prints nothing and the file would be called just root_history-.


2. Create the directory:
mkdir /root/.bashhist
(/root itself is mode 0550 in the listing below, so other users cannot read the files anyway; a tighter mode on the new directory does no harm.)


3. Now, after `sudo su -` or `su -` from e.g. the jakubn user, a file appears in /root/.bashhist. Because PROMPT_COMMAND runs `history -a` before every prompt, each command is written to the file as soon as the next prompt is shown, so the file exists after the first command and is complete when you type exit to leave the root account.


SCENARIO

[root@redhat6 ~]# ls -la /root
total 132
dr-xr-x---.  7 root root  4096 Sep 29 16:45 .
dr-xr-xr-x. 25 root root  4096 Sep 29 12:06 ..
-rw-------.  1 root root  1749 Apr 14 17:13 anaconda-ks.cfg
drwxr-xr-x.  2 root root  4096 Sep 29 16:46 .bashhist
-rw-------.  1 root root 12734 Sep 29 16:45 .bash_history
-rw-r--r--.  1 root root    18 May 20  2009 .bash_logout
-rw-r--r--.  1 root root   176 May 20  2009 .bash_profile
-rw-r--r--.  1 root root   427 Sep 29 16:45 .bashrc
-rw-r--r--.  1 root root   100 Sep 23  2004 .cshrc


[root@redhat6 .bashhist]# ls -la /root/.bashhist/
total 12
drwxr-xr-x. 2 root root 4096 Sep 29 17:02 .
dr-xr-x---. 7 root root 4096 Sep 29 16:45 ..


[jakubn@redhat6 ~]$ sudo su -
[root@redhat6 .bashhist]# fdisk -l
[root@redhat6 .bashhist]# df -h

Now a new file called root_history-jakubn appears in /root/.bashhist/:
[root@redhat6 .bashhist]# ls -la
total 12
drwxr-xr-x. 2 root root 4096 Sep 29 17:02 .
dr-xr-x---. 7 root root 4096 Sep 29 16:45 ..
-rw-------. 1 root root   41 Sep 29 17:02 root_history-jakubn


[jakubn@redhat6 ~]$ sudo cat /root/.bashhist/root_history-jakubn
#1317308692
fdisk -l
#1317308696
df -h
#1317308698
exit

Now we have a trace of what happened while jakubn was switched to root on the production server. The lines starting with # are the timestamps bash stores when HISTTIMEFORMAT is set (seconds since the epoch; 1317308692 is 2011-09-29 15:04:52 UTC).

Keep in mind what this does and does not give you. It is a convenience audit trail, not a tamper-proof one: whoever is root can delete or edit the files, `unset HISTFILE`, run `set +o history`, start a different shell, or put commands in a script, and none of that will show up here. For accountability that the root user cannot erase, copy the files off the box (e.g. with a log shipper or rsyslog) and, where it matters, record the session at a level root cannot switch off, such as sudo's own logging or the kernel audit subsystem.
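The .bashrc snippet from step 1 packaged as a sourceable function, together with a reader for the history files it produces, as an added example that is not part of the original post. It assumes bash, the /root/.bashhist directory from step 2 and GNU date (used only for the human-readable timestamps); the fallback names SUDO_USER, logname and "unknown" for terminal-less sessions, and the character filter on the name, are this example's own choices, not the post's. The sample history file is constructed inline from the output shown above.

```shell
#!/bin/bash
# Added example (not code from the original post): one root history file per
# invoking admin, as in the post, plus a reader for the timestamped files.
# Assumes bash, /root/.bashhist from step 2 and GNU date for pretty-printing.

# Restrict a name to filename-safe characters so an odd value from utmp or
# SUDO_USER cannot steer HISTFILE outside the history directory (assumption:
# an empty result is treated as "unknown").
safe_name() {
    local s
    s=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9._-')
    [ -n "$s" ] || s=unknown
    printf '%s\n' "$s"
}

# Login name of the admin who switched to root. `who am i` reads utmp for the
# current tty, which su/sudo leave alone. Without a tty it prints nothing, so
# fall back to SUDO_USER, then logname, then "unknown" (this example's choice).
invoker_name() {
    local n
    n=$(who am i 2>/dev/null | awk '{print $1}')
    [ -n "$n" ] || n=$SUDO_USER
    [ -n "$n" ] || n=$(logname 2>/dev/null)
    safe_name "$n"
}

# History file path for an invoker: $1 = invoker, $2 = history directory.
histfile_for() {
    printf '%s/root_history-%s\n' "$2" "$(safe_name "$1")"
}

# The settings from step 1 as a function; call it from /root/.bashrc as
#   secondary_logging_setup /root/.bashhist
secondary_logging_setup() {
    local dir=${1:-/root/.bashhist}
    mkdir -p -m 700 "$dir"
    export HISTSIZE=600000 HISTFILESIZE=600000
    export HISTTIMEFORMAT='%F %T %z '
    export HISTFILE
    HISTFILE=$(histfile_for "$(invoker_name)" "$dir")
    shopt -s histappend                  # never truncate an existing file
    export PROMPT_COMMAND='history -a'   # flush each command at the next prompt
}

# Reader. With HISTTIMEFORMAT set, bash writes "#<epoch>" before each command,
# which is what `cat` showed in the post. Emit "<epoch><TAB><command>" lines.
parse_history() {
    awk '/^#[0-9]+$/ { ts = substr($0, 2); next }
         { printf "%s\t%s\n", ts, $0 }' "$1"
}

# Human-readable rendering; uses GNU date and falls back to the raw epoch.
render_history() {
    local tab when cmd
    tab=$(printf '\t')
    parse_history "$1" | while IFS=$tab read -r when cmd; do
        when=$(date -u -d "@$when" '+%F %T UTC' 2>/dev/null) || when=$when
        printf '%s  %s\n' "$when" "$cmd"
    done
}

# Constructed sample: the file the post shows for jakubn.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' '#1317308692' 'fdisk -l' '#1317308696' 'df -h' \
              '#1317308698' 'exit' > "$SAMPLE"
render_history "$SAMPLE"
```

Sourcing the setup function from /root/.bashrc gives the same result as the post's six export lines, with a usable file name when there is no terminal; `render_history` turns the raw `#epoch` lines into dated entries for review.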