From Mandriva Community Wiki

Admin Changelogs

If you can think of better ways to do this, please feel free to email me at jcllings(at n0spam)javahop(d0t)com. I would love to hear your suggestions. Also feel free to correct any mistakes you see, but again please notify me.

This method has some advantages and disadvantages. On the disadvantage side, you can't force anyone to use it. Second, it creates large log files. On the advantage side, the log files are comprehensive. Not only will you be able to see what commands were executed but you will also see what the results were, what help pages you were reading at the time, etc.


Change Logs

So I was looking around for a way to keep track of all the changes made by an admin user and when they were made. I also wanted to be able to use a keystroke to send a process into the background so that I could log off and leave the process running. The problem was that I kept forgetting to use the screen command before starting my process. Anyway, this was my answer to these problems:

[root@enigma 0 root]# cat .bash_profile 
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

mesg y

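# Record the tty used to log in, e.g. /dev/pts/0 becomes logon@pts0
loginTTY=`tty | sed 's/\///g'`

loginTTY=`echo "logon@$loginTTY" | sed 's/dev//'`

export loginTTY

# Start or reattach screen; log out once screen exits or is detached
screen -RR -c "$HOME/.screenrc"; exit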

In the .bash_profile above, the first thing I do is create and export a shell variable that represents what tty was used to log in. Note that the new screen session will have a different tty but this is OK. We are only interested in the one used to log in for the purpose of keeping our logs straight. Next I start screen so that it will reconnect if detached but also I load the default .screenrc each time so that the shell variable will be evaluated each time a screen is created. This is how we get log files that are specific to terminals as well as windows. You can see where I use the shell variable in the .screenrc file below on the logfile line.

# .screenrc

hardcopy_append on
startup_message off
logtstamp on
hardcopydir $HOME/.screen
deflog on
compacthist on
time "%D %d %M %c"
verbose on
caption string "%w"
logfile $HOME/.screen/screen.$loginTTY.wind%.log
hardstatus alwayslastline "%{b}[ %{B}%H %{b}][ %{w}%?%-Lw%?%{b}(%{W}%n*%f %t%?(%u)%?%{b})%{w}%?%+Lw%?%?%= %{b}][%{B} %d %M %Y %{W}%C%a %{b}]"

For security purposes, I've set the .screen directory to chmod 700, as there may be passwords stored here if an administrator is careless. What's left? This takes care of all interactive BASH logons, but we have a problem with users using su instead of su - (plain su does not start a login shell, so root's .bash_profile is never read and screen is not started). My answer to this was to create an alias in the user's .bashrc. If you want it to be global to all users local to the system in question, add the alias to /etc/profile instead. To wit:

[root@enigma 0 root]# cat /home/njim/.bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi

alias su="su -"

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH
unset USERNAME

The assumption is that the user in question is someone who is supposed to have administrative access; otherwise it would be best to deny them access to the su command altogether. Remember that if you want users to have this, you'll have to change the files in the users' home directories and possibly also the files in /etc/skel.

One last thing remains. What we have here is a system that creates log files. That means we need to rotate them with an appropriate logrotate entry. Add a file named rootscreens with the contents below to /etc/logrotate.d:

/root/.screen/*.log {
    rotate 2
    compress
    nocreate
    missingok
    size 3M
}


Browsing your logs

There is one problem with the logs produced. They contain ANSI control code sequences, which means that we have to take special measures in order to read them. One of the best ways is to use less -fR [filename].
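
When the logs need to be searched rather than paged, for example to find when a particular command was run, the control sequences have to be removed first. The script below is an added example, not part of the original wiki page. The function names strip_screen_log and search_screen_logs are hypothetical, and it assumes the screen.*.log naming from the logfile line above and the .gz suffix that logrotate's compress option gives rotated files.

```sh
#!/bin/sh
# Added example (not from the original page): search screen session logs as text.

# strip_screen_log: stdin -> stdout, removing terminal control sequences.
strip_screen_log() {
    esc=$(printf '\033')  # ESC, starts every control sequence
    bel=$(printf '\007')  # BEL, ends xterm window-title sequences
    bs=$(printf '\010')   # backspace, left by command-line corrections
    cr=$(printf '\015')   # carriage return before each newline
    # In order: title sequences (BEL- or ESC\-terminated), CSI sequences
    # (colours, cursor movement), charset selection, keypad mode, trailing
    # CR, then each "character + backspace" pair until none remain.
    LC_ALL=C sed \
        -e "s|${esc}][^${bel}${esc}]*${bel}||g" \
        -e "s|${esc}][^${bel}${esc}]*${esc}\\\\||g" \
        -e "s|${esc}\[[0-?]*[ -/]*[@-~]||g" \
        -e "s|${esc}[()][0-9A-Za-z]||g" \
        -e "s|${esc}[=>]||g" \
        -e "s|${cr}*\$||" \
        -e ':a' -e "s|[^${bs}]${bs}||" -e 'ta' \
        -e "s|${bs}||g"
}

# search_screen_logs PATTERN [DIR]: grep current and rotated logs in DIR
# (default $HOME/.screen) and print matches as file:line-number:text.
search_screen_logs() {
    pattern=$1
    dir=${2:-$HOME/.screen}
    for f in "$dir"/screen.*.log*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz) gzip -dc -- "$f" ;;   # rotated and compressed by logrotate
            *)    cat -- "$f" ;;
        esac | strip_screen_log | grep -n -e "$pattern" |
            while IFS= read -r line; do
                printf '%s:%s\n' "$f" "$line"
            done
    done
}
```

The cleaned output holds the same text as the raw logs, including any password typed at a prompt that echoed it, so anything saved from it needs the same chmod 700 protection as the .screen directory.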


For further reading
