I have some garbage, debug output on my screen. It 'looks' like someone has run a specific command on my tty as there appears '[root]$SPECIFICCOMMAND', but I have been present all the time. Others have remote access to this server via a VPN and the root account.
I know the specific command; it is not listed using 'history', so is there any other way to check whether someone has logged on remotely using the root account?
Secondly, why would this command appear on the server screen? Output should be attached to the remote tty, right? Any ideas are welcome.
Usual advice is to disable root logon via ssh (you do use ssh, right?).
Then enable yourself to
    su -
up when you need root access.
Set all root accesses to use sudo, e.g.
    sudo su -
sudo does logging.
Or even better, find out what they actually need (surely they don't need every possible thing on the system as root), change the root password, thus disabling their use of 'su', and make them use 'sudo' instead, after having configured 'sudo' for each of them in such a manner that they can only run the specified, really needed commands with it (no shells, su, sudo or anything that grants them a root shell. It might take some time thinking, but it's worth it, really). The root password should only be known to one person; the rest should just use sudo. Even that one person who knows the root password should use sudo instead, and it's not a bad idea to lock the root account too, to prevent misuse. Using sudo is surely sufficient; spending some time with it is less wasted time than spending time thinking about who just executed something stupid on your system as root, if there are 100 people who knew the root password and they all say they don't know about it.
EDIT: sudo's logging is a handy feature, but know that if the folks have root access, you can't save the logs on the same machine. Have the logs saved onto another machine that is accessible only to you, not to the root folks. This way they can't hide their traces so easily.
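
An added example, not part of any post in this thread: a shell function that pulls out of an authentication log the events the question and the replies turn on (root logins over ssh, commands run through sudo, su sessions opened for root). The function names `root_events` and `sample_log` are hypothetical, the sample lines are constructed, and the patterns assume the common OpenSSH, sudo and PAM syslog formats, which vary between versions.

```shell
#!/bin/sh
# Added example. Sample log lines are constructed; real ones live in
# /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (Red Hat family).

# root_events: read auth-log lines on stdin, print KIND<TAB>WHO<TAB>DETAIL
# for root SSH logins, sudo commands, and su sessions opened for root.
root_events() {
    awk '
    # Return the field following the first field that matches regex "tag".
    function after(tag,   i) {
        for (i = 1; i < NF; i++) if ($i ~ tag) return $(i + 1)
        return "?"
    }
    # Successful ssh login as root: DETAIL is the source address.
    / sshd\[[0-9]+\]: Accepted [^ ]+ for root from / {
        printf "ssh-root\troot\t%s\n", after("^from$"); next
    }
    # sudo command record: WHO is the invoking user, DETAIL the command.
    / sudo(\[[0-9]+\])?: .* COMMAND=/ {
        match($0, /COMMAND=.*/)
        printf "sudo\t%s\t%s\n", after("^sudo(\\[[0-9]+\\])?:$"), substr($0, RSTART + 8)
        next
    }
    # su session for root: WHO is the account that ran su ("?" if not logged).
    / su(\[[0-9]+\])?: .*session opened for user root/ {
        who = after("^by$"); sub(/\(.*/, "", who)
        printf "su-root\t%s\troot session\n", (who == "" ? "?" : who)
    }'
}

# Constructed sample input (not taken from any real system).
sample_log() {
    cat <<'EOF'
Mar  3 10:14:55 srv1 sshd[2211]: Accepted password for root from 10.8.0.23 port 50122 ssh2
Mar  3 10:15:02 srv1 sshd[2230]: Accepted publickey for alice from 10.8.0.31 port 50410 ssh2
Mar  3 10:16:40 srv1 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/su -
Mar  3 10:16:41 srv1 su: pam_unix(su-l:session): session opened for user root by alice(uid=0)
Mar  3 10:20:00 srv1 sshd[2301]: Failed password for root from 10.8.0.99 port 50999 ssh2
EOF
}

sample_log | root_events
```

Run it against the copy of the log held on the separate log host, since a copy on the server itself can be altered by anyone with root.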