Privileged Command Execution History Reporting

How often have you been asked by management or auditors to show a list of the administrative commands that were executed on a system?
On Solaris 11.3 and earlier, even with auditing properly configured (e.g. with the cusa audit class), you either already had a script or a pricey external tool that filtered the audit trail for you, or you had to do it by hand with auditreduce/praudit and then do whatever was needed to make the result presentable to anyone.
With Solaris 11.4, Oracle ships the admhist utility, which takes all of that manual overhead away and adds useful options to narrow the results down to a certain date, time or type of event.

For a better understanding and overview, here is the help output of the admhist command first:

root@wacken:~# admhist -h
admhist: illegal option -- h
usage:  admhist [-a date-time] [-b date-time] [-d date-time]
         [-t [tags-file:]tag[,tag,...]] [-z zonename] [-v] [audit-trail-file]...
        admhist [-a date-time] [-b date-time] [-d date-time]
         [-t [tags-file:]tag[,tag,...]] [-z zonename] [-v] -R pathname
        Valid date-time formats include:
                today, yesterday
                last week, last month
                last 3 days, last 8 hours

So let's check what was going on over the last 4 hours, for example. The -a option shows entries after the given date-time; in this case (-a "last 4 hours") that is everything within the last 4 hours. If you want every privileged execution before the last 4 hours instead, just use -b instead of -a.

root@wacken:~# admhist -a "last 4 hours"
2018-02-27 09:59:16.190+01:00 /usr/sbin/zfs zfs help
2018-02-27 10:00:22.954+01:00 /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:22.972+01:00 /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:23.474+01:00 /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:24.736+01:00 /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:26.646+01:00 /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:27.237+01:00 /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:33.124+01:00 /usr/sbin/zpool zpool create tpool /var/tmp/f1 /var/tmp/f2
2018-02-27 10:01:25.822+01:00 /usr/sbin/zpool zpool list
2018-02-27 10:01:37.868+01:00 /usr/sbin/quota
2018-02-27 10:03:07.955+01:00 /usr/sbin/zpool zpool create tpool /var/tmp/f1 /var/tmp/f2
2018-02-27 10:03:17.057+01:00 /usr/sbin/zpool zpool status tpool
2018-02-27 10:03:20.037+01:00 /usr/sbin/zfs zfs
2018-02-27 10:03:22.404+01:00 /usr/sbin/zfs zfs help
2018-02-27 10:03:38.249+01:00 /usr/sbin/zpool zpool upgrade
2018-02-27 10:03:40.886+01:00 /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:03:45.684+01:00 /usr/sbin/zpool zpool upgrade -a
2018-02-27 10:04:02.408+01:00 /usr/sbin/zfs zfs upgrade -v
2018-02-27 10:04:05.613+01:00 /usr/sbin/zfs zfs upgrade
2018-02-27 10:04:11.243+01:00 /usr/sbin/zpool zpool help
2018-02-27 10:04:17.903+01:00 /usr/sbin/zpool zpool status
2018-02-27 10:04:21.769+01:00 /usr/sbin/zpool zpool XXX
2018-02-27 10:04:25.335+01:00 /usr/sbin/zpool zpool XXX tpool
2018-02-27 10:04:31.436+01:00 /usr/sbin/zpool zpool XXX tpool /var/tmp/f2
2018-02-27 10:04:33.208+01:00 /usr/sbin/zpool zpool XXX tpool
2018-02-27 10:04:36.321+01:00 /usr/sbin/zpool zpool status
2018-02-27 10:06:02.968+01:00 /usr/sbin/zpool zpool status
2018-02-27 10:06:23.058+01:00 /usr/sbin/zpool zpool XXX tpool /var/tmp/f2 /var/tmp/f3
2018-02-27 10:06:24.896+01:00 /usr/sbin/zpool zpool status
2018-02-27 10:06:32.197+01:00 /usr/sbin/zpool zpool XXX tpool /var/tmp/f2
2018-02-27 10:06:33.828+01:00 /usr/sbin/zpool zpool status
2018-02-27 10:11:18.879+01:00 /usr/sbin/zoneadm -R / list -cp
2018-02-27 10:11:18.962+01:00 /usr/bin/amd64/pkg /usr/bin/64/python2.7 /usr/bin/pkg info entire

To also see the user and hostname, use the -v option:

root@wacken:~# admhist -v -a "last 4 hours"
2018-02-27 09:59:16.190+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zfs zfs help
2018-02-27 10:00:22.954+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:22.972+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:23.474+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:24.736+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:26.646+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:27.237+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:00:33.124+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zpool zpool create tpool /var/tmp/f1 /var/tmp/f2
2018-02-27 10:01:25.822+01:00 muehle@wacken cwd=/var/tmp /usr/sbin/zpool zpool list
2018-02-27 10:01:37.868+01:00 muehle@wacken cwd=/root /usr/sbin/quota
2018-02-27 10:03:07.955+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool create tpool /var/tmp/f1 /var/tmp/f2
2018-02-27 10:03:17.057+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool status tpool
2018-02-27 10:03:20.037+01:00 muehle@wacken cwd=/root /usr/sbin/zfs zfs
2018-02-27 10:03:22.404+01:00 muehle@wacken cwd=/root /usr/sbin/zfs zfs help
2018-02-27 10:03:38.249+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool upgrade
2018-02-27 10:03:40.886+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool upgrade -v
2018-02-27 10:03:45.684+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool upgrade -a
2018-02-27 10:04:02.408+01:00 muehle@wacken cwd=/root /usr/sbin/zfs zfs upgrade -v
2018-02-27 10:04:05.613+01:00 muehle@wacken cwd=/root /usr/sbin/zfs zfs upgrade
2018-02-27 10:04:11.243+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool help
2018-02-27 10:04:17.903+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool status
2018-02-27 10:04:21.769+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool XXX
2018-02-27 10:04:25.335+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool XXX tpool
2018-02-27 10:04:31.436+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool XXX tpool /var/tmp/f2
2018-02-27 10:04:33.208+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool XXX tpool
2018-02-27 10:04:36.321+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool status
2018-02-27 10:06:02.968+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool status
2018-02-27 10:06:23.058+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool add tpool /var/tmp/f2 /var/tmp/f3
2018-02-27 10:06:24.896+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool status
2018-02-27 10:06:32.197+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool XXX tpool /var/tmp/f2
2018-02-27 10:06:33.828+01:00 muehle@wacken cwd=/root /usr/sbin/zpool zpool status
2018-02-27 10:11:18.879+01:00 muehle@wacken cwd=/ /usr/sbin/zoneadm -R / list -cp
2018-02-27 10:11:18.962+01:00 muehle@wacken cwd=/root /usr/bin/amd64/pkg /usr/bin/64/python2.7 /usr/bin/pkg info entire

With no further options given, it simply lists all the privileged commands that were executed.

root@wacken:~# admhist
2017-04-05 06:08:41.307+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 06:09:14.591+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 06:32:58.689+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:04:04.313+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:19:13.614+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:25:20.168+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:25:40.142+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:26:52.158+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:27:10.400+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:27:35.560+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:28:03.857+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:28:59.362+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:31:26.702+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:31:29.059+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:32:09.722+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:32:16.210+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:32:18.050+02:00 /usr/bin/amd64/pkg /usr/bin/64/python2.7 /usr/bin/pkg exact-install --accept --be-name s12_b115 entire@5.12-5.12.0.0.0.117 solaris-small-server@5.12-5.12.0.0.0.117
2017-04-05 07:32:18.051+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:37:52.352+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:51:31.862+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:52:11.834+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 07:55:48.995+02:00 /usr/bin/amd64/pkg /usr/bin/64/python2.7 /usr/bin/pkg install docker
2017-04-05 07:55:48.997+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 08:15:30.826+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 08:15:52.467+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 08:23:38.643+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-05 09:11:41.226+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-24 10:09:59.772+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-24 10:10:02.842+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-24 10:10:17.952+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-24 10:10:18.553+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-24 10:17:04.912+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-24 11:25:39.775+02:00 /usr/lib/svcadm pfexec-auth /usr/sbin/svcadm svcadm disable ocm
2017-04-24 11:27:24.889+02:00 /usr/lib/zfs pfexec-auth /usr/sbin/zfs zfs list -r -o name,used,avail,refer,compressratio,quota,reserv,aclmode,aclinherit,compression,atime,dedup,mounted,mountpoint
2017-04-24 11:28:51.554+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-24 11:28:51.640+02:00 /usr/lib/pkg pfexec-auth /usr/bin/pkg pkg install docker
2017-04-24 11:29:26.933+02:00 /usr/lib/zfs pfexec-auth /usr/sbin/zfs zfs list -r -o name,used,avail,refer,compressratio,quota,reserv,aclmode,aclinherit,compression,atime,dedup,mounted,mountpoint
2017-04-24 11:31:15.562+02:00 /usr/sbin/zfs zfs create -o mountpoint=/var/lib/docker rpool/VARSHARE/docker
2017-04-24 11:31:24.490+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
2017-04-24 11:33:00.123+02:00 /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
...

This is a very handy utility if you ask me: nice and easy to use, especially since you don't have to specify an exact time and date but can pass "last 2 days", "last 48 hours", "last month" or similar instead.

Something like -u (to filter on a certain user/uid) would be a nice additional option, too.
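Since admhist has no per-user filter yet, here is an added shell example (not part of Solaris or of this post) that post-processes the admhist -v line layout shown above (date, time, user@host, cwd=..., binary, arguments) to filter records by user and to summarise executions per user and binary for an audit report; the sample records are constructed, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample in the "admhist -v" layout shown above (not real audit data).
SAMPLE='2018-02-27 09:59:16.190+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zfs zfs help
2018-02-27 10:00:33.124+01:00 muehle@wacken cwd=/export/home/muehle /usr/sbin/zpool zpool create tpool /var/tmp/f1 /var/tmp/f2
2018-02-27 10:03:22.404+01:00 muehle@wacken cwd=/root /usr/sbin/zfs zfs help
2018-02-27 10:11:18.879+01:00 alice@wacken cwd=/ /usr/sbin/zoneadm -R / list -cp
2018-02-27 10:11:18.962+01:00 alice@wacken cwd=/root /usr/bin/amd64/pkg /usr/bin/64/python2.7 /usr/bin/pkg info entire
...'

# Keep only well-formed "admhist -v" records: date time user@host cwd=... binary [args].
# Anything else (usage text, the "..." continuation line) is dropped.
admhist_records() {
    awk 'NF >= 5 && $3 ~ /@/ && $4 ~ /^cwd=/'
}

# admhist_by_user USER: print the records executed by USER (the -u the post asks for).
admhist_by_user() {
    admhist_records | awk -v u="$1" '{ split($3, who, "@"); if (who[1] == u) print }'
}

# admhist_summary: count executions per user and binary, sorted by user then binary.
admhist_summary() {
    admhist_records | awk '{ split($3, who, "@"); n[who[1] " " $5]++ }
                           END { for (k in n) print n[k], k }' | sort -k2,3
}

# Helpers over the constructed sample so the functions can be checked offline.
sample_count_for_user() {
    printf '%s\n' "$SAMPLE" | admhist_by_user "$1" | awk 'END { print NR }'
}
sample_summary_count() {
    printf '%s\n' "$SAMPLE" | admhist_summary | awk -v b="$1" '$3 == b { print $1 }'
}

# Live usage on Solaris 11.4:  admhist -v -a "last 4 hours" | admhist_by_user muehle
```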

Cheers!
