User Auditing

Georgios Magklaras georgios at biotek.uio.no
Thu Sep 23 14:05:02 UTC 2010


On 09/23/2010 03:40 PM, Rob DeSanno wrote:
> This should be an easy question.
>
> I use Logwatch on all of my RHEL servers and would like for it to also
> report on all commands that any user had typed when logged in as well.
> Something along the lines of UID: Command to give me an idea of who was
> doing what at any given period of time.
>
> I tried using snoopy but that gave me much more than I was looking for. I'm
> now playing around with psacct and logger but was curious to know what
> everyone else out there uses to monitor user activity besides looking into
> everyone's history file.
>
> Thanks in advance!
> ~Rob

You might like to take a look at LUARM: http://luarm.sourceforge.net/

It is a new project I am heading and the idea is to target mainly what 
the users are doing at file, network endpoint and process execution 
level. As long as you have a good MySQL box and you are willing to 
install Perl DBI/DBD MySQL, you should get what you want.

A good presentation of what the system is supposed to do and the context 
is here:
http://folk.uio.no/georgios/other/Dagstuhl2010.pdf

(Documentation is under way)

Snoopy is good, but it has an inherent library dependency on the user 
environment that I do not like. Psacct can introduce substantial 
overhead on a busy server. Give LUARM a go and then let me know what you 
think and/or issues you might face in the process of deploying it.

-- 
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535

More information about the redhat-list mailing list