User Auditing

Georgios Magklaras georgios at biotek.uio.no
Thu Sep 23 20:04:58 UTC 2010 

  On 09/23/2010 06:43 PM, Marti, Robert wrote:
> Why is there a browser (text or otherwise) installed on the server?
This was an example. Servers do not have web browsers? Hah???? I do 
occassionally use an x-session to fire up things on the server, as I do 
have servlet programs that obey only localhost and write web content as 
non root users, so having a web browser on the server does not hurt 
really and I do know of many servers like that.

> And the pam bit that logs keystrokes to auditd does log every keypress.
> And it logs the program you were typing in.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the functionality I'm describing.
>
> Like I said - I only use it to log for root.  People should not be considering actions done as root to be private
What I said refers to the whole picture. What you really want to do is 
to correlate events that occur. Logging keystrokes gives you the 
keyboard stream, but does not always help you to correlate what you type 
and what happens at the OS layer. As for privacy, there are reasons that 
I can tell you it's a bad idea to do it. For example, I have found that 
my sysadmins type occasionally sensitive (as opposed to private) info, 
such as rhn reg keys or ssh passwords. These do not really need to be 
inside a text log file in plain text.

Cheers,
GM

> Rob Marti
>
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>> bounces at redhat.com] On Behalf Of Georgios Magklaras
>> Sent: Thursday, September 23, 2010 11:12 AM
>> To: General Red Hat Linux discussion list
>> Subject: Re: User Auditing
>>
>>    Auditing keystrokes will not always reveal the whole picture and is VERY
>> intrusive for people. How are you going to correlate (and prove) that when
>> you type something like http://www.abadsite.com , you are typing it on the
>> descriptor of the web browser and not a text word processor. Too much
>> noise for the data and too much invasion to privacy, never saw the point
>> really apart from folk that due keystroke based user authentication, which is
>> very error prone and it logs only some keystrokes to work, not everything.
>>
>> GM
>>
>> On 09/23/2010 05:41 PM, Marti, Robert wrote:
>>> I'm a fan of auditing root keystrokes and shipping them off the box - you
>> can see what happens if your server gets compromised or if you have a
>> disgruntled employee by setting up alerts on the log correlation box.  Plus it
>> allows a historical view of an event that bash_history doesn't always -
>> especially if the admin doesn't use a shell that has a history.  Auditing normal
>> users, however, typically isn't worth it.
>>> Rob Marti
>>> Systems Administrator
>>> Sam Houston State University
>>> 936-294-3804 // rob at shsu.edu
>>>
>>>
>>>> -----Original Message-----
>>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>>>> bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
>>>> Sent: Thursday, September 23, 2010 10:29 AM
>>>> To: General Red Hat Linux discussion list
>>>> Subject: RE: User Auditing
>>>>
>>>> Marti, Robert wrote:
>>>>> I haven't tried them, but do these track executing shell commands
>>>>> from inside vim or other editors?  Or other ways of running commands?
>>>>> (write a script, run it, delete the script)
>>>>>
>>>> It also strikes me as a) a great way to create an overwhelming amount
>>>> of data; b) useless - consider the user edits a script, suspends the
>>>> editing session, runs the script, forgrounds the editing session, and
>>>> undoes whatever code they put in. Oh, and c) over-the-top Big
>>>> Brother; I mean, there's oversight, and there's this: if there's this
>>>> mistrust of the employees, then perhaps management should either hire
>>>> trustworthy employees, or only allow trusted employees to work on the
>> systems.
>>>>             mark, *not* a fan of the idea.
>>>>>> -----Original Message-----
>>>>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>>>>>> bounces at redhat.com] On Behalf Of Zbynek Vymazal
>>>>>> Sent: Thursday, September 23, 2010 9:20 AM
>>>>>> To: General Red Hat Linux discussion list
>>>>>> Subject: RE: User Auditing
>>>>>>
>>>>>> Hi Rob,
>>>>>>
>>>>>> I'm logging command history of every user to remote syslog server.
>>>>>> It requires two steps on client side:
>>>>>>
>>>>>> 1) Add following function to /etc/profile:
>>>>>>
>>>>>> function history_to_syslog
>>>>>> {
>>>>>>      declare command
>>>>>>      command=$(fc -ln -0)
>>>>>>      logger -p local7.notice -t bash -i -- $USER : $command } trap
>>>>>> history_to_syslog DEBUG
>>>>>>
>>>>>> 2) Configure local syslog to resend logs to remote syslog
>>>>>> (/etc/syslog-
>>>>>> ng/syslog-ng.conf):
>>>>>>
>>>>>> # Send local messages to central syslog server
>>>>>>
>>>>>> filter f_filter7   { facility(local7); };
>>>>>> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); }; log {
>>>>>> source(s_sys); filter(f_filter7); destination(d_syslog_server); };
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Zbynek Vymazal
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>>>>>> bounces at redhat.com] On Behalf Of Rob DeSanno
>>>>>> Sent: Thursday, September 23, 2010 15:40
>>>>>> To: General Red Hat Linux discussion list
>>>>>> Subject: User Auditing
>>>>>>
>>>>>> This should be an easy question.
>>>>>>
>>>>>> I use Logwatch on all of my RHEL servers and would like for it to
>>>>>> also report on all commands that any user had typed when logged in
>>>>>> as well.
>>>>>> Something along the lines of UID: Command to give me an idea of who
>>>>>> was doing what at any given period of time.
>>>>>>
>>>>>> I tried using snoopy but that gave me much more than I was looking
>> for.
>>>>>> I'm
>>>>>> now playing around with psacct and logger but was curious to know
>>>>>> what everyone else out there uses to monitor user activity besides
>>>>>> looking into everyone history file.
>>>>>>
>>>>>> Thanks in advance!
>>>>>> ~Rob
>>>>>> --
>>>>>> redhat-list mailing list
>>>>>> unsubscribe mailto:redhat-list-
>>>> request at redhat.com?subject=unsubscribe
>>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>>>>
>>>>>> --
>>>>>> redhat-list mailing list
>>>>>> unsubscribe mailto:redhat-list-
>>>> request at redhat.com?subject=unsubscribe
>>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>>> --
>>>>> redhat-list mailing list
>>>>> unsubscribe
>>>>> mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>>>
>>>> --
>>>> redhat-list mailing list
>>>> unsubscribe mailto:redhat-list-
>> request at redhat.com?subject=unsubscribe
>>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>
>> --
>> --
>> George Magklaras
>> Senior Systems Engineer/IT Manager
>> Biotek Center, University of Oslo
>> EMBnet TMPC Chair
>>
>> http://folk.uio.no/georgios
>>
>> Tel: +47 22840535
>>
>>
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list


-- 
--
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535

More information about the redhat-list mailing list