User Auditing

Marti, Robert RJM002 at shsu.edu
Thu Sep 23 20:45:42 UTC 2010



Rob Marti

> 
>   On 09/23/2010 06:43 PM, Marti, Robert wrote:
> > Why is there a browser (text or otherwise) installed on the server?
> This was an example. Servers do not have web browsers? Hah???? I do
> occasionally use an x-session to fire up things on the server, as I do have
> servlet programs that obey only localhost and write web content as non root
> users, so having a web browser on the server does not hurt really and I do
> know of many servers like that.
>

I X11 forward everything that needs it, but having a browser installed is just a bad idea, in my opinion.  I try not to do it ever.  I do, unfortunately, have some boxes that have one installed for various reasons, that I'm in the process of getting removed.
 
> > And the pam bit that logs keystrokes to auditd does log every keypress.
> > And it logs the program you were typing in.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the functionality
> I'm describing.
> >
> > Like I said - I only use it to log for root.  People should not be
> > considering actions done as root to be private
> What I said refers to the whole picture. What you really want to do is to
> correlate events that occur. Logging keystrokes gives you the keyboard
> stream, but does not always help you to correlate what you type and what
> happens at the OS layer. As for privacy, there are reasons that I can tell you
> it's a bad idea to do it. For example, I have found that my sysadmins type
> occasionally sensitive (as opposed to private) info, such as rhn reg keys or ssh
> passwords. These do not really need to be inside a text log file in plain text.
> 

Right - you're correlating events.  You're correlating that root typed vim /etc/sysconfig/iptables, changed a rule from ACCEPT to DROP, ran service iptables restart, and the webserver stopped working.  Using that and /var/log/secure (you are shipping that off too, right?) you can figure out who was logged in, and who elevated to root.

Keylogging gets you more information than you want at times, that's true.  But anything else leaves you open to other ways of running commands that won't be tracked.  Have fun correlating those.
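The correlation step described in this reply (root keystrokes from pam_tty_audit, joined with /var/log/secure to find who logged in and how they became root), as an added worked example that is not code from the thread, from the poster, or from Red Hat. The join key is auid (the login uid), which the kernel fixes at login and which survives su and sudo, so a TTY record with uid=0 auid=500 was typed by whoever logged in as uid 500. Every log line and the passwd excerpt below are constructed; the TTY record layout (keystrokes hex-encoded in data=, a comm= field naming the program reading the terminal), the sshd/su/sudo line formats, and the use of 4294967295 as the unset loginuid are assumptions about the RHEL-era format, and the regexes would need adjusting for other versions.

```python
"""Correlate pam_tty_audit keystroke records with /var/log/secure.

Added example, not from the mailing-list thread. All sample data below is
constructed. Assumptions: auditd writes type=TTY records with keystrokes
hex-encoded in data=, uid=0 marks input that reached a root shell, the
(auid, ses) pair identifies one login session, and 4294967295 is the
unset loginuid seen on cron jobs and daemons."""
import re

AUID_UNSET = 4294967295  # -1 as an unsigned 32-bit value: no login behind this process

# Constructed /etc/passwd excerpt used to resolve auid -> account name.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rmarti:x:500:500::/home/rmarti:/bin/bash
jdoe:x:501:501::/home/jdoe:/bin/bash
"""

# Constructed audit.log excerpt; data= is hex of the keystrokes ("\r" = 0D).
AUDIT_LOG = """\
type=TTY msg=audit(1285274742.101:301): tty pid=4120 uid=0 auid=500 ses=7 major=136 minor=2 comm="bash" data=76696D202F6574632F737973636F6E6669672F69707461626C65730D
type=TTY msg=audit(1285274771.420:302): tty pid=4133 uid=0 auid=500 ses=7 major=136 minor=2 comm="vim" data=3A77710D
type=TTY msg=audit(1285274790.215:303): tty pid=4120 uid=0 auid=500 ses=7 major=136 minor=2 comm="bash" data=736572766963652069707461626C657320726573746172740D
type=TTY msg=audit(1285274801.009:304): tty pid=4210 uid=0 auid=501 ses=9 major=136 minor=3 comm="bash" data=69707461626C6573202D4C0D
type=TTY msg=audit(1285274830.550:305): tty pid=4301 uid=0 auid=4294967295 ses=4294967295 major=136 minor=4 comm="bash" data=69640D
"""

# Constructed /var/log/secure excerpt: SSH logins plus su and sudo elevations.
SECURE_LOG = """\
Sep 23 14:40:01 web1 sshd[4001]: Accepted publickey for rmarti from 10.1.2.3 port 51234 ssh2
Sep 23 14:40:02 web1 sshd[4001]: pam_unix(sshd:session): session opened for user rmarti by (uid=0)
Sep 23 14:40:20 web1 su: pam_unix(su-l:session): session opened for user root by rmarti(uid=500)
Sep 23 14:41:10 web1 sshd[4190]: Accepted password for jdoe from 10.1.2.9 port 40222 ssh2
Sep 23 14:41:30 web1 sudo:   jdoe : TTY=pts/3 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
"""

TTY_RE = re.compile(r'type=TTY msg=audit\((?P<ts>[\d.]+):\d+\): tty pid=(?P<pid>\d+) '
                    r'uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) .*?'
                    r'comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]+)')
SSH_RE = re.compile(r'sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)')
SU_RE = re.compile(r'su: .*session opened for user root by (?P<user>\w+)\(uid=\d+\)')
SUDO_RE = re.compile(r'sudo:\s+(?P<user>\S+) : TTY=\S+ ; .*USER=root ; COMMAND=(?P<cmd>.*)$')


def decode_tty_data(hexdata):
    """Turn the hex keystroke buffer into readable text, marking control keys."""
    out = []
    for b in bytes.fromhex(hexdata):
        if b in (0x0D, 0x0A):
            out.append("<ret>")
        elif b < 0x20 or b == 0x7F:
            out.append("<^%c>" % (b ^ 0x40))   # 0x03 -> <^C>, 0x7F -> <^?>
        else:
            out.append(chr(b))
    return "".join(out)


def parse_passwd(text):
    """uid -> name from passwd-style lines."""
    return {int(f[2]): f[0] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 3}


def parse_audit_tty(text):
    """One dict per type=TTY record, keystrokes already decoded."""
    recs = []
    for line in text.splitlines():
        m = TTY_RE.search(line)
        if m:
            d = m.groupdict()
            recs.append({"ts": float(d["ts"]), "pid": int(d["pid"]), "uid": int(d["uid"]),
                         "auid": int(d["auid"]), "ses": int(d["ses"]), "comm": d["comm"],
                         "keys": decode_tty_data(d["data"])})
    return recs


def parse_secure(text):
    """SSH logins (user -> source IP) and root elevations (user -> list of how)."""
    logins, elevations = {}, {}
    for line in text.splitlines():
        if (m := SSH_RE.search(line)):
            logins[m["user"]] = m["ip"]
        elif (m := SU_RE.search(line)):
            elevations.setdefault(m["user"], []).append("su")
        elif (m := SUDO_RE.search(line)):
            elevations.setdefault(m["user"], []).append("sudo " + m["cmd"])
    return logins, elevations


def correlate(audit_text, secure_text, passwd_text):
    """Group root keystrokes by (auid, ses); attach who logged in, from where, and how they got root."""
    uid_name = parse_passwd(passwd_text)
    logins, elevations = parse_secure(secure_text)
    sessions = {}
    for r in parse_audit_tty(audit_text):
        if r["uid"] != 0:
            continue  # only keystrokes that reached a root shell
        key = (r["auid"], r["ses"])
        if key not in sessions:
            user = None if r["auid"] == AUID_UNSET else uid_name.get(r["auid"])
            sessions[key] = {"auid": r["auid"], "ses": r["ses"], "user": user,
                             "source": logins.get(user), "elevation": elevations.get(user, []),
                             "typed": []}
        sessions[key]["typed"].append("%s: %s" % (r["comm"], r["keys"]))
    return list(sessions.values())


if __name__ == "__main__":
    for s in correlate(AUDIT_LOG, SECURE_LOG, PASSWD):
        who = s["user"] or "UNATTRIBUTED (auid unset: cron, a daemon, or a console login without pam_loginuid)"
        print("%s from %s via %s:" % (who, s["source"], ", ".join(s["elevation"]) or "?"))
        for t in s["typed"]:
            print("    " + t)
```

The third session in the output is the caveat worth keeping in mind: a record with auid unset cannot be tied to any person, so anything that starts root work outside a PAM login (cron, a forgotten screen session, a daemon that spawns a shell) shows up in the keystroke log but not in /var/log/secure, which is the "other ways of running commands" problem this reply is pointing at.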