
Re: Command logging after 'su'



Bash history is editable, so effectively useless for auditing. On top of that, by default, even if they don't unset the histfile or use one of the many other ways to clear the entries, only the last exited session actually writes to the histfile. It also doesn't catch what happens if a user opens a shell through another method (i.e. sudo vim, then open a shell).

PAM auditing will catch all of that as long as audit.log is being shipped off the server.

Sent from my iPhone

On Sep 22, 2010, at 11:00 AM, "Elliott, Andrew" <Andrew Elliott istat ca> wrote:

> ...Should be in the .history (bash) file, no?
> 
> You should try to get them to use 'sudo'.  That will capture all the commands in the users' .bash_history rather than root's...
> 
> -----Original Message-----
> From: redhat-list-bounces redhat com [mailto:redhat-list-bounces redhat com] On Behalf Of Marti, Robert
> Sent: Wednesday, September 22, 2010 11:41 AM
> To: przemolicc poczta fm; General Red Hat Linux discussion list
> Subject: Re: Command logging after 'su'
> 
> PAM can be configured to log every key a user presses via the audit daemon. This, however, is useless unless you ship logging off the box.
> 
> Sent from my iPhone
> 
> On Sep 22, 2010, at 10:36 AM, "przemolicc poczta fm" <przemolicc poczta fm> wrote:
> 
>> Hi,
>> 
>> We have user 'u1' which can do 'su - root'.
>> Is it possible to log all commands run by this user:
>> - during id=u1
>> - after su to 'root' ?
>> 
>> Regards
>> P.
>> 
>> -- 
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list

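Added example, not part of the original messages: a sketch of reading keystroke records out of audit.log, showing that the login uid (`auid`) still identifies the original user after `su - root`. It assumes the PAM mechanism meant in the thread is `pam_tty_audit` and that records follow the Linux audit `type=TTY` layout with a hex-encoded `data=` field; the sample records, uid 500 standing in for u1, and all function names are constructed for illustration.

```python
import re

TTY_RE = re.compile(r"^type=TTY msg=audit\((?P<ts>[\d.]+):\d+\): tty (?P<kv>.*)$")

def make_record(ts, uid, auid, keys):
    """Build a constructed TTY record; 'data' is the hex-encoded keystrokes."""
    return (f"type=TTY msg=audit({ts}): tty pid=4130 uid={uid} auid={auid} "
            f'ses=7 major=136 minor=2 comm="bash" data={keys.encode().hex().upper()}')

# Constructed sample log (not from the thread): login uid 500 stands in for u1.
SAMPLE_LOG = "\n".join([
    make_record("1285167601.100:210", 500, 500, "id\r"),
    "type=USER_AUTH msg=audit(1285167650.000:212): user pid=4129 uid=500 auid=500 ses=7",
    make_record("1285167655.250:214", 0, 500, "unset HISTFILE\rservice httpd restart\r"),
    make_record("1285167700.000:220", 0, 500, "lss\x7f -l\r"),
])

def decode_keys(hex_data):
    """Turn the hex 'data' field into typed lines; control bytes stay visible."""
    lines, cur = [], []
    for b in bytes.fromhex(hex_data):
        if b in (0x0D, 0x0A):          # Enter ends the current line
            if cur:
                lines.append("".join(cur))
            cur = []
        elif 0x20 <= b < 0x7F:         # printable ASCII
            cur.append(chr(b))
        else:                          # e.g. backspace (0x7f) is kept as evidence
            cur.append(f"<0x{b:02x}>")
    if cur:
        lines.append("".join(cur))
    return lines

def typed_lines(log_text):
    """Return (timestamp, auid, uid, line) for every TTY record in the log."""
    out = []
    for rec in log_text.splitlines():
        m = TTY_RE.match(rec)
        if not m:
            continue                   # other audit record types are skipped
        kv = dict(f.split("=", 1) for f in m["kv"].split())
        for line in decode_keys(kv["data"]):
            out.append((float(m["ts"]), int(kv["auid"]), int(kv["uid"]), line))
    return out

def root_activity_by_login(log_text, auid):
    """Lines typed as uid 0 in sessions that were opened by the given login uid."""
    return [line for _, a, u, line in typed_lines(log_text) if a == auid and u == 0]
```

Run against a copy of the log held on the remote collector rather than on the audited host, since the local file is writable by root.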

