Command logging after 'su'

Marti, Robert RJM002 at shsu.edu
Wed Sep 22 16:27:51 UTC 2010


Bash history is editable, so effectively useless for auditing. On top of that, by default, even if they don't unset the histfile or use one of the many other ways to clear the entries, only the last exited session actually writes to the histfile. It also doesn't catch what happens if a user opens a shell through another method (i.e. sudo vim, then open a shell).

PAM auditing will catch all of that as long as audit.log is being shipped off the server.

Sent from my iPhone

On Sep 22, 2010, at 11:00 AM, "Elliott, Andrew" <Andrew.Elliott at istat.ca> wrote:

> ...Should be in the .history (bash) file, no?
> 
> You should try to get them to use 'sudo'.  That will capture all the commands in the users' .bash_history rather than root's...
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Marti, Robert
> Sent: Wednesday, September 22, 2010 11:41 AM
> To: przemolicc at poczta.fm; General Red Hat Linux discussion list
> Subject: Re: Command logging after 'su'
> 
> PAM can be configured to log every key a user presses via the audit daemon. This, however, is useless unless you ship logging off the box.
> 
> Sent from my iPhone
> 
> On Sep 22, 2010, at 10:36 AM, "przemolicc at poczta.fm" <przemolicc at poczta.fm> wrote:
> 
>> Hi,
>> 
>> we have user 'u1' which can do 'su - root'.
>> Is it possible to log all commands run by this user:
>> - during id=u1
>> - after su to 'root' ?
>> 
>> Regards
>> P.
>> 
>> -- 
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
> 

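Added example, not part of the original thread: a sketch of reading the keystroke records that PAM TTY auditing writes to audit.log, assuming the mechanism referred to is pam_tty_audit and that records follow the `type=TTY ... uid= auid= ... data=<hex>` layout. The log lines are constructed samples; they show that `auid` (the login UID) still identifies u1 after `su - root` changes `uid` to 0.

```python
import re

# Constructed sample lines modelled on audit.log records (not taken from the thread).
# u1 (auid=500) types "id", then "su - root", then as uid 0 "vi /etx<DEL>c/hosts".
SAMPLE_LOG = """\
type=TTY msg=audit(1285172871.101:410): tty pid=2101 uid=500 auid=500 major=136 minor=0 comm="bash" data=69640D
type=USER_AUTH msg=audit(1285172880.007:411): user pid=2150 uid=500 auid=500 msg='op=PAM:authentication acct="root" exe="/bin/su" res=success'
type=TTY msg=audit(1285172880.250:412): tty pid=2101 uid=500 auid=500 major=136 minor=0 comm="bash" data=7375202D20726F6F740D
type=TTY msg=audit(1285172899.912:415): tty pid=2153 uid=0 auid=500 major=136 minor=0 comm="bash" data=7669202F6574787F632F686F7374730D
"""

TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):.*?'
    r'\buid=(?P<uid>\d+) auid=(?P<auid>\d+).*?\bdata=(?P<data>(?:[0-9A-Fa-f]{2})+)\s*$'
)

def render_keys(raw: bytes) -> list[str]:
    """Replay keystrokes: apply backspace/DEL, split on Enter, show other control bytes as ^X."""
    lines, buf = [], []
    for b in raw:
        if b in (0x0D, 0x0A):            # Enter ends a typed line
            lines.append("".join(buf))
            buf = []
        elif b in (0x08, 0x7F):          # backspace/DEL removes the previous key
            del buf[-1:]
        elif b < 0x20:                   # e.g. 0x03 is rendered as ^C
            buf.append("^" + chr(b + 0x40))
        else:
            buf.append(chr(b))
    if buf:
        lines.append("".join(buf) + " (no Enter)")
    return lines

def tty_sessions(log_text: str) -> list[dict]:
    """Return one entry per typed line, flagging input typed under a switched UID."""
    out = []
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue                     # non-TTY audit records are skipped here
        uid, auid = int(m["uid"]), int(m["auid"])
        for typed in render_keys(bytes.fromhex(m["data"])):
            out.append({"serial": int(m["serial"]), "auid": auid, "uid": uid,
                        "typed": typed, "switched": uid != auid})
    return out

if __name__ == "__main__":
    for r in tty_sessions(SAMPLE_LOG):
        print(f'{r["serial"]} auid={r["auid"]} uid={r["uid"]} switched={r["switched"]} {r["typed"]!r}')
```

Because the raw data is keystrokes rather than executed commands, anything typed at a prompt that does not echo can also end up in these records, which is one more reason to restrict who can read the shipped copies.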


