[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: User Auditing



Not only that, but you could also obfuscate the script. One user I dealt with that attempted to evade detection perlcc-ed system call wrapped commands into a binary file. Relying on the shell functionality for these kinds of things is not wise (IMHO) to get reliable data about who is doing what. Zbynek's recipe is great, simple, but it will not really catch easily folks that know how to cover their tracks.

GM

On 09/23/2010 04:29 PM, Marti, Robert wrote:
I haven't tried them, but do these track executing shell commands from inside vim or other editors?  Or other ways of running commands? (write a script, run it, delete the script)

Rob Marti

-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-
bounces redhat com] On Behalf Of Zbynek Vymazal
Sent: Thursday, September 23, 2010 9:20 AM
To: General Red Hat Linux discussion list
Subject: RE: User Auditing

Hi Rob,

I'm logging command history of every user to remote syslog server. It
requires two steps on client side:

1) Add following function to /etc/profile:

function history_to_syslog
{
    declare command
    command=$(fc -ln -0)
    logger -p local7.notice -t bash -i -- $USER : $command } trap
history_to_syslog DEBUG

2) Configure local syslog to resend logs to remote syslog (/etc/syslog-
ng/syslog-ng.conf):

# Send local messages to central syslog server

filter f_filter7   { facility(local7); };
destination d_syslog_server { udp(xxx.xxx.xxx.xxx); }; log { source(s_sys);
filter(f_filter7); destination(d_syslog_server); };

Best regards,

Zbynek Vymazal

-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-
bounces redhat com] On Behalf Of Rob DeSanno
Sent: Thursday, September 23, 2010 15:40
To: General Red Hat Linux discussion list
Subject: User Auditing

This should be an easy question.

I use Logwatch on all of my RHEL servers and would like for it to also report
on all commands that any user had typed when logged in as well.
Something along the lines of UID: Command to give me an idea of who was
doing what at any given period of time.

I tried using snoopy but that gave me much more than I was looking for. I'm
now playing around with psacct and logger but was curious to know what
everyone else out there uses to monitor user activity besides looking into
everyone history file.

Thanks in advance!
~Rob
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


--
--
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]