User Auditing

Georgios Magklaras georgios at biotek.uio.no
Thu Sep 23 14:41:43 UTC 2010


  Not only that, but you could also obfuscate the script. One user I 
dealt with that attempted to evade detection perlcc-ed system call 
wrapped commands into a binary file. Relying on the shell functionality 
for these kinds of things is not wise (IMHO) to get reliable data about 
who is doing what. Zbynek's recipe is great, simple, but it will not 
really catch easily folks that know how to cover their tracks.

GM

On 09/23/2010 04:29 PM, Marti, Robert wrote:
> I haven't tried them, but do these track executing shell commands from inside vim or other editors?  Or other ways of running commands? (write a script, run it, delete the script)
>
> Rob Marti
>
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>> bounces at redhat.com] On Behalf Of Zbynek Vymazal
>> Sent: Thursday, September 23, 2010 9:20 AM
>> To: General Red Hat Linux discussion list
>> Subject: RE: User Auditing
>>
>> Hi Rob,
>>
>> I'm logging command history of every user to remote syslog server. It
>> requires two steps on client side:
>>
>> 1) Add following function to /etc/profile:
>>
>> function history_to_syslog
>> {
>>     declare command
>>     command=$(fc -ln -0)
>>     logger -p local7.notice -t bash -i -- $USER : $command } trap
>> history_to_syslog DEBUG
>>
>> 2) Configure local syslog to resend logs to remote syslog (/etc/syslog-
>> ng/syslog-ng.conf):
>>
>> # Send local messages to central syslog server
>>
>> filter f_filter7   { facility(local7); };
>> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); }; log { source(s_sys);
>> filter(f_filter7); destination(d_syslog_server); };
>>
>> Best regards,
>>
>> Zbynek Vymazal
>>
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>> bounces at redhat.com] On Behalf Of Rob DeSanno
>> Sent: Thursday, September 23, 2010 15:40
>> To: General Red Hat Linux discussion list
>> Subject: User Auditing
>>
>> This should be an easy question.
>>
>> I use Logwatch on all of my RHEL servers and would like for it to also report
>> on all commands that any user had typed when logged in as well.
>> Something along the lines of UID: Command to give me an idea of who was
>> doing what at any given period of time.
>>
>> I tried using snoopy but that gave me much more than I was looking for. I'm
>> now playing around with psacct and logger but was curious to know what
>> everyone else out there uses to monitor user activity besides looking into
>> everyone history file.
>>
>> Thanks in advance!
>> ~Rob
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list


-- 
--
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535






More information about the redhat-list mailing list