User Auditing

Rob DeSanno rdesanno at gmail.com
Thu Sep 23 15:28:40 UTC 2010


Thanks all for the good suggestions. I'm giving Zbynek's solution a try
right now and understand the limitations but it's better than what I have
at the moment.

On Thu, Sep 23, 2010 at 10:41 AM, Georgios Magklaras <georgios at biotek.uio.no> wrote:

> Not only that, but you could also obfuscate the script. One user I dealt
> with that attempted to evade detection perlcc-ed system call wrapped
> commands into a binary file. Relying on the shell functionality for these
> kinds of things is not wise (IMHO) to get reliable data about who is doing
> what. Zbynek's recipe is great, simple, but it will not really catch easily
> folks that know how to cover their tracks.
>
> GM
>
>
> On 09/23/2010 04:29 PM, Marti, Robert wrote:
>
>> I haven't tried them, but do these track executing shell commands from
>> inside vim or other editors?  Or other ways of running commands? (write a
>> script, run it, delete the script)
>>
>> Rob Marti
>>
>>> -----Original Message-----
>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>>> bounces at redhat.com] On Behalf Of Zbynek Vymazal
>>> Sent: Thursday, September 23, 2010 9:20 AM
>>> To: General Red Hat Linux discussion list
>>> Subject: RE: User Auditing
>>>
>>> Hi Rob,
>>>
>>> I'm logging command history of every user to remote syslog server. It
>>> requires two steps on client side:
>>>
>>> 1) Add following function to /etc/profile:
>>>
>>> function history_to_syslog
>>> {
>>>    declare command
>>>    command=$(fc -ln -0)
>>>    # quoted, so globs and whitespace in the command reach syslog verbatim
>>>    logger -p local7.notice -t bash -i -- "$USER : $command"
>>> }
>>> trap history_to_syslog DEBUG
>>>
>>> 2) Configure local syslog to resend logs to remote syslog (/etc/syslog-
>>> ng/syslog-ng.conf):
>>>
>>> # Send local messages to central syslog server
>>>
>>> filter f_filter7 { facility(local7); };
>>> destination d_syslog_server { udp("xxx.xxx.xxx.xxx"); };
>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
>>>
>>> Best regards,
>>>
>>> Zbynek Vymazal
>>>
>>> -----Original Message-----
>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>>> bounces at redhat.com] On Behalf Of Rob DeSanno
>>> Sent: Thursday, September 23, 2010 15:40
>>> To: General Red Hat Linux discussion list
>>> Subject: User Auditing
>>>
>>> This should be an easy question.
>>>
>>> I use Logwatch on all of my RHEL servers and would like for it to also
>>> report on all commands that any user had typed when logged in as well.
>>> Something along the lines of UID: Command to give me an idea of who was
>>> doing what at any given period of time.
>>>
>>> I tried using snoopy but that gave me much more than I was looking for.
>>> I'm now playing around with psacct and logger but was curious to know what
>>> everyone else out there uses to monitor user activity besides looking
>>> into everyone's history file.
>>>
>>> Thanks in advance!
>>> ~Rob
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>
>>>
>>
>
> --
> George Magklaras
> Senior Systems Engineer/IT Manager
> Biotek Center, University of Oslo
> EMBnet TMPC Chair
>
> http://folk.uio.no/georgios
>
> Tel: +47 22840535
>
>
>
>
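Zbynek's recipe and the "UID: Command" report Rob asked for, as an added example that is not part of the thread: it keeps the command quoted before it reaches logger, logs each history entry once, and summarises the resulting syslog lines per user. The central host name, PIDs and log lines are constructed, and `_HIST_LOGGED` is a hypothetical state variable.

```shell
#!/bin/bash
# Added example, not from the thread: a quoted variant of Zbynek's DEBUG-trap
# recipe plus an awk summariser that turns the syslog lines it produces into
# the "UID: command" report Rob asked for.  All log lines are constructed.

# Message text sent to syslog.  Keeping the command quoted matters: unquoted,
# "rm *" is glob-expanded by the shell before logger ever sees it.
format_history_line() {   # usage: format_history_line USER TTY COMMAND
    printf '%s %s : %s' "$1" "$2" "$3"
}

# Client side (for /etc/profile).  DEBUG fires before every simple command,
# so "a; b" would be logged twice; keying on the history number printed by
# "fc -l -0" logs each history entry once.  A line that never reaches the
# history list (HISTCONTROL, set +o history, another shell) is never logged,
# which is the gap Georgios describes.
history_to_syslog() {
    local entry num cmd t
    entry=$(fc -l -0 2>/dev/null) || return 0
    entry=${entry#"${entry%%[![:space:]]*}"}     # trim leading blanks
    num=${entry%%[[:space:]]*}                   # history number
    cmd=${entry#"$num"}; cmd=${cmd#"${cmd%%[![:space:]]*}"}
    [ "$num" = "$_HIST_LOGGED" ] && return 0     # hypothetical state variable
    _HIST_LOGGED=$num
    t=$(tty 2>/dev/null) || t=notty
    logger -p local7.notice -t bash -i -- "$(format_history_line "$USER" "$t" "$cmd")"
}
case $- in *i*) trap history_to_syslog DEBUG ;; esac   # interactive shells only

# Server side: reads syslog lines on stdin, prints "COUNT USER : COMMAND" per
# distinct user/command pair.  Lines not tagged "bash[pid]:" are ignored.
summarize_history_log() {
    awk '
        /bash\[[0-9]+\]: / {
            sub(/^.*bash\[[0-9]+\]: /, "")      # drop the syslog prefix
            i = index($0, " : ")                # header " : " command
            if (i == 0) next
            split(substr($0, 1, i - 1), h, " ") # h[1] = user, h[2] = tty
            n[h[1] " : " substr($0, i + 3)]++
        }
        END { for (k in n) print n[k], k }' | sort
}

# Constructed sample, as syslog-ng would write it on the central host.
sample_log='Sep 23 15:28:40 rhel5 bash[4021]: rob /dev/pts/0 : ls -la /etc
Sep 23 15:28:42 rhel5 bash[4021]: rob /dev/pts/0 : ls -la /etc
Sep 23 15:29:01 rhel5 bash[4198]: alice /dev/pts/1 : vim /etc/hosts
Sep 23 15:30:00 rhel5 sshd[4300]: Accepted publickey for rob'
printf '%s\n' "$sample_log" | summarize_history_log
```

The summariser's output can be fed to a Logwatch script or simply mailed from cron; repeated commands show up as one line with a count rather than one line per keystroke.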


