[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: User Auditing



I'm a fan of auditing root keystrokes and shipping them off the box - you can see what happens if your server gets compromised or if you have a disgruntled employee by setting up alerts on the log correlation box.  Plus it allows a historical view of an event that bash_history doesn't always - especially if the admin doesn't use a shell that has a history.  Auditing normal users, however, typically isn't worth it.

Rob Marti
Systems Administrator
Sam Houston State University
936-294-3804 // rob shsu edu


> -----Original Message-----
> From: redhat-list-bounces redhat com [mailto:redhat-list-
> bounces redhat com] On Behalf Of m roth 5-cent us
> Sent: Thursday, September 23, 2010 10:29 AM
> To: General Red Hat Linux discussion list
> Subject: RE: User Auditing
> 
> Marti, Robert wrote:
> > I haven't tried them, but do these track executing shell commands from
> > inside vim or other editors?  Or other ways of running commands?
> > (write a script, run it, delete the script)
> >
> It also strikes me as a) a great way to create an overwhelming amount of
> data; b) useless - consider the user edits a script, suspends the editing
> session, runs the script, forgrounds the editing session, and undoes
> whatever code they put in. Oh, and c) over-the-top Big Brother; I mean,
> there's oversight, and there's this: if there's this mistrust of the employees,
> then perhaps management should either hire trustworthy employees, or
> only allow trusted employees to work on the systems.
> 
>           mark, *not* a fan of the idea.
> >
> >> -----Original Message-----
> >> From: redhat-list-bounces redhat com [mailto:redhat-list-
> >> bounces redhat com] On Behalf Of Zbynek Vymazal
> >> Sent: Thursday, September 23, 2010 9:20 AM
> >> To: General Red Hat Linux discussion list
> >> Subject: RE: User Auditing
> >>
> >> Hi Rob,
> >>
> >> I'm logging command history of every user to remote syslog server. It
> >> requires two steps on client side:
> >>
> >> 1) Add following function to /etc/profile:
> >>
> >> function history_to_syslog
> >> {
> >>    declare command
> >>    command=$(fc -ln -0)
> >>    logger -p local7.notice -t bash -i -- $USER : $command } trap
> >> history_to_syslog DEBUG
> >>
> >> 2) Configure local syslog to resend logs to remote syslog
> >> (/etc/syslog-
> >> ng/syslog-ng.conf):
> >>
> >> # Send local messages to central syslog server
> >>
> >> filter f_filter7   { facility(local7); };
> >> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); }; log {
> >> source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> >>
> >> Best regards,
> >>
> >> Zbynek Vymazal
> >>
> >> -----Original Message-----
> >> From: redhat-list-bounces redhat com [mailto:redhat-list-
> >> bounces redhat com] On Behalf Of Rob DeSanno
> >> Sent: Thursday, September 23, 2010 15:40
> >> To: General Red Hat Linux discussion list
> >> Subject: User Auditing
> >>
> >> This should be an easy question.
> >>
> >> I use Logwatch on all of my RHEL servers and would like for it to
> >> also report on all commands that any user had typed when logged in as
> >> well.
> >> Something along the lines of UID: Command to give me an idea of who
> >> was doing what at any given period of time.
> >>
> >> I tried using snoopy but that gave me much more than I was looking for.
> >> I'm
> >> now playing around with psacct and logger but was curious to know
> >> what everyone else out there uses to monitor user activity besides
> >> looking into everyone history file.
> >>
> >> Thanks in advance!
> >> ~Rob
> >> --
> >> redhat-list mailing list
> >> unsubscribe mailto:redhat-list-
> request redhat com?subject=unsubscribe
> >> https://www.redhat.com/mailman/listinfo/redhat-list
> >>
> >> --
> >> redhat-list mailing list
> >> unsubscribe mailto:redhat-list-
> request redhat com?subject=unsubscribe
> >> https://www.redhat.com/mailman/listinfo/redhat-list
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
> >
> 
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]