User Auditing

Marti, Robert RJM002 at shsu.edu
Thu Sep 23 15:41:53 UTC 2010


I'm a fan of auditing root keystrokes and shipping them off the box - you can see what happens if your server gets compromised or if you have a disgruntled employee by setting up alerts on the log correlation box.  Plus it allows a historical view of an event that bash_history doesn't always - especially if the admin doesn't use a shell that has a history.  Auditing normal users, however, typically isn't worth it.

Rob Marti
Systems Administrator
Sam Houston State University
936-294-3804 // rob at shsu.edu


> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> Sent: Thursday, September 23, 2010 10:29 AM
> To: General Red Hat Linux discussion list
> Subject: RE: User Auditing
> 
> Marti, Robert wrote:
> > I haven't tried them, but do these track executing shell commands from
> > inside vim or other editors?  Or other ways of running commands?
> > (write a script, run it, delete the script)
> >
> It also strikes me as a) a great way to create an overwhelming amount of
> data; b) useless - consider the user edits a script, suspends the editing
> session, runs the script, foregrounds the editing session, and undoes
> whatever code they put in. Oh, and c) over-the-top Big Brother; I mean,
> there's oversight, and there's this: if there's this mistrust of the employees,
> then perhaps management should either hire trustworthy employees, or
> only allow trusted employees to work on the systems.
> 
>           mark, *not* a fan of the idea.
> >
> >> -----Original Message-----
> >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> bounces at redhat.com] On Behalf Of Zbynek Vymazal
> >> Sent: Thursday, September 23, 2010 9:20 AM
> >> To: General Red Hat Linux discussion list
> >> Subject: RE: User Auditing
> >>
> >> Hi Rob,
> >>
> >> I'm logging command history of every user to remote syslog server. It
> >> requires two steps on client side:
> >>
> >> 1) Add following function to /etc/profile:
> >>
> >> function history_to_syslog
> >> {
> >>    declare command
> >>    command=$(fc -ln -0)
> >>    # quote the message so the whole command line reaches syslog intact
> >>    logger -p local7.notice -t bash -i -- "$USER : $command"
> >> }
> >> trap history_to_syslog DEBUG
> >>
> >> 2) Configure local syslog to resend logs to remote syslog
> >> (/etc/syslog-ng/syslog-ng.conf):
> >>
> >> # Send local messages to central syslog server
> >>
> >> filter f_filter7   { facility(local7); };
> >> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); };
> >> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> >>
> >> Best regards,
> >>
> >> Zbynek Vymazal
> >>
> >> -----Original Message-----
> >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> bounces at redhat.com] On Behalf Of Rob DeSanno
> >> Sent: Thursday, September 23, 2010 15:40
> >> To: General Red Hat Linux discussion list
> >> Subject: User Auditing
> >>
> >> This should be an easy question.
> >>
> >> I use Logwatch on all of my RHEL servers and would like for it to
> >> also report on all commands that any user had typed when logged in as
> >> well.
> >> Something along the lines of UID: Command to give me an idea of who
> >> was doing what at any given period of time.
> >>
> >> I tried using snoopy but that gave me much more than I was looking for.
> >> I'm
> >> now playing around with psacct and logger but was curious to know
> >> what everyone else out there uses to monitor user activity besides
> >> looking into everyone history file.
> >>
> >> Thanks in advance!
> >> ~Rob
> >> --
> >> redhat-list mailing list
> >> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >> https://www.redhat.com/mailman/listinfo/redhat-list
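As an added example that is not part of any message in this thread: a small Python summarizer for the syslog records that the quoted `logger -p local7.notice -t bash -i -- "$USER : $command"` call produces once they reach the central syslog box. It gives the per-user "UID: Command" view the original question asked for and pulls out root commands, the subset Marti suggests alerting on. The record layout and the sample lines are constructed, not taken from a real server.

```python
import re
from collections import defaultdict

# Constructed sample lines, in the shape a remote syslog server would store
# for: logger -p local7.notice -t bash -i -- "$USER : $command"
SAMPLE_LOG = """\
Sep 23 10:31:02 web01 bash[4821]: rob : cd /var/www/html
Sep 23 10:31:09 web01 bash[4821]: rob : vim index.html
Sep 23 10:32:40 web01 bash[5102]: root : service httpd restart
Sep 23 10:33:15 db01 bash[2210]: alice : mysqldump -u backup app > /tmp/app.sql
Sep 23 10:33:58 web01 bash[5102]: root : userdel -r tempuser
Sep 23 10:34:02 web01 sshd[5300]: Accepted publickey for rob from 10.0.0.5 port 51022 ssh2
"""

# timestamp, host, the "bash" tag with logger's -i pid, then "user : command";
# only records tagged "bash" are audit entries, everything else is ignored
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sbash\[(?P<pid>\d+)\]:\s"
    r"(?P<user>[^\s:]+)\s:\s(?P<cmd>.*)$"
)


def parse_audit_lines(text):
    """Return a list of (host, user, command) for every bash audit record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines from other daemons (sshd here) fall through silently
            records.append((m["host"], m["user"], m["cmd"].strip()))
    return records


def summarize(records):
    """Group commands per host and user: {host: {user: [cmd, ...]}}."""
    per_host = defaultdict(lambda: defaultdict(list))
    for host, user, cmd in records:
        per_host[host][user].append(cmd)
    return per_host


def root_commands(records):
    """Commands run as root, the subset worth raising an alert on."""
    return [(host, cmd) for host, user, cmd in records if user == "root"]


if __name__ == "__main__":
    recs = parse_audit_lines(SAMPLE_LOG)
    for host, users in sorted(summarize(recs).items()):
        for user, cmds in sorted(users.items()):
            for cmd in cmds:
                print(f"{host} {user}: {cmd}")
    for host, cmd in root_commands(recs):
        print(f"ALERT root on {host}: {cmd}")
```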



