[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: User Auditing



Auditing keystrokes will not always reveal the whole picture and is VERY intrusive for people. How are you going to correlate (and prove) that when you type something like http://www.abadsite.com , you are typing it on the descriptor of the web browser and not a text word processor. Too much noise for the data and too much invasion to privacy, never saw the point really apart from folk that due keystroke based user authentication, which is very error prone and it logs only some keystrokes to work, not everything.

GM

On 09/23/2010 05:41 PM, Marti, Robert wrote:
I'm a fan of auditing root keystrokes and shipping them off the box - you can see what happens if your server gets compromised or if you have a disgruntled employee by setting up alerts on the log correlation box.  Plus it allows a historical view of an event that bash_history doesn't always - especially if the admin doesn't use a shell that has a history.  Auditing normal users, however, typically isn't worth it.

Rob Marti
Systems Administrator
Sam Houston State University
936-294-3804 // rob shsu edu


-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-
bounces redhat com] On Behalf Of m roth 5-cent us
Sent: Thursday, September 23, 2010 10:29 AM
To: General Red Hat Linux discussion list
Subject: RE: User Auditing

Marti, Robert wrote:
I haven't tried them, but do these track executing shell commands from
inside vim or other editors?  Or other ways of running commands?
(write a script, run it, delete the script)

It also strikes me as a) a great way to create an overwhelming amount of
data; b) useless - consider the user edits a script, suspends the editing
session, runs the script, forgrounds the editing session, and undoes
whatever code they put in. Oh, and c) over-the-top Big Brother; I mean,
there's oversight, and there's this: if there's this mistrust of the employees,
then perhaps management should either hire trustworthy employees, or
only allow trusted employees to work on the systems.

           mark, *not* a fan of the idea.
-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-
bounces redhat com] On Behalf Of Zbynek Vymazal
Sent: Thursday, September 23, 2010 9:20 AM
To: General Red Hat Linux discussion list
Subject: RE: User Auditing

Hi Rob,

I'm logging command history of every user to remote syslog server. It
requires two steps on client side:

1) Add following function to /etc/profile:

function history_to_syslog
{
    declare command
    command=$(fc -ln -0)
    logger -p local7.notice -t bash -i -- $USER : $command } trap
history_to_syslog DEBUG

2) Configure local syslog to resend logs to remote syslog
(/etc/syslog-
ng/syslog-ng.conf):

# Send local messages to central syslog server

filter f_filter7   { facility(local7); };
destination d_syslog_server { udp(xxx.xxx.xxx.xxx); }; log {
source(s_sys); filter(f_filter7); destination(d_syslog_server); };

Best regards,

Zbynek Vymazal

-----Original Message-----
From: redhat-list-bounces redhat com [mailto:redhat-list-
bounces redhat com] On Behalf Of Rob DeSanno
Sent: Thursday, September 23, 2010 15:40
To: General Red Hat Linux discussion list
Subject: User Auditing

This should be an easy question.

I use Logwatch on all of my RHEL servers and would like for it to
also report on all commands that any user had typed when logged in as
well.
Something along the lines of UID: Command to give me an idea of who
was doing what at any given period of time.

I tried using snoopy but that gave me much more than I was looking for.
I'm
now playing around with psacct and logger but was curious to know
what everyone else out there uses to monitor user activity besides
looking into everyone history file.

Thanks in advance!
~Rob
--
redhat-list mailing list
unsubscribe mailto:redhat-list-
request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-
request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


--
--
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]