User Auditing

Rob DeSanno rdesanno at gmail.com
Thu Sep 23 18:07:07 UTC 2010


Let me tell you why I want this for the sake of this discussion:

We have servers in our environment by which multiple people (inside and out)
can issue commands as either themselves or as root (under sudo of course).
While I would prefer that everything goes through me for changes, that is
not practical here. I want to be informed on what these people/vendors are
doing to my systems at all times and would rather know than to not know, if
that makes sense. It's not 100% about security either but to give me a sense
of what is happening in the environment that I am supporting.

On Thu, Sep 23, 2010 at 12:43 PM, Marti, Robert <RJM002 at shsu.edu> wrote:

> Why is there a browser (text or otherwise) installed on the server?
> And the pam bit that logs keystrokes to auditd does log every keypress.
> And it logs the program you were typing in.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the functionality
> I'm describing.
>
> Like I said - I only use it to log for root.  People should not be
> considering actions done as root to be private.
>
> Rob Marti
>
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > bounces at redhat.com] On Behalf Of Georgios Magklaras
> > Sent: Thursday, September 23, 2010 11:12 AM
> > To: General Red Hat Linux discussion list
> > Subject: Re: User Auditing
> >
> >   Auditing keystrokes will not always reveal the whole picture and is
> > VERY intrusive for people. How are you going to correlate (and prove) that
> > when you type something like http://www.abadsite.com , you are typing it on
> > the descriptor of the web browser and not a text word processor. Too much
> > noise for the data and too much invasion of privacy, never saw the point
> > really apart from folk that do keystroke based user authentication,
> > which is very error prone and it logs only some keystrokes to work, not
> > everything.
> >
> > GM
> >
> > On 09/23/2010 05:41 PM, Marti, Robert wrote:
> > > I'm a fan of auditing root keystrokes and shipping them off the box -
> > > you can see what happens if your server gets compromised or if you have a
> > > disgruntled employee by setting up alerts on the log correlation box.
> > > Plus it allows a historical view of an event that bash_history doesn't
> > > always - especially if the admin doesn't use a shell that has a history.
> > > Auditing normal users, however, typically isn't worth it.
> > >
> > > Rob Marti
> > > Systems Administrator
> > > Sam Houston State University
> > > 936-294-3804 // rob at shsu.edu
> > >
> > >
> > >> -----Original Message-----
> > >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > >> bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> > >> Sent: Thursday, September 23, 2010 10:29 AM
> > >> To: General Red Hat Linux discussion list
> > >> Subject: RE: User Auditing
> > >>
> > >> Marti, Robert wrote:
> > >>> I haven't tried them, but do these track executing shell commands
> > >>> from inside vim or other editors?  Or other ways of running commands?
> > >>> (write a script, run it, delete the script)
> > >>>
> > >> It also strikes me as a) a great way to create an overwhelming amount
> > >> of data; b) useless - consider the user edits a script, suspends the
> > >> editing session, runs the script, foregrounds the editing session, and
> > >> undoes whatever code they put in. Oh, and c) over-the-top Big
> > >> Brother; I mean, there's oversight, and there's this: if there's this
> > >> mistrust of the employees, then perhaps management should either hire
> > >> trustworthy employees, or only allow trusted employees to work on the
> > >> systems.
> > >>
> > >>            mark, *not* a fan of the idea.
> > >>>> -----Original Message-----
> > >>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > >>>> bounces at redhat.com] On Behalf Of Zbynek Vymazal
> > >>>> Sent: Thursday, September 23, 2010 9:20 AM
> > >>>> To: General Red Hat Linux discussion list
> > >>>> Subject: RE: User Auditing
> > >>>>
> > >>>> Hi Rob,
> > >>>>
> > >>>> I'm logging command history of every user to remote syslog server.
> > >>>> It requires two steps on client side:
> > >>>>
> > >>>> 1) Add following function to /etc/profile:
> > >>>>
> > >>>> function history_to_syslog
> > >>>> {
> > >>>>     declare command
> > >>>>     # fc -ln -0 prints the most recent history entry without its number
> > >>>>     command=$(fc -ln -0)
> > >>>>     # quoted so that glob characters in the command are not expanded
> > >>>>     # and its whitespace is preserved in the log line
> > >>>>     logger -p local7.notice -t bash -i -- "$USER : $command"
> > >>>> }
> > >>>> trap history_to_syslog DEBUG
> > >>>>
> > >>>> 2) Configure local syslog to resend logs to remote syslog
> > >>>> (/etc/syslog-ng/syslog-ng.conf):
> > >>>>
> > >>>> # Send local messages to central syslog server
> > >>>>
> > >>>> filter f_filter7 { facility(local7); };
> > >>>> destination d_syslog_server { udp("xxx.xxx.xxx.xxx"); };
> > >>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> > >>>>
> > >>>> Best regards,
> > >>>>
> > >>>> Zbynek Vymazal
> > >>>>
> > >>>> -----Original Message-----
> > >>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > >>>> bounces at redhat.com] On Behalf Of Rob DeSanno
> > >>>> Sent: Thursday, September 23, 2010 15:40
> > >>>> To: General Red Hat Linux discussion list
> > >>>> Subject: User Auditing
> > >>>>
> > >>>> This should be an easy question.
> > >>>>
> > >>>> I use Logwatch on all of my RHEL servers and would like for it to
> > >>>> also report on all commands that any user had typed when logged in
> > >>>> as well.
> > >>>> Something along the lines of UID: Command to give me an idea of who
> > >>>> was doing what at any given period of time.
> > >>>>
> > >>>> I tried using snoopy but that gave me much more than I was looking
> > >>>> for. I'm now playing around with psacct and logger but was curious to
> > >>>> know what everyone else out there uses to monitor user activity besides
> > >>>> looking into everyone's history file.
> > >>>>
> > >>>> Thanks in advance!
> > >>>> ~Rob
> > >>>> --
> > >>>> redhat-list mailing list
> > >>>> unsubscribe mailto:redhat-list-
> > >> request at redhat.com?subject=unsubscribe
> > >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> > >>
> >
> >
> > --
> > George Magklaras
> > Senior Systems Engineer/IT Manager
> > Biotek Center, University of Oslo
> > EMBnet TMPC Chair
> >
> > http://folk.uio.no/georgios
> >
> > Tel: +47 22840535
> >
> >
> >
>
>
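Zbynek's DEBUG-trap function produces one syslog line per command, and Rob's original question was how to turn that into a "UID: Command" summary. The following script is an added example, not code from the thread or from any of the posters; it parses lines of the shape that `logger -p local7.notice -t bash -i -- "$USER : $command"` produces on a central syslog host, builds the per-user view, and flags commands run as root or via sudo (which Rob Marti argues are the ones worth auditing). The log lines, host names, users and commands are constructed sample input, and the function names are this example's own. Two quirks of the trap approach are handled in code: the DEBUG trap fires once per simple command, so a pipeline logs the same history line several times, and the PID that `logger -i` appends is logger's own, so it cannot be used to identify the shell session.

```python
import re
from collections import defaultdict

# Lines as they arrive at the central syslog host (BSD syslog header, then the
# message from: logger -p local7.notice -t bash -i -- "$USER : $command").
# The bracketed number is logger's PID (from -i), not the shell's.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+bash\[(?P<pid>\d+)\]:\s+"
    r"(?P<user>[^\s:]+)\s+:\s+(?P<cmd>.*)$"
)

# Constructed sample input (not from the thread). The leading tab is what
# `fc -ln -0` emits in front of the command; the two identical alice lines are
# what a single pipeline produces because the DEBUG trap fires per stage.
SAMPLE_LOG = """\
Sep 23 15:40:01 web01 bash[4321]: alice : \tls -la /etc
Sep 23 15:40:07 web01 bash[4330]: alice : \tcat /etc/passwd | grep vendor
Sep 23 15:40:07 web01 bash[4331]: alice : \tcat /etc/passwd | grep vendor
Sep 23 15:41:15 web01 bash[4388]: root : \tvi /etc/sudoers
Sep 23 15:42:30 db02 bash[1200]: bob : \tsudo systemctl restart postgresql
Sep 23 15:42:31 db02 cron[999]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line):
    """Return a dict for a bash history line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"].strip()  # drop the tab fc prints before the command
    return rec


def parse_log(text):
    """Parse all lines and collapse the per-stage duplicates of one pipeline.

    Duplicates are recognised as the same host, user, timestamp and command;
    a user who really did type the same command twice within one second is
    collapsed as well, which is the price of the trap not reporting a session id.
    """
    records = []
    seen = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["user"], rec["ts"], rec["cmd"])
        if key in seen:
            continue
        seen.add(key)
        records.append(rec)
    return records


def summarize(records):
    """The 'UID: Command' view: {user: [(host, ts, cmd), ...]} in arrival order."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((r["host"], r["ts"], r["cmd"]))
    return dict(by_user)


def flag_privileged(records):
    """Commands issued as root, or as another user through sudo."""
    return [r for r in records
            if r["user"] == "root" or r["cmd"].split()[:1] == ["sudo"]]


def render_report(records):
    """Plain-text report in the spirit of a Logwatch section."""
    lines = []
    for user, entries in sorted(summarize(records).items()):
        lines.append(f"{user}: {len(entries)} command(s)")
        for host, ts, cmd in entries:
            lines.append(f"  {ts} {host}: {cmd}")
    priv = flag_privileged(records)
    lines.append(f"privileged commands: {len(priv)}")
    for r in priv:
        lines.append(f"  {r['ts']} {r['host']} {r['user']}: {r['cmd']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(parse_log(SAMPLE_LOG)))
```

To run it against a real collector, feed the file the syslog-ng destination writes to instead of SAMPLE_LOG. As the rest of the thread points out, this only sees what the interactive shell's history sees: commands launched from inside an editor, from a script, or from a shell without history never reach it, so it complements rather than replaces auditd.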