User Auditing

Marti, Robert RJM002 at shsu.edu
Thu Sep 23 18:37:08 UTC 2010


Right, which is exactly what we use it for.  Red Hat supported and everything.

Rob Marti

> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Rob DeSanno
> Sent: Thursday, September 23, 2010 1:07 PM
> To: General Red Hat Linux discussion list
> Subject: Re: User Auditing
> 
> Let me tell you why I want this for the sake of this discussion:
> 
> We have servers in our environment by which multiple people (inside and
> out) can issue commands as either themselves or as root (under sudo of
> course).
> While I would prefer that everything goes through me for changes, that is
> not practical here. I want to be informed on what these people/vendors are
> doing to my systems at all times and would rather know than to not know, if
> that makes sense. It's not 100% about security either but to give me a sense
> of what is happening in the environment that I am supporting.
> 
> On Thu, Sep 23, 2010 at 12:43 PM, Marti, Robert <RJM002 at shsu.edu> wrote:
> 
> > Why is there a browser (text or otherwise) installed on the server?
> > And the pam bit that logs keystrokes to auditd does log every keypress.
> > And it logs the program you were typing in.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the
> > functionality I'm describing.
> >
> > Like I said - I only use it to log for root.  People should not be
> > considering actions done as root to be private.
> >
> > Rob Marti
> >
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > > bounces at redhat.com] On Behalf Of Georgios Magklaras
> > > Sent: Thursday, September 23, 2010 11:12 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: User Auditing
> > >
> > >   Auditing keystrokes will not always reveal the whole picture and
> > > is VERY intrusive for people. How are you going to correlate (and
> > > prove) that when you type something like http://www.abadsite.com ,
> > > you are typing it on the descriptor of the web browser and not a
> > > text word processor. Too much noise for the data and too much
> > > invasion of privacy, never saw the point really apart from folk that
> > > do keystroke-based user authentication, which is very error prone
> > > and it logs only some keystrokes to work, not everything.
> > >
> > > GM
> > >
> > > On 09/23/2010 05:41 PM, Marti, Robert wrote:
> > > > I'm a fan of auditing root keystrokes and shipping them off the
> > > > box - you can see what happens if your server gets compromised or
> > > > if you have a disgruntled employee by setting up alerts on the log
> > > > correlation box.  Plus it allows a historical view of an event that
> > > > bash_history doesn't always - especially if the admin doesn't use a
> > > > shell that has a history.  Auditing normal users, however,
> > > > typically isn't worth it.
> > > >
> > > > Rob Marti
> > > > Systems Administrator
> > > > Sam Houston State University
> > > > 936-294-3804 // rob at shsu.edu
> > > >
> > > >
> > > >> -----Original Message-----
> > > >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > > >> bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> > > >> Sent: Thursday, September 23, 2010 10:29 AM
> > > >> To: General Red Hat Linux discussion list
> > > >> Subject: RE: User Auditing
> > > >>
> > > >> Marti, Robert wrote:
> > > >>> I haven't tried them, but do these track executing shell
> > > >>> commands from inside vim or other editors?  Or other ways of
> > > >>> running commands?
> > > >>> (write a script, run it, delete the script)
> > > >>>
> > > >> It also strikes me as a) a great way to create an overwhelming
> > > >> amount of data; b) useless - consider the user edits a script,
> > > >> suspends the editing session, runs the script, foregrounds the
> > > >> editing session, and undoes whatever code they put in. Oh, and c)
> > > >> over-the-top Big Brother; I mean, there's oversight, and there's
> > > >> this: if there's this mistrust of the employees, then perhaps
> > > >> management should either hire trustworthy employees, or only
> > > >> allow trusted employees to work on the systems.
> > > >>
> > > >>            mark, *not* a fan of the idea.
> > > >>>> -----Original Message-----
> > > >>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > > >>>> bounces at redhat.com] On Behalf Of Zbynek Vymazal
> > > >>>> Sent: Thursday, September 23, 2010 9:20 AM
> > > >>>> To: General Red Hat Linux discussion list
> > > >>>> Subject: RE: User Auditing
> > > >>>>
> > > >>>> Hi Rob,
> > > >>>>
> > > >>>> I'm logging command history of every user to remote syslog server.
> > > >>>> It requires two steps on client side:
> > > >>>>
> > > >>>> 1) Add the following function to /etc/profile:
> > > >>>>
> > > >>>> function history_to_syslog
> > > >>>> {
> > > >>>>     declare command
> > > >>>>     command=$(fc -ln -0)
> > > >>>>     logger -p local7.notice -t bash -i -- "$USER : $command"
> > > >>>> }
> > > >>>> trap history_to_syslog DEBUG
> > > >>>>
> > > >>>> 2) Configure local syslog to resend logs to remote syslog
> > > >>>> (/etc/syslog-ng/syslog-ng.conf):
> > > >>>>
> > > >>>> # Send local messages to central syslog server
> > > >>>>
> > > >>>> filter f_filter7   { facility(local7); };
> > > >>>> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); };
> > > >>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> > > >>>>
> > > >>>> Best regards,
> > > >>>>
> > > >>>> Zbynek Vymazal
> > > >>>>
> > > >>>> -----Original Message-----
> > > >>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> > > >>>> bounces at redhat.com] On Behalf Of Rob DeSanno
> > > >>>> Sent: Thursday, September 23, 2010 15:40
> > > >>>> To: General Red Hat Linux discussion list
> > > >>>> Subject: User Auditing
> > > >>>>
> > > >>>> This should be an easy question.
> > > >>>>
> > > >>>> I use Logwatch on all of my RHEL servers and would like for it
> > > >>>> to also report on all commands that any user had typed when
> > > >>>> logged in as well.
> > > >>>> Something along the lines of UID: Command to give me an idea of
> > > >>>> who was doing what at any given period of time.
> > > >>>>
> > > >>>> I tried using snoopy but that gave me much more than I was
> > > >>>> looking for. I'm now playing around with psacct and logger but
> > > >>>> was curious to know what everyone else out there uses to monitor
> > > >>>> user activity besides looking into everyone's history file.
> > > >>>>
> > > >>>> Thanks in advance!
> > > >>>> ~Rob
> > > >>>> --
> > > >>>> redhat-list mailing list
> > > >>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > > >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> > > --
> > > George Magklaras
> > > Senior Systems Engineer/IT Manager
> > > Biotek Center, University of Oslo
> > > EMBnet TMPC Chair
> > >
> > > http://folk.uio.no/georgios
> > >
> > > Tel: +47 22840535
> > >
> > >
> > >
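The DEBUG-trap logger Zbynek posted above is the only runnable piece in this thread, and the thread's own objections (sudo root shells that need attributing to a person, commands that never show up in history) point at what it leaves out. The following is an added example, not code posted by anyone on the list: the same /etc/profile approach, rewritten so each record carries the invoking sudo user, the tty and the working directory, and built from $BASH_COMMAND rather than fc -ln -0. The record layout, the "audit" tag, the function names and the use of SUDO_USER (which sudo sets) are this example's own choices; bash is assumed, since DEBUG traps and BASH_COMMAND are bash features.

```shell
#!/bin/bash
# Added example for this thread, not code posted by any participant.
# A variant of the /etc/profile DEBUG-trap logger: one syslog record per
# interactive command on local7 (so the posted syslog-ng step still forwards
# it), with the context a central correlation box needs to attribute a sudo
# root shell to a person. Assumptions: the field names and the "audit" tag
# are this example's choice; bash is required (DEBUG trap, BASH_COMMAND);
# SUDO_USER is the variable sudo sets to the invoking user's name.

# Compose one record. Free of side effects so it can be checked offline.
# Args: effective user, invoking sudo user (empty if none), tty, cwd, command.
audit_line() {
    local euser="$1" suser="$2" tty="$3" cwd="$4" cmd="$5"
    local who="$euser"
    # Root obtained via sudo: name the person, keep the effective user.
    if [ -n "$suser" ] && [ "$suser" != "$euser" ]; then
        who="${suser}(as ${euser})"
    fi
    # Fold newlines so a multi-line command cannot forge a second record.
    cmd=$(printf '%s' "$cmd" | tr '\n' ' ')
    printf 'user=%s tty=%s pwd=%s cmd=%s' "$who" "$tty" "$cwd" "$cmd"
}

# Resolve the tty once per shell instead of forking tty(1) on every command.
AUDIT_TTY=$(tty 2>/dev/null) || AUDIT_TTY='notty'

# Trap handler. Inside a DEBUG trap BASH_COMMAND is the command about to run,
# so each command of a pipeline or compound line is recorded separately, and
# turning history off (HISTSIZE=0, set +o history) does not blank the record
# the way fc -ln -0 would.
history_to_syslog() {
    local cmd="$BASH_COMMAND"
    logger -p local7.notice -t audit -i -- \
        "$(audit_line "$USER" "$SUDO_USER" "$AUDIT_TTY" "$PWD" "$cmd")"
}

# Install only in an interactive shell; scripts that source this file would
# otherwise flood local7 with their own internals.
case "$-" in
    *i*) trap history_to_syslog DEBUG ;;
esac
```

Step 2 of the posted procedure needs no change: the records still carry facility local7, so the same syslog-ng filter ships them. The caveats raised in the thread apply to this version exactly as to the original. The trap lives in the user's own shell, so anyone can `trap - DEBUG`, exec a different shell, or run commands from inside vim or a script without leaving a record, and /etc/profile is read only by login shells, so `sudo bash` or `sudo somecommand` never pass through it (sudo writes its own log entry for the latter). It provides the visibility Rob DeSanno asked for, not tamper evidence. For kernel-enforced capture of the kind Marti describes, the pam_tty_audit module (`session required pam_tty_audit.so enable=root` in the PAM session stack) has the kernel record root's tty input into the audit log, where `aureport --tty` reads it back.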



