User Auditing

Rob DeSanno rdesanno at gmail.com
Thu Sep 23 19:03:11 UTC 2010


At this point, somewhat. Right now they are co-managed and they are
assisting us in building the application layer on it which sometimes
requires root access.

On Thu, Sep 23, 2010 at 2:32 PM, <m.roth at 5-cent.us> wrote:

> Rob DeSanno wrote:
> > Let me tell you why I want this for the sake of this discussion:
> >
> > We have servers in our environment by which multiple people (inside and
> > out) can issue commands as either themselves or as root (under sudo of
> > course). While I would prefer that everything goes through me for
> > changes, that is not practical here. I want to be informed on what these
> > people/vendors are doing to my systems at all times and would rather
> > know than not know, if that makes sense. It's not 100% about security
> > either but to give me a sense of what is happening in the environment
> > that I am supporting.
>
> Have you already limited what commands some of these folks can use with
> /etc/sudoers?
>
>        mark
> >
> > On Thu, Sep 23, 2010 at 12:43 PM, Marti, Robert <RJM002 at shsu.edu> wrote:
> >
> >> Why is there a browser (text or otherwise) installed on the server?
> >> And the pam bit that logs keystrokes to auditd does log every keypress.
> >> And it logs the program you were typing in.
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the functionality
> >> I'm describing.
> >>
> >> Like I said - I only use it to log for root.  People should not be
> >> considering actions done as root to be private.
> >>
> >> Rob Marti
> >>
> >> > -----Original Message-----
> >> > From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> > bounces at redhat.com] On Behalf Of Georgios Magklaras
> >> > Sent: Thursday, September 23, 2010 11:12 AM
> >> > To: General Red Hat Linux discussion list
> >> > Subject: Re: User Auditing
> >> >
> >> >   Auditing keystrokes will not always reveal the whole picture and is
> >> > VERY intrusive for people. How are you going to correlate (and prove)
> >> > that when you type something like http://www.abadsite.com , you are
> >> > typing it on the descriptor of the web browser and not a text word
> >> > processor. Too much noise for the data and too much invasion of
> >> > privacy; never saw the point really apart from folk that do
> >> > keystroke-based user authentication, which is very error prone and
> >> > logs only some keystrokes to work, not everything.
> >> >
> >> > GM
> >> >
> >> > On 09/23/2010 05:41 PM, Marti, Robert wrote:
> >> > > I'm a fan of auditing root keystrokes and shipping them off the box -
> >> > > you can see what happens if your server gets compromised or if you
> >> > > have a disgruntled employee by setting up alerts on the log
> >> > > correlation box. Plus it allows a historical view of an event that
> >> > > bash_history doesn't always - especially if the admin doesn't use a
> >> > > shell that has a history. Auditing normal users, however, typically
> >> > > isn't worth it.
> >> > >
> >> > > Rob Marti
> >> > > Systems Administrator
> >> > > Sam Houston State University
> >> > > 936-294-3804 // rob at shsu.edu
> >> > >
> >> > >
> >> > >> -----Original Message-----
> >> > >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> > >> bounces at redhat.com] On Behalf Of m.roth at 5-cent.us
> >> > >> Sent: Thursday, September 23, 2010 10:29 AM
> >> > >> To: General Red Hat Linux discussion list
> >> > >> Subject: RE: User Auditing
> >> > >>
> >> > >> Marti, Robert wrote:
> >> > >>> I haven't tried them, but do these track executing shell commands
> >> > >>> from inside vim or other editors?  Or other ways of running
> >> > >>> commands? (write a script, run it, delete the script)
> >> > >>>
> >> > >> It also strikes me as a) a great way to create an overwhelming
> >> > >> amount of data; b) useless - consider the user edits a script,
> >> > >> suspends the editing session, runs the script, foregrounds the
> >> > >> editing session, and undoes whatever code they put in. Oh, and c)
> >> > >> over-the-top Big Brother; I mean, there's oversight, and there's
> >> > >> this: if there's this mistrust of the employees, then perhaps
> >> > >> management should either hire trustworthy employees, or only allow
> >> > >> trusted employees to work on the systems.
> >> > >>
> >> > >>            mark, *not* a fan of the idea.
> >> > >>>> -----Original Message-----
> >> > >>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> > >>>> bounces at redhat.com] On Behalf Of Zbynek Vymazal
> >> > >>>> Sent: Thursday, September 23, 2010 9:20 AM
> >> > >>>> To: General Red Hat Linux discussion list
> >> > >>>> Subject: RE: User Auditing
> >> > >>>>
> >> > >>>> Hi Rob,
> >> > >>>>
> >> > >>>> I'm logging the command history of every user to a remote syslog
> >> > >>>> server. It requires two steps on the client side:
> >> > >>>>
> >> > >>>> 1) Add following function to /etc/profile:
> >> > >>>>
> >> > >>>> function history_to_syslog
> >> > >>>> {
> >> > >>>>     declare command
> >> > >>>>     command=$(fc -ln -0)
> >> > >>>>     logger -p local7.notice -t bash -i -- "$USER : $command"
> >> > >>>> }
> >> > >>>> trap history_to_syslog DEBUG
> >> > >>>>
> >> > >>>> 2) Configure local syslog to resend logs to the remote syslog server
> >> > >>>> (/etc/syslog-ng/syslog-ng.conf):
> >> > >>>>
> >> > >>>> # Send local messages to central syslog server
> >> > >>>>
> >> > >>>> filter f_filter7 { facility(local7); };
> >> > >>>> destination d_syslog_server { udp("xxx.xxx.xxx.xxx"); };
> >> > >>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> >> > >>>>
> >> > >>>> Best regards,
> >> > >>>>
> >> > >>>> Zbynek Vymazal
> >> > >>>>
> >> > >>>> -----Original Message-----
> >> > >>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> > >>>> bounces at redhat.com] On Behalf Of Rob DeSanno
> >> > >>>> Sent: Thursday, September 23, 2010 15:40
> >> > >>>> To: General Red Hat Linux discussion list
> >> > >>>> Subject: User Auditing
> >> > >>>>
> >> > >>>> This should be an easy question.
> >> > >>>>
> >> > >>>> I use Logwatch on all of my RHEL servers and would like for it to
> >> > >>>> also report on all commands that any user had typed when logged in
> >> > >>>> as well. Something along the lines of UID: Command to give me an
> >> > >>>> idea of who was doing what at any given period of time.
> >> > >>>>
> >> > >>>> I tried using snoopy but that gave me much more than I was looking
> >> > >>>> for. I'm now playing around with psacct and logger but was curious
> >> > >>>> to know what everyone else out there uses to monitor user activity
> >> > >>>> besides looking into everyone's history file.
> >> > >>>>
> >> > >>>> Thanks in advance!
> >> > >>>> ~Rob
> >> > >>>> --
> >> > >>>> redhat-list mailing list
> >> > >>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> >> > >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> >> > >>>>
> >> >
> >> >
> >> > --
> >> > George Magklaras
> >> > Senior Systems Engineer/IT Manager
> >> > Biotek Center, University of Oslo
> >> > EMBnet TMPC Chair
> >> >
> >> > http://folk.uio.no/georgios
> >> >
> >> > Tel: +47 22840535
>
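Rob's original ask was a "UID: Command" view of what each user ran, and Zbynek's DEBUG-trap-plus-logger approach produces syslog lines of the form "bash[PID]: user : command". The following is an added example, not code from any poster in this thread: it parses constructed lines in that logger format, collapses the consecutive repeats a DEBUG trap produces for pipelines and command lists (the trap fires once per simple command and fc -ln -0 returns the same history entry each time), and builds a per-user summary with root and sudo commands pulled out. The host, users, PIDs and commands in SAMPLE_LOG are made up. As the thread itself points out, this is an activity trail rather than a tamper-proof audit: a user who runs trap - DEBUG, switches shells, or shells out from an editor never appears in it.

```python
"""Summarise shell-audit syslog lines produced by a bash DEBUG trap that runs
logger -p local7.notice -t bash -i -- "$USER : $command".

Added example for the redhat-list "User Auditing" thread; SAMPLE_LOG is
constructed test data, not a real log.
"""
import re

# Classic BSD syslog line as written by syslog/syslog-ng, e.g.
#   "Sep 23 15:40:01 web01 bash[4321]: rob : sudo vi /etc/sudoers"
# The "bash" tag and "[pid]" come from logger's -t and -i options.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"bash\[(?P<pid>\d+)\]: "
    r"(?P<user>[^ ]+) : (?P<cmd>.*)$"
)

# Anything run through sudo is reported alongside commands run as root.
SUDO_RE = re.compile(r"^\s*sudo\b")

# Constructed sample. Line 3 repeats line 2 because a DEBUG trap fires for
# each simple command in a pipeline; the sshd line is unrelated noise that
# shares the same facility on a real box.
SAMPLE_LOG = """\
Sep 23 15:40:01 web01 bash[4321]: rob : ls -la /var/www
Sep 23 15:40:05 web01 bash[4321]: rob : grep -r TODO /var/www | wc -l
Sep 23 15:40:05 web01 bash[4321]: rob : grep -r TODO /var/www | wc -l
Sep 23 15:41:10 web01 bash[5150]: vendor1 : sudo vi /etc/httpd/conf/httpd.conf
Sep 23 15:41:30 web01 bash[5150]: vendor1 : sudo service httpd restart
Sep 23 15:42:00 web01 bash[5150]: vendor1 : cat /tmp/notes.txt
Sep 23 15:43:12 web01 sshd[5149]: Accepted publickey for vendor1 from 10.0.0.7 port 51234 ssh2
Sep 23 15:45:00 web01 bash[6001]: root : rm -rf /var/log/httpd/*
"""


def parse_line(line):
    """Parse one syslog line; return a dict or None if it is not a bash audit line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["pid"] = int(entry["pid"])
    entry["cmd"] = entry["cmd"].strip()  # fc -ln output carries a leading tab
    return entry


def parse_log(text):
    """Return the audit entries in order, dropping a repeat of the previous
    command from the same shell PID (the DEBUG-trap duplicate)."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entries and entries[-1]["pid"] == entry["pid"] \
                and entries[-1]["cmd"] == entry["cmd"]:
            continue
        entries.append(entry)
    return entries


def summarize(entries):
    """Per-user report: command count plus every command run as root or via sudo."""
    report = {}
    for entry in entries:
        user_report = report.setdefault(entry["user"], {"commands": 0, "privileged": []})
        user_report["commands"] += 1
        if entry["user"] == "root" or SUDO_RE.match(entry["cmd"]):
            user_report["privileged"].append(entry["cmd"])
    return report


def format_report(report):
    """Render the summary in the 'user: commands' shape Logwatch-style reports use."""
    lines = []
    for user in sorted(report):
        r = report[user]
        lines.append(f"{user}: {r['commands']} command(s), {len(r['privileged'])} privileged")
        for cmd in r["privileged"]:
            lines.append(f"    {cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(parse_log(SAMPLE_LOG))))
```

Note the last sample line: with the unquoted form logger ... -- $USER : $command the shell would glob-expand /var/log/httpd/* before logger ever saw it, so the log would record the expanded file names rather than what was typed; quoting the argument keeps the original command line.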


