Audit trail for root?
Jeremy C. Reed
reed at reedmedia.net
Wed Aug 1 17:01:48 MST 2007
On Wed, 1 Aug 2007, George Toft wrote:
> I am searching for a solution. Client company is looking for a means to
> track all commands issued by root. PowerBroker has already been
> excluded as it will cost over $1M to deploy. Product must be
> inexpensive and supported.
>
> I've researched this a bit already, and came up with sudoshell (no
> development since 2004) and modifying the bash source code and
> recompiling. Neither solution is acceptable.
>
> Any ideas?
How much detail do you need? BSD systems have accounting of all commands
that can be easily enabled -- it has been useful for me.
Linux has similar capability. Some old links:
http://www.ibiblio.org/pub/Linux/system/admin/accounts/acct-1.3.73.lsm
(source in same directory)
http://directory.fsf.org/acct.html
http://www.faqs.org/docs/Linux-mini/Process-Accounting.html
http://www.linuxjournal.com/article/6144
Some of my customers use atop. (I installed it recently on CentOS.)
I found some links:
http://www.atconsultancy.nl/atop/
http://aplawrence.com/Words2005/2005_07_09.html
These both keep logs.
If they don't record what you want, let us know. (Also FreeBSD recently
gained "security event auditing" which has some portable code for Linux
called OpenBSM ("M" on the end there).)
Jeremy C. Reed
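
Added example, not part of the original post or of any tool named in it: a reader for the Linux process accounting file that lists the commands run with UID 0. It shows the level of detail this mechanism records: command name, PID/PPID, start time and the superuser flag, but no arguments. Assumptions: the file uses the acct_v3 record layout on a little-endian host, and the sample records are constructed.

```python
import struct
from datetime import datetime, timezone

# Layout of Linux struct acct_v3 (<linux/acct.h>), 64 bytes per exited process.
# Assumption: little-endian host (x86); comp_t counters are kept as raw 16-bit values.
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
ASU = 0x02  # ac_flag bit: process used superuser privileges


def parse_acct(blob):
    """Yield a dict for every acct_v3 record in the raw accounting file bytes."""
    if len(blob) % ACCT_V3.size:
        raise ValueError("accounting data is not a whole number of records")
    for off in range(0, len(blob), ACCT_V3.size):
        f = ACCT_V3.unpack_from(blob, off)
        if f[1] & 0x7F != 3:  # high bit of ac_version only marks byte order
            raise ValueError(f"record at offset {off} is not acct_v3")
        yield {
            "flag": f[0], "uid": f[4], "gid": f[5], "pid": f[6], "ppid": f[7],
            "start": datetime.fromtimestamp(f[8], tz=timezone.utc).isoformat(),
            "exitcode": f[3],
            # ac_comm is the command name only, NUL-padded to 16 bytes: no arguments.
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
        }


def root_commands(blob):
    """Return the records whose UID is 0, in file order."""
    return [r for r in parse_acct(blob) if r["uid"] == 0]


def _record(uid, pid, ppid, comm, flag=0, btime=1186012908):
    """Build one constructed acct_v3 record for the sample below."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, uid, pid, ppid, btime, 0.0,
                        *([0] * 8), comm.encode())


# Constructed sample data, not taken from a real system.
SAMPLE = b"".join([
    _record(0, 4312, 4300, "useradd", flag=ASU),
    _record(1000, 4313, 4100, "ls"),
    _record(0, 4314, 4300, "vi"),
])

if __name__ == "__main__":
    for r in root_commands(SAMPLE):
        su = "S" if r["flag"] & ASU else "-"
        print(r["start"], r["pid"], r["ppid"], su, r["comm"])
```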