Audit trail for root?

George Toft george at georgetoft.com
Thu Aug 2 05:40:17 MST 2007


Thanks Brant,

Unfortunately, that 2.6 kernel thing is a deal buster as they use 2.4 
kernels.

However, this is pretty cool - thanks for the info!

George Toft, CISSP, MSIS
623-203-1760




Brant Evans wrote:
> George,
> 
> Look into LAuS (Linux Audit Subsystem). It has the ability to watch
> commands as well as system calls. I don't remember if it records
> command-line options or not.
> 
> LAuS is in 2.6 kernels. To get started look at the man pages for
> auditd and auditctl.
> 
> Brant Evans
> 
> 
> On 8/1/07, George Toft <george at georgetoft.com> wrote:
> 
>>sooo close!
>>
>>psacct does everything we need except log the parameters to the command.
>>  This is important as it simply shows I ran a command - not what I
>>really did:
>>
>>[root at ServerABB account]# lastcomm --user root
>>lastcomm                root     pts/0      0.01 secs Wed Aug  1 21:19
>>man                     root     pts/0      0.04 secs Wed Aug  1 21:19
>>sh                      root     pts/0      0.00 secs Wed Aug  1 21:19
>>sh                      root     pts/0      0.00 secs Wed Aug  1 21:19
>>less                    root     pts/0      0.00 secs Wed Aug  1 21:19
>>
>>
>>man lastcomm does not indicate I can do that, either.
>>
>>George Toft, CISSP, MSIS
>>623-203-1760
>>
>>
>>
>>
>>Jeremy C. Reed wrote:
>>
>>>On Wed, 1 Aug 2007, George Toft wrote:
>>>
>>>
>>>
>>>>I am searching for a solution.  Client company is looking for a means to
>>>>track all commands issued by root.  PowerBroker has already been
>>>>excluded as it will cost over $1M to deploy.  Product must be
>>>>inexpensive and supported.
>>>>
>>>>I've researched this a bit already, and came up with sudoshell (no
>>>>development since 2004) and modifying the bash source code and
>>>>recompiling.  Neither solution is acceptable.
>>>>
>>>>Any ideas?
>>>
>>>
>>>How much detail do you need? BSD systems have accounting of all commands
>>>that can be easily enabled -- it has been useful for me.
>>>
>>>Linux has similar capability. Some old links:
>>>
>>>http://www.ibiblio.org/pub/Linux/system/admin/accounts/acct-1.3.73.lsm
>>>(source in same directory)
>>>http://directory.fsf.org/acct.html
>>>http://www.faqs.org/docs/Linux-mini/Process-Accounting.html
>>>http://www.linuxjournal.com/article/6144
>>>
>>>Some of my customers use atop. (I installed it recently on CentOS.)
>>>I found some links:
>>>
>>>http://www.atconsultancy.nl/atop/
>>>http://aplawrence.com/Words2005/2005_07_09.html
>>>
>>>These both keep logs.
>>>
>>>If they don't record what you want, let us know. (Also FreeBSD recently
>>>gained "security event auditing" which has some portable code for Linux
>>>called OpenBSM ("M" on the end there).
>>>
>>>  Jeremy C. Reed
>>>---------------------------------------------------
>>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>>To subscribe, unsubscribe, or to change your mail settings:
>>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>>
>>>
>>
>>
> 
> 
> 
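The gap George hit with lastcomm (it records that root ran `less`, not what `less` was pointed at) is exactly what the Linux Audit subsystem Brant mentions closes: an execve rule makes auditd write a SYSCALL record plus an EXECVE record carrying every argument. The following Python parser is an added example, not code from anyone in this thread, and it assumes a 2.6-era auditd configured with a rule along the lines of `auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k rootcmd` (so it would not help on the 2.4 kernels George's client runs). The audit.log lines embedded below are constructed for the example; the `rootcmd` key and the uids are placeholders.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample audit.log excerpt (not a real capture). Three execve events:
# root running `less /etc/shadow`, an ordinary user running `ls -la`, and root
# running `cp` with an argument containing a space, which auditd hex-encodes
# (unquoted a1=...) instead of quoting.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1185999540.101:4567): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0 a1=7fff1 a2=7fff2 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="less" exe="/usr/bin/less" key="rootcmd"
type=EXECVE msg=audit(1185999540.101:4567): argc=2 a0="less" a1="/etc/shadow"
type=CWD msg=audit(1185999540.101:4567): cwd="/root"
type=SYSCALL msg=audit(1185999541.202:4568): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0 a1=7fff1 a2=7fff2 a3=0 items=2 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="ls" exe="/bin/ls" key="rootcmd"
type=EXECVE msg=audit(1185999541.202:4568): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1185999542.303:4569): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0 a1=7fff1 a2=7fff2 a3=0 items=2 ppid=2001 pid=2003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" key="rootcmd"
type=EXECVE msg=audit(1185999542.303:4569): argc=3 a0="cp" a1=2F6574632F6D792066696C65 a2="/tmp/"
"""

HEADER_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit record into (type, timestamp, serial, {field: raw value})."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rtype, ts, serial = m.groups()
    fields = dict(FIELD_RE.findall(line))
    return rtype, float(ts), int(serial), fields


def decode_arg(raw):
    """EXECVE args: quoted when printable, hex-encoded when they hold spaces or
    control characters, and "(null)" for an empty argument."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return ""
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw  # not hex after all; keep the raw token rather than drop it


def reconstruct_commands(log_text):
    """Correlate SYSCALL/EXECVE/CWD records by (timestamp, serial) into one event each."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, f = rec
        ev = events[(ts, serial)]
        if rtype == "SYSCALL":
            ev.update({
                "ts": ts,
                # auid is the login uid: it survives su/sudo, so it names the human
                # behind a root command, which uid/euid alone cannot tell you.
                "auid": int(f["auid"]),
                "uid": int(f["uid"]),
                "euid": int(f["euid"]),
                "tty": f.get("tty", "?"),
                "exe": f.get("exe", "").strip('"'),
                "key": f.get("key", "").strip('"'),
                "success": f.get("success") == "yes",
            })
        elif rtype == "EXECVE":
            argc = int(f.get("argc", "0"))
            ev["argv"] = [decode_arg(f.get(f"a{i}", "(null)")) for i in range(argc)]
        elif rtype == "CWD":
            ev["cwd"] = f["cwd"].strip('"')
    return [ev for _, ev in sorted(events.items()) if "argv" in ev and "euid" in ev]


def root_commands(log_text):
    """The view George asked for: every command executed with effective uid 0."""
    return [ev for ev in reconstruct_commands(log_text) if ev["euid"] == 0]


def format_event(ev):
    """One human-readable line per event, with the argv quoted for the shell."""
    return (f"{ev['ts']:.3f} auid={ev['auid']} euid={ev['euid']} tty={ev['tty']} "
            f"cwd={ev.get('cwd', '?')} {shlex.join(ev['argv'])}")


if __name__ == "__main__":
    for ev in root_commands(SAMPLE_AUDIT_LOG):
        print(format_event(ev))
```

Running it prints only the two root events, with the full argument vector (`less /etc/shadow`, then `cp '/etc/my file' /tmp/`) that lastcomm never showed, plus the login uid that identifies who became root. Very long arguments are split by auditd into `aN_len` and `aN[k]` pieces, which this parser does not reassemble; `ausearch -i` handles that case and the hex decoding for you on a real system.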

