Re: Audit trail for root?

Author: Jeremy C. Reed
Date:
To: Main PLUG discussion list
Subject: Re: Audit trail for root?
On Wed, 1 Aug 2007, George Toft wrote:

> I am searching for a solution. Client company is looking for a means to
> track all commands issued by root. PowerBroker has already been
> excluded as it will cost over $1M to deploy. Product must be
> inexpensive and supported.
>
> I've researched this a bit already, and came up with sudoshell (no
> development since 2004) and modifying the bash source code and
> recompiling. Neither solution is acceptable.
>
> Any ideas?


How much detail do you need? BSD systems have accounting of all commands
that can be easily enabled -- it has been useful for me.

Linux has similar capability. Some old links:

http://www.ibiblio.org/pub/Linux/system/admin/accounts/acct-1.3.73.lsm
(source in same directory)
http://directory.fsf.org/acct.html
http://www.faqs.org/docs/Linux-mini/Process-Accounting.html
http://www.linuxjournal.com/article/6144

Some of my customers use atop. (I installed it recently on CentOS.)
I found some links:

http://www.atconsultancy.nl/atop/
http://aplawrence.com/Words2005/2005_07_09.html

These both keep logs.

If they don't record what you want, let us know. (Also FreeBSD recently
gained "security event auditing" which has some portable code for Linux
called OpenBSM ("M" on the end there).)

Jeremy C. Reed
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
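
An added example, not part of the original message and not code from any of the linked projects: a reader for the Linux process accounting file that lists what was recorded for root. It assumes the kernel writes version 3 records (struct acct_v3); the function names and the sample records are constructed for illustration. Each record holds only the command name, not its arguments.

```python
import struct
from datetime import datetime, timezone

# Linux struct acct_v3 (linux/acct.h): 64 bytes, little-endian assumed here.
ACCT_V3 = struct.Struct("<BBH6If8H16s")
ASU = 0x02  # ac_flag bit: process used superuser privileges

def parse_acct(buf):
    """Yield a dict per version-3 record; a truncated tail is ignored."""
    usable = len(buf) - len(buf) % ACCT_V3.size
    for off in range(0, usable, ACCT_V3.size):
        f = ACCT_V3.unpack_from(buf, off)
        flag, version, _tty, exitcode, uid, _gid, pid, ppid, btime = f[:9]
        if version != 3:
            continue
        start = datetime.fromtimestamp(btime, tz=timezone.utc)
        yield {
            # ac_comm is the command name only (no arguments), NUL-padded
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid, "pid": pid, "ppid": ppid, "exitcode": exitcode,
            "asu": bool(flag & ASU), "start": start.isoformat(),
        }

def root_activity(buf):
    """Records run with real uid 0, or flagged as having used root privilege."""
    return [r for r in parse_acct(buf) if r["uid"] == 0 or r["asu"]]

def make_record(comm, uid, pid, ppid, btime, flag=0):
    """Build one constructed acct_v3 record for the sample below."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, uid, pid, ppid, btime,
                        0.0, *([0] * 8), comm.encode())

# Constructed sample data, not taken from a real system.
SAMPLE = b"".join([
    make_record("bash", 1000, 4100, 4099, 1185990000),
    make_record("useradd", 0, 4120, 4101, 1185990060, ASU),
    make_record("passwd", 1000, 4130, 4100, 1185990090, ASU),  # setuid binary
    make_record("ls", 0, 4140, 4101, 1185990120),
]) + b"\x00" * 10  # partial record at the end of the file

if __name__ == "__main__":
    for r in root_activity(SAMPLE):
        print(r["start"], r["uid"], r["pid"], r["comm"], "ASU" if r["asu"] else "")
```

Records are written when a process exits, so a root shell that is still running does not appear until it ends.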