Re: Audit trail for root?

Author: George Toft
Date:  
To: Main PLUG discussion list
Subject: Re: Audit trail for root?
sooo close!

psacct does everything we need except log the parameters to the command.
This is important as it simply shows I ran a command - not what I
really did:

[root@ServerABB account]# lastcomm --user root
lastcomm                root     pts/0      0.01 secs Wed Aug  1 21:19
man                     root     pts/0      0.04 secs Wed Aug  1 21:19
sh                      root     pts/0      0.00 secs Wed Aug  1 21:19
sh                      root     pts/0      0.00 secs Wed Aug  1 21:19
less                    root     pts/0      0.00 secs Wed Aug  1 21:19



man lastcomm does not indicate I can do that, either.

George Toft, CISSP, MSIS
623-203-1760




Jeremy C. Reed wrote:
> On Wed, 1 Aug 2007, George Toft wrote:
>
>
>>I am searching for a solution. Client company is looking for a means to
>>track all commands issued by root. PowerBroker has already been
>>excluded as it will cost over $1M to deploy. Product must be
>>inexpensive and supported.
>>
>>I've researched this a bit already, and came up with sudoshell (no
>>development since 2004) and modifying the bash source code and
>>recompiling. Neither solution is acceptable.
>>
>>Any ideas?
>
>
> How much detail do you need? BSD systems have accounting of all commands
> that can be easily enabled -- it has been useful for me.
>
> Linux has similar capability. Some old links:
>
> http://www.ibiblio.org/pub/Linux/system/admin/accounts/acct-1.3.73.lsm
> (source in same directory)
> http://directory.fsf.org/acct.html
> http://www.faqs.org/docs/Linux-mini/Process-Accounting.html
> http://www.linuxjournal.com/article/6144
>
> Some of my customers use atop. (I installed it recently on CentOS.)
> I found some links:
>
> http://www.atconsultancy.nl/atop/
> http://aplawrence.com/Words2005/2005_07_09.html
>
> These both keep logs.
>
> If they don't record what you want, let us know. (Also FreeBSD recently
> gained "security event auditing" which has some portable code for Linux
> called OpenBSM ("M" on the end there).)
>
> Jeremy C. Reed
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
