Audit trail for root?

Brant Evans brant.evans at gmail.com
Thu Aug 2 13:34:35 MST 2007


Just a thought...If the client is running RHEL3 there was an update
(Update 2 I believe and then enhancements in Update 3) that introduced
the LAuS functionality.

On 8/2/07, George Toft <george at georgetoft.com> wrote:
> Thanks Brant,
>
> Unfortunately, that 2.6 kernel thing is a deal buster as they use 2.4
> kernels.
>
> However, this is pretty cool - thanks for the info!
>
> George Toft, CISSP, MSIS
> 623-203-1760
>
>
>
>
> Brant Evans wrote:
> > George,
> >
> > Look into LAuS (Linux Audit Subsystem). It has the ability to watch
> > commands as well as system calls. I don't remember if it records
> > command-line options or not.
> >
> > LAuS is in 2.6 kernels. To get started look at the man pages for
> > auditd and auditctl.
> >
> > Brant Evans
> >
> >
> > On 8/1/07, George Toft <george at georgetoft.com> wrote:
> >
> >>sooo close!
> >>
> >>psacct does everything we need except log the parameters to the command.
> >>This is important as it simply shows I ran a command - not what I
> >>really did:
> >>
> >>[root at ServerABB account]# lastcomm --user root
> >>lastcomm                root     pts/0      0.01 secs Wed Aug  1 21:19
> >>man                     root     pts/0      0.04 secs Wed Aug  1 21:19
> >>sh                      root     pts/0      0.00 secs Wed Aug  1 21:19
> >>sh                      root     pts/0      0.00 secs Wed Aug  1 21:19
> >>less                    root     pts/0      0.00 secs Wed Aug  1 21:19
> >>
> >>
> >>man lastcomm does not indicate I can do that, either.
> >>
> >>George Toft, CISSP, MSIS
> >>623-203-1760
> >>
> >>
> >>
> >>
> >>Jeremy C. Reed wrote:
> >>
> >>>On Wed, 1 Aug 2007, George Toft wrote:
> >>>
> >>>
> >>>
> >>>>I am searching for a solution.  Client company is looking for a means to
> >>>>track all commands issued by root.  PowerBroker has already been
> >>>>excluded as it will cost over $1M to deploy.  Product must be
> >>>>inexpensive and supported.
> >>>>
> >>>>I've researched this a bit already, and came up with sudoshell (no
> >>>>development since 2004) and modifying the bash source code and
> >>>>recompiling.  Neither solution is acceptable.
> >>>>
> >>>>Any ideas?
> >>>
> >>>
> >>>How much detail do you need? BSD systems have accounting of all commands
> >>>that can be easily enabled -- it has been useful for me.
> >>>
> >>>Linux has similar capability. Some old links:
> >>>
> >>>http://www.ibiblio.org/pub/Linux/system/admin/accounts/acct-1.3.73.lsm
> >>>(source in same directory)
> >>>http://directory.fsf.org/acct.html
> >>>http://www.faqs.org/docs/Linux-mini/Process-Accounting.html
> >>>http://www.linuxjournal.com/article/6144
> >>>
> >>>Some of my customers use atop. (I installed it recently on CentOS.)
> >>>I found some links:
> >>>
> >>>http://www.atconsultancy.nl/atop/
> >>>http://aplawrence.com/Words2005/2005_07_09.html
> >>>
> >>>These both keep logs.
> >>>
> >>>If they don't record what you want, let us know. (Also FreeBSD recently
> >>>gained "security event auditing" which has some portable code for Linux
> >>>called OpenBSM ("M" on the end there).
> >>>
> >>>  Jeremy C. Reed
> >>>---------------------------------------------------
> >>>PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> >>>To subscribe, unsubscribe, or to change your mail settings:
> >>>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >>>
> >>>
> >>
> >>
> >
> >
> >
>
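On the open question above of whether the audit subsystem records command-line options: the modern Linux audit daemon does, because each execve produces a SYSCALL record (uid, euid, auid, exe) and an EXECVE record carrying argc and a0..aN, which is exactly the detail lastcomm lacks. The following is an added example, not code from anyone on this thread; it assumes the current auditd log format (not RHEL3's LAuS), the auditctl rule shown in the comment as the source of the records, and a constructed sample log.

```python
import re

# Constructed sample of Linux audit log lines (assumed modern auditd format),
# such as this rule (assumed) would produce for every execve running as root:
#   auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k root-cmds
# Each execve yields a SYSCALL record and an EXECVE record sharing one serial.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1185999999.123:456): arch=c000003e syscall=59 success=yes exit=0 pid=1001 auid=500 uid=0 euid=0 comm="lastcomm" exe="/usr/sbin/lastcomm" key="root-cmds"
type=EXECVE msg=audit(1185999999.123:456): argc=3 a0="lastcomm" a1="--user" a2="root"
type=SYSCALL msg=audit(1185999999.200:457): arch=c000003e syscall=59 success=yes exit=0 pid=1002 auid=500 uid=0 euid=0 comm="rm" exe="/bin/rm" key="root-cmds"
type=EXECVE msg=audit(1185999999.200:457): argc=3 a0="rm" a1="-rf" a2=2F7661722F746D702F6D7920646972
type=SYSCALL msg=audit(1185999999.300:458): arch=c000003e syscall=59 success=yes exit=0 pid=2001 auid=501 uid=501 euid=501 comm="ls" exe="/bin/ls" key="all-cmds"
type=EXECVE msg=audit(1185999999.300:458): argc=2 a0="ls" a1="-la"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')  # auditd hex-encodes args containing spaces or odd bytes

def strip_quotes(raw):
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw

def decode_arg(raw):
    """EXECVE a<n> values are either quoted strings or unquoted uppercase hex."""
    if raw.startswith('"'):
        return strip_quotes(raw)
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw

def parse_events(log_text):
    """Join the SYSCALL and EXECVE records by serial so each execve is one event."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events.setdefault(int(serial), {'ts': ts})
        if rtype == 'SYSCALL':
            ev.update({k: strip_quotes(fields.get(k, '')) for k in ('auid', 'euid', 'exe')})
        elif rtype == 'EXECVE':
            argc = int(fields.get('argc', '0'))
            ev['argv'] = [decode_arg(fields.get('a%d' % i, '')) for i in range(argc)]
    return events

def root_commands(log_text):
    """Commands run with euid 0, each with full argv and the login uid (auid) that ran it."""
    return [(serial, ev['auid'], ev['exe'], ev['argv'])
            for serial, ev in sorted(parse_events(log_text).items())
            if ev.get('euid') == '0' and 'argv' in ev]
```

The auid field survives su/sudo, so each root command is traceable to the login that issued it, not just to uid 0.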

