Re: Logging root activity with syslog-ng

Casper Helenius wrote:

> I need to log every root activity on my Gentoo server, running syslog-ng.
> 
> I need to log logins (and, if possible, logouts) both by root or by 
> users SUDO'ing. I need to log which commands are executed as well as 
> their parameters.

The only way to achieve the last part is to log the raw connection
with e.g. ttysnoop. Even then, there are ways to get around it (e.g. 
upload a program and run that; unless you log all of the ways a
program can be uploaded, you won't know what they're actually
running).

Process accounting (CONFIG_BSD_PROCESS_ACCT) will log which programs
are run, but not their arguments or inputs.

Finally, anyone with unrestricted root privilege can disable or
otherwise interfere with logging. And if you're keeping the log files
locally (rather than using a separate logging server or a printer),
they can edit them.

-- 
Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>
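
An added example, not part of the original message: a parser for process accounting records in the kernel's `struct acct_v3` layout, showing that each record carries only a 16-byte command name and no arguments. It assumes the v3 file format (CONFIG_BSD_PROCESS_ACCT_V3) on a little-endian host; `parse_acct`, `root_commands`, `make_record` and the sample records are constructed for illustration.

```python
import struct

# struct acct_v3 from <linux/acct.h> (little-endian host), 64 bytes per record:
# flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
# eight comp_t counters (utime, stime, mem, io, rw, minflt, majflt, swaps), comm[16]
ACCT_V3 = struct.Struct("<BBH6If8H16s")
ASU = 0x02  # ac_flag bit: process used superuser privileges


def parse_acct(data):
    """Return one dict per record in a v3 process accounting file image."""
    if len(data) % ACCT_V3.size:
        raise ValueError("file length is not a multiple of the record size")
    records = []
    for off in range(0, len(data), ACCT_V3.size):
        f = ACCT_V3.unpack_from(data, off)
        if f[1] != 3:
            raise ValueError("not an acct_v3 record at offset %d" % off)
        records.append({
            "flag": f[0], "tty": f[2], "exitcode": f[3], "uid": f[4], "gid": f[5],
            "pid": f[6], "ppid": f[7], "btime": f[8], "etime": f[9],
            # ac_comm is the only trace of what was executed: the program
            # name, NUL-padded to 16 bytes. There is no argv field.
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
        })
    return records


def root_commands(data):
    """(pid, comm) for every record that ran as uid 0 or set ASU."""
    return [(r["pid"], r["comm"]) for r in parse_acct(data)
            if r["uid"] == 0 or r["flag"] & ASU]


def make_record(uid, pid, ppid, comm, flag=0):
    """Build one constructed sample record (not real accounting data)."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, uid, pid, ppid, 1100000000, 0.5,
                        0, 0, 0, 0, 0, 0, 0, 0, comm.encode())


# Constructed sample: one record for a user's sudo process, two for root 'rm'
# processes. Whatever arguments each rm was given, the records differ only by pid.
SAMPLE = (make_record(1000, 4100, 4000, "sudo", ASU)
          + make_record(0, 4101, 4100, "rm", ASU)
          + make_record(0, 4102, 4100, "rm", ASU))

if __name__ == "__main__":
    for pid, comm in root_commands(SAMPLE):
        print(pid, comm)
```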