Not only that, but you could also obfuscate the script. One user I
dealt with that attempted to evade detection perlcc-ed system call
wrapped commands into a binary file. Relying on the shell functionality
for these kinds of things is not wise (IMHO) to get reliable data about
who is doing what. Zbynek's recipe is great, simple, but it will not
really catch easily folks that know how to cover their tracks.
GM
On 09/23/2010 04:29 PM, Marti, Robert wrote:
I haven't tried them, but do these track executing shell commands from inside vim or other editors? Or other ways of running commands? (write a script, run it, delete the script)
Rob Marti
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
bounces@xxxxxxxxxx] On Behalf Of Zbynek Vymazal
Sent: Thursday, September 23, 2010 9:20 AM
To: General Red Hat Linux discussion list
Subject: RE: User Auditing
Hi Rob,
I'm logging command history of every user to remote syslog server. It
requires two steps on client side:
1) Add following function to /etc/profile:
function history_to_syslog
{
declare command
command=$(fc -ln -0)
logger -p local7.notice -t bash -i -- $USER : $command } trap
history_to_syslog DEBUG
2) Configure local syslog to resend logs to remote syslog (/etc/syslog-
ng/syslog-ng.conf):
# Send local messages to central syslog server
filter f_filter7 { facility(local7); };
destination d_syslog_server { udp(xxx.xxx.xxx.xxx); }; log { source(s_sys);
filter(f_filter7); destination(d_syslog_server); };
Best regards,
Zbynek Vymazal
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
bounces@xxxxxxxxxx] On Behalf Of Rob DeSanno
Sent: Thursday, September 23, 2010 15:40
To: General Red Hat Linux discussion list
Subject: User Auditing
This should be an easy question.
I use Logwatch on all of my RHEL servers and would like for it to also report
on all commands that any user had typed when logged in as well.
Something along the lines of UID: Command to give me an idea of who was
doing what at any given period of time.
I tried using snoopy but that gave me much more than I was looking for. I'm
now playing around with psacct and logger but was curious to know what
everyone else out there uses to monitor user activity besides looking into
everyone history file.
Thanks in advance!
~Rob
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
--
--
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair
http://folk.uio.no/georgios
Tel: +47 22840535
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
