Thanks all for the good suggestions. I'm giving Zbynek's solution a try
right now and understand the limitations but it's better than what I have at
the moment.

On Thu, Sep 23, 2010 at 10:41 AM, Georgios Magklaras <georgios@xxxxxxxxxxxxx> wrote:

> Not only that, but you could also obfuscate the script. One user I dealt
> with that attempted to evade detection perlcc-ed system call wrapped
> commands into a binary file. Relying on the shell functionality for these
> kinds of things is not wise (IMHO) to get reliable data about who is doing
> what. Zbynek's recipe is great, simple, but it will not really catch easily
> folks that know how to cover their tracks.
>
> GM
>
>
> On 09/23/2010 04:29 PM, Marti, Robert wrote:
>
>> I haven't tried them, but do these track executing shell commands from
>> inside vim or other editors? Or other ways of running commands? (write a
>> script, run it, delete the script)
>>
>> Rob Marti
>>
>> -----Original Message-----
>>> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Zbynek Vymazal
>>> Sent: Thursday, September 23, 2010 9:20 AM
>>> To: General Red Hat Linux discussion list
>>> Subject: RE: User Auditing
>>>
>>> Hi Rob,
>>>
>>> I'm logging command history of every user to remote syslog server. It
>>> requires two steps on client side:
>>>
>>> 1) Add following function to /etc/profile:
>>>
>>> function history_to_syslog
>>> {
>>>     declare command
>>>     # Most recent history entry, without its history number
>>>     command=$(fc -ln -0)
>>>     # Quoted so the shell does not glob-expand or re-split the logged text
>>>     logger -p local7.notice -t bash -i -- "$USER : $command"
>>> }
>>> # Run the function before every command the shell executes
>>> trap history_to_syslog DEBUG
>>>
>>> 2) Configure local syslog to resend logs to remote syslog
>>> (/etc/syslog-ng/syslog-ng.conf):
>>>
>>> # Send local messages to central syslog server
>>>
>>> filter f_filter7 { facility(local7); };
>>> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); };
>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
>>>
>>> Best regards,
>>>
>>> Zbynek Vymazal
>>>
>>> -----Original Message-----
>>> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rob DeSanno
>>> Sent: Thursday, September 23, 2010 15:40
>>> To: General Red Hat Linux discussion list
>>> Subject: User Auditing
>>>
>>> This should be an easy question.
>>>
>>> I use Logwatch on all of my RHEL servers and would like for it to also
>>> report on all commands that any user had typed when logged in as well.
>>> Something along the lines of UID: Command to give me an idea of who was
>>> doing what at any given period of time.
>>>
>>> I tried using snoopy but that gave me much more than I was looking for.
>>> I'm now playing around with psacct and logger but was curious to know what
>>> everyone else out there uses to monitor user activity besides looking
>>> into everyone's history file.
>>>
>>> Thanks in advance!
>>> ~Rob
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
>
> --
> George Magklaras
> Senior Systems Engineer/IT Manager
> Biotek Center, University of Oslo
> EMBnet TMPC Chair
>
> http://folk.uio.no/georgios
>
> Tel: +47 22840535
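
A report filter for the log lines that the recipe quoted above sends to the central syslog server, producing the "UID: Command" view asked for in the original question. This is an added example, not part of the original thread; the sample log lines, host names, user names and the `user@host` output format are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the lines written by the history_to_syslog trap.

# Constructed sample of the central syslog file (hosts and users are made up).
sample_log() {
    cat <<'EOF'
Sep 23 10:41:02 web01 bash[4101]: rob : ls -l /etc
Sep 23 10:41:09 web01 bash[4107]: rob : ps aux | grep httpd
Sep 23 10:41:09 web01 bash[4109]: rob : ps aux | grep httpd
Sep 23 10:41:30 web01 sshd[4200]: Accepted password for alice from 192.0.2.10
Sep 23 10:42:11 db01 bash[977]: alice : vim /etc/hosts
Sep 23 10:42:50 db01 bash[981]: rob : ls -l /etc
Sep 23 10:43:05 db01 bash[990]: alice :
EOF
}

# Read syslog lines on stdin, print one "user@host: command" line per command.
history_report() {
    awk '
    {
        # Find the "bash[PID]:" tag; its field position depends on the
        # timestamp format the syslog server writes.
        t = 0
        for (i = 2; i <= NF; i++)
            if ($i ~ /^bash\[[0-9]+\]:$/) { t = i; break }
        # Keep only "USER : COMMAND" payloads with a non-empty command.
        if (t == 0 || NF < t + 3 || $(t + 2) != ":") next
        who = $(t + 1) "@" $(t - 1)
        cmd = $(t + 3)
        for (i = t + 4; i <= NF; i++) cmd = cmd " " $i
        # The DEBUG trap fires once per simple command, so a pipeline logs
        # the same history entry several times. The PID in the tag is that
        # of the short-lived logger process, so it cannot identify a
        # session; consecutive repeats are folded per user and host instead.
        # This also folds a command typed twice in a row on purpose.
        if ((who in last) && last[who] == cmd) next
        last[who] = cmd
        print who ": " cmd
    }'
}

sample_log | history_report
```
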