I'm a fan of auditing root keystrokes and shipping them off the box - you can see what happens if your server gets compromised or if you have a disgruntled employee by setting up alerts on the log correlation box. Plus it allows a historical view of an event that bash_history doesn't always - especially if the admin doesn't use a shell that has a history. Auditing normal users, however, typically isn't worth it.

Rob Marti
Systems Administrator
Sam Houston State University
936-294-3804 // rob@xxxxxxxx

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
> Sent: Thursday, September 23, 2010 10:29 AM
> To: General Red Hat Linux discussion list
> Subject: RE: User Auditing
>
> Marti, Robert wrote:
> > I haven't tried them, but do these track executing shell commands from
> > inside vim or other editors? Or other ways of running commands?
> > (write a script, run it, delete the script)
> >
> It also strikes me as a) a great way to create an overwhelming amount of
> data; b) useless - consider the user edits a script, suspends the editing
> session, runs the script, foregrounds the editing session, and undoes
> whatever code they put in. Oh, and c) over-the-top Big Brother; I mean,
> there's oversight, and there's this: if there's this mistrust of the employees,
> then perhaps management should either hire trustworthy employees, or
> only allow trusted employees to work on the systems.
>
> mark, *not* a fan of the idea.
> >
> >> -----Original Message-----
> >> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Zbynek Vymazal
> >> Sent: Thursday, September 23, 2010 9:20 AM
> >> To: General Red Hat Linux discussion list
> >> Subject: RE: User Auditing
> >>
> >> Hi Rob,
> >>
> >> I'm logging command history of every user to remote syslog server.
> >> It requires two steps on client side:
> >>
> >> 1) Add following function to /etc/profile:
> >>
> >> function history_to_syslog
> >> {
> >>     declare command
> >>     # Most recent history entry, without its history number
> >>     command=$(fc -ln -0)
> >>     # Drop the leading whitespace that fc prints before the entry
> >>     command=${command#"${command%%[![:space:]]*}"}
> >>     # Quoted so the logged text is not glob-expanded or word-split
> >>     logger -p local7.notice -t bash -i -- "$USER : $command"
> >> }
> >> trap history_to_syslog DEBUG
> >>
> >> 2) Configure local syslog to resend logs to remote syslog
> >> (/etc/syslog-ng/syslog-ng.conf):
> >>
> >> # Send local messages to central syslog server
> >>
> >> filter f_filter7 { facility(local7); };
> >> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); };
> >> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> >>
> >> Best regards,
> >>
> >> Zbynek Vymazal
> >>
> >> -----Original Message-----
> >> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rob DeSanno
> >> Sent: Thursday, September 23, 2010 15:40
> >> To: General Red Hat Linux discussion list
> >> Subject: User Auditing
> >>
> >> This should be an easy question.
> >>
> >> I use Logwatch on all of my RHEL servers and would like for it to
> >> also report on all commands that any user had typed when logged in as
> >> well. Something along the lines of UID: Command to give me an idea of who
> >> was doing what at any given period of time.
> >>
> >> I tried using snoopy but that gave me much more than I was looking for.
> >> I'm now playing around with psacct and logger but was curious to know
> >> what everyone else out there uses to monitor user activity besides
> >> looking into everyone's history file.
> >>
> >> Thanks in advance!
> >> ~Rob
> >> --
> >> redhat-list mailing list
> >> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> >> https://www.redhat.com/mailman/listinfo/redhat-list
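
The "UID: Command" report and the root alerting discussed in this thread could be produced on the central syslog box along these lines. This is an added example, not code from any of the posters; it assumes the traditional syslog line layout and the `bash[pid]` tag produced by the `logger -t bash -i` call in the quoted hook, and every sample log line is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the traditional syslog layout
#   "Mon DD HH:MM:SS host bash[pid]: user : command"
# as written by `logger -p local7.notice -t bash -i -- ...` in the quoted hook.

# Constructed sample lines (hosts, users and commands are made up).
sample_log() {
cat <<'EOF'
Sep 23 10:29:01 web01 bash[4121]: alice : ls -l /var/www
Sep 23 10:29:40 web01 bash[4127]: root : vi /etc/passwd
Sep 23 10:29:40 web01 bash[4128]: root : vi /etc/passwd
Sep 23 10:30:02 web01 sshd[991]: Accepted publickey for alice
Sep 23 10:31:15 db01 bash[2210]: root : ./fix.sh; rm fix.sh
Sep 23 10:31:16 db01 bash[2211]: root : ./fix.sh; rm fix.sh
Sep 23 10:32:00 db01 bash[2215]: bob : : > notes.txt
EOF
}

# Read syslog lines on stdin, print "host user: command" once per history
# entry, with root entries prefixed "ALERT".
history_report() {
    awk '
    # Only messages tagged bash[pid]: come from the hook.
    $5 !~ /^bash\[[0-9]+\]:$/ { next }
    {
        rest = substr($0, index($0, "]: ") + 3)
        sep = index(rest, " : ")          # first " : " ends the user name
        if (sep == 0) next
        user = substr(rest, 1, sep - 1)
        cmd = substr(rest, sep + 3)       # may itself contain " : "
        sub(/^[ \t]+/, "", cmd)
        # The DEBUG trap runs before every simple command, so "a; b" logs
        # the same history entry twice; collapse consecutive repeats.
        # (A command the user really typed twice in a row collapses too.)
        key = $4 SUBSEP user SUBSEP cmd
        if (key == last) next
        last = key
        printf "%s%s %s: %s\n", (user == "root" ? "ALERT " : ""), $4, user, cmd
    }'
}

sample_log | history_report
```

The report only contains what reached shell history, so commands run from inside an editor or from a script that is later deleted, as raised earlier in the thread, do not appear in it.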