Rob DeSanno wrote:
> Let me tell you why I want this for the sake of this discussion:
>
> We have servers in our environment by which multiple people (inside and out)
> can issue commands as either themselves or as root (under sudo of course).
> While I would prefer that everything goes through me for changes, that is
> not practical here. I want to be informed on what these people/vendors are
> doing to my systems at all times and would rather know than to not know,
> if that makes sense. It's not 100% about security either but to give me a
> sense of what is happening in the environment that I am supporting.

Have you already limited what commands some of these folks can use with
/etc/sudoers?

mark

>
> On Thu, Sep 23, 2010 at 12:43 PM, Marti, Robert <RJM002@xxxxxxxx> wrote:
>
>> Why is there a browser (text or otherwise) installed on the server?
>> And the pam bit that logs keystrokes to auditd does log every keypress.
>> And it logs the program you were typing in.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the functionality
>> I'm describing.
>>
>> Like I said - I only use it to log for root. People should not be
>> considering actions done as root to be private.
>>
>> Rob Marti
>>
>> > -----Original Message-----
>> > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Georgios Magklaras
>> > Sent: Thursday, September 23, 2010 11:12 AM
>> > To: General Red Hat Linux discussion list
>> > Subject: Re: User Auditing
>> >
>> > Auditing keystrokes will not always reveal the whole picture and is VERY
>> > intrusive for people. How are you going to correlate (and prove) that when
>> > you type something like http://www.abadsite.com , you are typing it on the
>> > descriptor of the web browser and not a text word processor. Too much
>> > noise for the data and too much invasion to privacy, never saw the point
>> > really apart from folk that do keystroke-based user authentication, which is
>> > very error prone and it logs only some keystrokes to work, not everything.
>> >
>> > GM
>> >
>> > On 09/23/2010 05:41 PM, Marti, Robert wrote:
>> > > I'm a fan of auditing root keystrokes and shipping them off the box - you
>> > > can see what happens if your server gets compromised or if you have a
>> > > disgruntled employee by setting up alerts on the log correlation box. Plus it
>> > > allows a historical view of an event that bash_history doesn't always -
>> > > especially if the admin doesn't use a shell that has a history. Auditing normal
>> > > users, however, typically isn't worth it.
>> > >
>> > > Rob Marti
>> > > Systems Administrator
>> > > Sam Houston State University
>> > > 936-294-3804 // rob@xxxxxxxx
>> > >
>> > >
>> > >> -----Original Message-----
>> > >> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
>> > >> Sent: Thursday, September 23, 2010 10:29 AM
>> > >> To: General Red Hat Linux discussion list
>> > >> Subject: RE: User Auditing
>> > >>
>> > >> Marti, Robert wrote:
>> > >>> I haven't tried them, but do these track executing shell commands
>> > >>> from inside vim or other editors? Or other ways of running commands?
>> > >>> (write a script, run it, delete the script)
>> > >>>
>> > >> It also strikes me as a) a great way to create an overwhelming amount
>> > >> of data; b) useless - consider the user edits a script, suspends the
>> > >> editing session, runs the script, foregrounds the editing session, and
>> > >> undoes whatever code they put in. Oh, and c) over-the-top Big
>> > >> Brother; I mean, there's oversight, and there's this: if there's this
>> > >> mistrust of the employees, then perhaps management should either hire
>> > >> trustworthy employees, or only allow trusted employees to work on the
>> > >> systems.
>> > >>
>> > >> mark, *not* a fan of the idea.
>> > >>>> -----Original Message-----
>> > >>>> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Zbynek Vymazal
>> > >>>> Sent: Thursday, September 23, 2010 9:20 AM
>> > >>>> To: General Red Hat Linux discussion list
>> > >>>> Subject: RE: User Auditing
>> > >>>>
>> > >>>> Hi Rob,
>> > >>>>
>> > >>>> I'm logging command history of every user to remote syslog server.
>> > >>>> It requires two steps on client side:
>> > >>>>
>> > >>>> 1) Add following function to /etc/profile:
>> > >>>>
>> > >>>> # Runs from the DEBUG trap, i.e. before every simple command the
>> > >>>> # interactive shell executes; fc -ln -0 returns the most recent
>> > >>>> # history entry, which is the command about to run.
>> > >>>> function history_to_syslog
>> > >>>> {
>> > >>>>     declare command
>> > >>>>     command=$(fc -ln -0)
>> > >>>>     # Quote the message: unquoted, the shell would glob-expand and
>> > >>>>     # word-split the command text before logger ever sees it.
>> > >>>>     logger -p local7.notice -t bash -i -- "$USER : $command"
>> > >>>> }
>> > >>>> trap history_to_syslog DEBUG
>> > >>>>
>> > >>>> 2) Configure local syslog to resend logs to remote syslog
>> > >>>> (/etc/syslog-ng/syslog-ng.conf):
>> > >>>>
>> > >>>> # Send local messages to central syslog server
>> > >>>>
>> > >>>> filter f_filter7 { facility(local7); };
>> > >>>> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); };
>> > >>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
>> > >>>>
>> > >>>> Best regards,
>> > >>>>
>> > >>>> Zbynek Vymazal
>> > >>>>
>> > >>>> -----Original Message-----
>> > >>>> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rob DeSanno
>> > >>>> Sent: Thursday, September 23, 2010 15:40
>> > >>>> To: General Red Hat Linux discussion list
>> > >>>> Subject: User Auditing
>> > >>>>
>> > >>>> This should be an easy question.
>> > >>>>
>> > >>>> I use Logwatch on all of my RHEL servers and would like for it to
>> > >>>> also report on all commands that any user had typed when logged in
>> > >>>> as well.
>> > >>>> Something along the lines of UID: Command to give me an idea of who
>> > >>>> was doing what at any given period of time.
>> > >>>>
>> > >>>> I tried using snoopy but that gave me much more than I was looking for.
>> > >>>> I'm now playing around with psacct and logger but was curious to know
>> > >>>> what everyone else out there uses to monitor user activity besides
>> > >>>> looking into everyone's history file.
>> > >>>>
>> > >>>> Thanks in advance!
>> > >>>> ~Rob
>> > >>>> --
>> > >>>> redhat-list mailing list
>> > >>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>> > >>>> https://www.redhat.com/mailman/listinfo/redhat-list
>> > >
>> > --
>> > --
>> > George Magklaras
>> > Senior Systems Engineer/IT Manager
>> > Biotek Center, University of Oslo
>> > EMBnet TMPC Chair
>> >
>> > http://folk.uio.no/georgios
>> >
>> > Tel: +47 22840535
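The two client-side steps quoted above ship one syslog line per command; the "UID: Command" overview the original question asks for still has to be built on the collecting side. The following is an added example written for this page, not code from any poster on the thread. It assumes the line shape that the quoted `logger -p local7.notice -t bash -i` call produces (syslog prefix, `bash[pid]:`, then `user : command`) and works on a handful of constructed sample lines; the hostname, users, pids and commands are made up. It goes slightly beyond the thread by also pulling out the sudo subset, which is the part of the log that matters most when vendors hold root through sudo.

```sh
#!/bin/sh
# Added example (not from the thread): summarise shell-history syslog lines
# into a per-user command overview. Assumed line format, as produced by the
# logger call quoted in the thread:
#   Sep 23 15:40:05 host1 bash[2201]: rob : sudo vim /etc/sudoers
# Constructed sample data; the sshd line shows that unrelated syslog
# traffic sharing the file is ignored.
SAMPLE_LOG='Sep 23 15:40:01 host1 bash[2201]: rob : ls -la /var/log
Sep 23 15:40:05 host1 bash[2201]: rob : sudo vim /etc/sudoers
Sep 23 15:41:12 host1 bash[2310]: vendor1 : sudo service httpd restart
Sep 23 15:41:30 host1 bash[2310]: vendor1 : cat /etc/passwd
Sep 23 15:42:00 host1 bash[2201]: rob : sudo vim /etc/sudoers
Sep 23 15:43:07 host1 sshd[2400]: Accepted publickey for rob from 10.0.0.5'

# Strip the syslog prefix and keep "user : command". Lines without a
# "bash[pid]:" tag (other daemons) are dropped by sed -n.
extract_commands() {
    sed -n 's/^.* bash\[[0-9][0-9]*\]: //p'
}

# Count how often each user ran each distinct command line.
count_per_user() {
    extract_commands | sort | uniq -c | sed 's/^ *//'
}

# Only the commands run through sudo: the privileged subset worth
# reviewing first. Splitting on " : " keeps the user in $1 and the
# start of the command in $2.
sudo_only() {
    extract_commands | awk -F' : ' '$2 ~ /^sudo / { print }'
}

# Number of distinct users seen in the log.
distinct_users() {
    extract_commands | awk -F' : ' '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: print the per-user summary for the sample data.
printf '%s\n' "$SAMPLE_LOG" | count_per_user
```

Feed the real syslog file to the same functions (`grep 'bash\[' /var/log/messages | count_per_user`) to get the same view over a day's traffic. Note that this only sees what an interactive bash with the DEBUG trap executed; a script written in vim and run from there, which mark raises above, shows up as the single line that launched it.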