Right, which is exactly what we use it for.  Red Hat supported and everything.

Rob Marti

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rob DeSanno
> Sent: Thursday, September 23, 2010 1:07 PM
> To: General Red Hat Linux discussion list
> Subject: Re: User Auditing
>
> Let me tell you why I want this for the sake of this discussion:
>
> We have servers in our environment by which multiple people (inside and
> out) can issue commands as either themselves or as root (under sudo of
> course).
> While I would prefer that everything goes through me for changes, that is
> not practical here. I want to be informed on what these people/vendors are
> doing to my systems at all times and would rather know than to not know, if
> that makes sense. It's not 100% about security either but to give me a sense
> of what is happening in the environment that I am supporting.
>
> On Thu, Sep 23, 2010 at 12:43 PM, Marti, Robert <RJM002@xxxxxxxx> wrote:
>
> > Why is there a browser (text or otherwise) installed on the server?
> > And the pam bit that logs keystrokes to auditd does log every keypress.
> > And it logs the program you were typing in.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the
> > functionality I'm describing.
> >
> > Like I said - I only use it to log for root.  People should not be
> > considering actions done as root to be private.
> >
> > Rob Marti
> >
> > > -----Original Message-----
> > > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Georgios Magklaras
> > > Sent: Thursday, September 23, 2010 11:12 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: Re: User Auditing
> > >
> > > Auditing keystrokes will not always reveal the whole picture and is VERY
> > > intrusive for people.
> > > How are you going to correlate (and prove) that when
> > > you type something like http://www.abadsite.com, you are typing it on the
> > > descriptor of the web browser and not a text word processor? Too
> > > much noise for the data and too much invasion to privacy, never saw
> > > the point really apart from folk that do keystroke based user
> > > authentication, which is very error prone and it logs only some
> > > keystrokes to work, not everything.
> > >
> > > GM
> > >
> > > On 09/23/2010 05:41 PM, Marti, Robert wrote:
> > > > I'm a fan of auditing root keystrokes and shipping them off the box - you
> > > > can see what happens if your server gets compromised or if you have a
> > > > disgruntled employee by setting up alerts on the log correlation box.  Plus it
> > > > allows a historical view of an event that bash_history doesn't always -
> > > > especially if the admin doesn't use a shell that has a history.  Auditing normal
> > > > users, however, typically isn't worth it.
> > > >
> > > > Rob Marti
> > > > Systems Administrator
> > > > Sam Houston State University
> > > > 936-294-3804 // rob@xxxxxxxx
> > > >
> > > >
> > > >> -----Original Message-----
> > > >> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
> > > >> Sent: Thursday, September 23, 2010 10:29 AM
> > > >> To: General Red Hat Linux discussion list
> > > >> Subject: RE: User Auditing
> > > >>
> > > >> Marti, Robert wrote:
> > > >>> I haven't tried them, but do these track executing shell
> > > >>> commands from inside vim or other editors?  Or other ways of running commands?
> > > >>> (write a script, run it, delete the script)
> > > >>>
> > > >> It also strikes me as a) a great way to create an overwhelming
> > > >> amount of data; b) useless - consider the user edits a script,
> > > >> suspends the editing session, runs the script, foregrounds the
> > > >> editing session, and undoes whatever code they put in. Oh, and c)
> > > >> over-the-top Big Brother; I mean, there's oversight, and there's
> > > >> this: if there's this mistrust of the employees, then perhaps
> > > >> management should either hire trustworthy employees, or only
> > > >> allow trusted employees to work on the systems.
> > > >>
> > > >>         mark, *not* a fan of the idea.
> > > >>>> -----Original Message-----
> > > >>>> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Zbynek Vymazal
> > > >>>> Sent: Thursday, September 23, 2010 9:20 AM
> > > >>>> To: General Red Hat Linux discussion list
> > > >>>> Subject: RE: User Auditing
> > > >>>>
> > > >>>> Hi Rob,
> > > >>>>
> > > >>>> I'm logging command history of every user to remote syslog server.
> > > >>>> It requires two steps on client side:
> > > >>>>
> > > >>>> 1) Add following function to /etc/profile:
> > > >>>>
> > > >>>> function history_to_syslog
> > > >>>> {
> > > >>>>    declare command
> > > >>>>    command=$(fc -ln -0)
> > > >>>>    # Quoted so that globs in the logged command are not expanded
> > > >>>>    logger -p local7.notice -t bash -i -- "$USER : $command"
> > > >>>> }
> > > >>>> trap history_to_syslog DEBUG
> > > >>>>
> > > >>>> 2) Configure local syslog to resend logs to remote syslog
> > > >>>> (/etc/syslog-ng/syslog-ng.conf):
> > > >>>>
> > > >>>> # Send local messages to central syslog server
> > > >>>>
> > > >>>> filter f_filter7 { facility(local7); };
> > > >>>> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); };
> > > >>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> > > >>>>
> > > >>>> Best regards,
> > > >>>>
> > > >>>> Zbynek Vymazal
> > > >>>>
> > > >>>> -----Original Message-----
> > > >>>> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rob DeSanno
> > > >>>> Sent: Thursday, September 23, 2010 15:40
> > > >>>> To: General Red Hat Linux discussion list
> > > >>>> Subject: User Auditing
> > > >>>>
> > > >>>> This should be an easy question.
> > > >>>>
> > > >>>> I use Logwatch on all of my RHEL servers and would like for it
> > > >>>> to also report on all commands that any user had typed when
> > > >>>> logged in as well.
> > > >>>> Something along the lines of UID: Command to give me an idea of
> > > >>>> who was doing what at any given period of time.
> > > >>>>
> > > >>>> I tried using snoopy but that gave me much more than I was
> > > >>>> looking for. I'm
> > > >>>> now playing around with psacct and logger but was curious to
> > > >>>> know what everyone else out there uses to monitor user activity
> > > >>>> besides looking into everyone's history file.
> > > >>>>
> > > >>>> Thanks in advance!
> > > >>>> ~Rob
> > > >>>> --
> > > >>>> redhat-list mailing list
> > > >>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> > >
> > > --
> > > George Magklaras
> > > Senior Systems Engineer/IT Manager
> > > Biotek Center, University of Oslo
> > > EMBnet TMPC Chair
> > >
> > > http://folk.uio.no/georgios
> > >
> > > Tel: +47 22840535
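
Added example, not part of the thread and not any poster's code: a report over the lines that the quoted history_to_syslog function sends to the central server, printed as "host user: command" and marking entries that start an editor or pager, since commands run from inside those never reach the shell history. The log line layout, the OPAQUE list and the names history_report and sample_log are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed input layout, as a traditional
# syslog file would store what history_to_syslog sends:
#   Mon DD HH:MM:SS host bash[pid]: user : command

# Programs that can start other commands without the shell seeing them
# (an illustrative list chosen for this example).
OPAQUE='vi vim view emacs less more man'

history_report() {
    awk -v opaque="$OPAQUE" '
    BEGIN { n = split(opaque, o, " "); for (i = 1; i <= n; i++) blind[o[i]] = 1 }
    $5 ~ /^bash(\[[0-9]+\])?:$/ && $7 == ":" {
        host = $4; user = $6
        # The command is everything after "user : "; drop fc padding.
        cmd = substr($0, index($0, " " user " : ") + length(user) + 4)
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)
        if (cmd == "") next
        # The DEBUG trap can fire several times for one typed line, so
        # collapse repeats from the same user within the same second.
        key = host SUBSEP user
        sig = $1 " " $2 " " $3 SUBSEP cmd
        if (last[key] == sig) next
        last[key] = sig
        # Look past a leading "sudo" to find the program being started.
        m = split(cmd, w, /[ \t]+/)
        prog = (w[1] == "sudo" && m > 1) ? w[2] : w[1]
        sub(/^.*\//, "", prog)
        note = (prog in blind) ? "  [activity inside " prog " is not logged]" : ""
        print host " " user ": " cmd note
    }'
}

# Constructed sample lines, not real log data.
sample_log() {
    cat <<'EOF'
Sep 23 15:40:01 web01 bash[4211]: rob : ls -la /etc
Sep 23 15:40:07 web01 bash[4215]: rob : ps aux | grep httpd
Sep 23 15:40:07 web01 bash[4216]: rob : ps aux | grep httpd
Sep 23 15:41:12 web01 bash[4230]: root :    sudo vim /etc/hosts
Sep 23 15:41:30 web01 sshd[4302]: Accepted publickey for rob
Sep 23 15:42:02 db02 bash[977]: vendor1 : /usr/bin/less /var/log/messages
EOF
}

sample_log | history_report
```

Collapsing on the one-second timestamp also hides a command that a user really did repeat within the same second; widen or drop that rule if exact counts matter.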