Let me tell you why I want this for the sake of this discussion: We have
servers in our environment on which multiple people (inside and out) can
issue commands as either themselves or as root (under sudo of course).
While I would prefer that everything goes through me for changes, that is
not practical here. I want to be informed on what these people/vendors are
doing to my systems at all times and would rather know than not know, if
that makes sense. It's not 100% about security either but to give me a
sense of what is happening in the environment that I am supporting.

On Thu, Sep 23, 2010 at 12:43 PM, Marti, Robert <RJM002@xxxxxxxx> wrote:
> Why is there a browser (text or otherwise) installed on the server?
> And the pam bit that logs keystrokes to auditd does log every keypress.
> And it logs the program you were typing in.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the functionality
> I'm describing.
>
> Like I said - I only use it to log for root. People should not be
> considering actions done as root to be private.
>
> Rob Marti
>
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx
> > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Georgios Magklaras
> > Sent: Thursday, September 23, 2010 11:12 AM
> > To: General Red Hat Linux discussion list
> > Subject: Re: User Auditing
> >
> > Auditing keystrokes will not always reveal the whole picture and is
> > VERY intrusive for people. How are you going to correlate (and prove)
> > that when you type something like http://www.abadsite.com , you are
> > typing it on the descriptor of the web browser and not a text word
> > processor? Too much noise for the data and too much invasion of
> > privacy; never saw the point really apart from folk that do
> > keystroke-based user authentication, which is very error prone and
> > logs only some keystrokes to work, not everything.
> > GM
> >
> > On 09/23/2010 05:41 PM, Marti, Robert wrote:
> > > I'm a fan of auditing root keystrokes and shipping them off the box -
> > > you can see what happens if your server gets compromised or if you
> > > have a disgruntled employee by setting up alerts on the log
> > > correlation box. Plus it allows a historical view of an event that
> > > bash_history doesn't always - especially if the admin doesn't use a
> > > shell that has a history. Auditing normal users, however, typically
> > > isn't worth it.
> > >
> > > Rob Marti
> > > Systems Administrator
> > > Sam Houston State University
> > > 936-294-3804 // rob@xxxxxxxx
> > >
> > >> -----Original Message-----
> > >> From: redhat-list-bounces@xxxxxxxxxx
> > >> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
> > >> Sent: Thursday, September 23, 2010 10:29 AM
> > >> To: General Red Hat Linux discussion list
> > >> Subject: RE: User Auditing
> > >>
> > >> Marti, Robert wrote:
> > >>> I haven't tried them, but do these track executing shell commands
> > >>> from inside vim or other editors? Or other ways of running commands?
> > >>> (write a script, run it, delete the script)
> > >>>
> > >> It also strikes me as a) a great way to create an overwhelming amount
> > >> of data; b) useless - consider the user edits a script, suspends the
> > >> editing session, runs the script, foregrounds the editing session, and
> > >> undoes whatever code they put in. Oh, and c) over-the-top Big
> > >> Brother; I mean, there's oversight, and there's this: if there's this
> > >> mistrust of the employees, then perhaps management should either hire
> > >> trustworthy employees, or only allow trusted employees to work on the
> > >> systems.
> > >>
> > >> mark, *not* a fan of the idea.
> > >>>> -----Original Message-----
> > >>>> From: redhat-list-bounces@xxxxxxxxxx
> > >>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Zbynek Vymazal
> > >>>> Sent: Thursday, September 23, 2010 9:20 AM
> > >>>> To: General Red Hat Linux discussion list
> > >>>> Subject: RE: User Auditing
> > >>>>
> > >>>> Hi Rob,
> > >>>>
> > >>>> I'm logging the command history of every user to a remote syslog
> > >>>> server. It requires two steps on the client side:
> > >>>>
> > >>>> 1) Add the following function to /etc/profile:
> > >>>>
> > >>>> function history_to_syslog
> > >>>> {
> > >>>>     declare command
> > >>>>     # last history entry, without its number
> > >>>>     command=$(fc -ln -0)
> > >>>>     # quoted so that a "*" in the command is logged, not globbed
> > >>>>     logger -p local7.notice -t bash -i -- "$USER : $command"
> > >>>> }
> > >>>> trap history_to_syslog DEBUG
> > >>>>
> > >>>> 2) Configure local syslog to resend logs to the remote syslog
> > >>>> server (/etc/syslog-ng/syslog-ng.conf):
> > >>>>
> > >>>> # Send local messages to central syslog server
> > >>>> filter f_filter7 { facility(local7); };
> > >>>> destination d_syslog_server { udp("xxx.xxx.xxx.xxx"); };
> > >>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> > >>>>
> > >>>> Best regards,
> > >>>>
> > >>>> Zbynek Vymazal
> > >>>>
> > >>>> -----Original Message-----
> > >>>> From: redhat-list-bounces@xxxxxxxxxx
> > >>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rob DeSanno
> > >>>> Sent: Thursday, September 23, 2010 15:40
> > >>>> To: General Red Hat Linux discussion list
> > >>>> Subject: User Auditing
> > >>>>
> > >>>> This should be an easy question.
> > >>>>
> > >>>> I use Logwatch on all of my RHEL servers and would like for it to
> > >>>> also report on all commands that any user had typed when logged in
> > >>>> as well. Something along the lines of UID: Command to give me an
> > >>>> idea of who was doing what at any given period of time.
> > >>>>
> > >>>> I tried using snoopy but that gave me much more than I was looking
> > >>>> for.
> > >>>> I'm now playing around with psacct and logger but was curious to
> > >>>> know what everyone else out there uses to monitor user activity
> > >>>> besides looking into everyone's history file.
> > >>>>
> > >>>> Thanks in advance!
> > >>>> ~Rob
> > >>>> --
> > >>>> redhat-list mailing list
> > >>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> >
> > --
> > George Magklaras
> > Senior Systems Engineer/IT Manager
> > Biotek Center, University of Oslo
> > EMBnet TMPC Chair
> >
> > http://folk.uio.no/georgios
> >
> > Tel: +47 22840535
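Zbynek's history_to_syslog trap gives one syslog line per command, Rob DeSanno wants a "UID: Command" report out of it, and Rob Marti and mark point out two things it misses: commands run from inside vim or another editor, and the write-a-script, run-it, delete-it sequence. The following script, an added example and not code from any of the posters, parses lines of that shape, builds the per-user summary, and flags both blind spots. It assumes the line layout that the logger invocation in the thread produces (tag "bash", logger's PID in brackets, then "user : command"); the host, users, paths and timestamps in LOG are constructed for illustration.

```python
"""Summarise bash audit lines of the shape history_to_syslog produces and flag two
blind spots raised in the thread.  Added example; LOG is constructed sample data."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# logger -p local7.notice -t bash -i -- "$USER : $command" arrives in syslog as e.g.
# "Sep 23 10:29:01 web01 bash[4711]: rob : sudo vim /etc/ssh/sshd_config"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"bash\[(?P<pid>\d+)\]: (?P<user>\S+) : (?P<cmd>.*)$")
# While one of these runs, bash logs nothing (editor/pager escapes, nested/remote shells).
OPAQUE = {"vi", "vim", "emacs", "less", "more", "su", "ssh", "screen", "tmux"}
SHELLS = {"bash", "sh", "ksh", "zsh"}

@dataclass
class Record:
    ts: str
    host: str
    pid: int      # PID of the logger process (logger -i), not of the user's shell
    user: str
    cmd: str

def parse_line(line: str) -> Optional[Record]:
    m = LINE_RE.match(line.strip())
    return Record(m["ts"], m["host"], int(m["pid"]), m["user"], m["cmd"].strip()) if m else None

def parse_log(text: str) -> List[Record]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]

def strip_sudo(cmd: str) -> List[str]:   # command words minus a leading "sudo [opts]"
    words = cmd.split()
    if words and words[0] == "sudo":
        words = words[1:]
        while words and words[0].startswith("-"):
            words = words[2:] if words[0] in ("-u", "-g") else words[1:]
    return words

def _prog(words: List[str]) -> str:      # basename of the program word, "" if none
    return words[0].rsplit("/", 1)[-1] if words else ""
def _norm(path: str) -> str:             # "./x" and "x" name the same file
    return path[2:] if path.startswith("./") else path

def summarize(records: List[Record]) -> Dict[str, Dict[str, int]]:  # user -> {cmd: count}
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        out[r.user][r.cmd] += 1
    return {u: dict(c) for u, c in out.items()}

def is_opaque(cmd: str) -> bool:         # True if what the user does next is not logged
    words = strip_sudo(cmd)
    if not words:                         # bare "sudo -i" / "sudo -s": a root shell
        return cmd.split()[:1] == ["sudo"]
    return _prog(words) in OPAQUE or (_prog(words) in SHELLS and len(words) == 1)

def _written(cmd: str) -> Set[str]:
    m = re.search(r">>?\s*(\S+)", cmd)   # redirect target
    if m:
        return {_norm(m.group(1))}
    words = strip_sudo(cmd)
    if _prog(words) in ("vi", "vim", "emacs"):
        return {_norm(w) for w in words[1:] if not w.startswith("-")}
    return set()

def _executed(cmd: str) -> Set[str]:
    words = strip_sudo(cmd)
    if _prog(words) in SHELLS | {"source", "."} and len(words) > 1:
        return {_norm(words[1])}
    return {_norm(words[0])} if words and words[0].startswith(("./", "/")) else set()

def _removed(cmd: str) -> Set[str]:
    words = strip_sudo(cmd)
    return {_norm(w) for w in words[1:] if not w.startswith("-")} if _prog(words) == "rm" else set()

def script_roundtrips(records: List[Record]) -> List[Tuple[str, str]]:
    """(user, path) for files one user wrote, executed and then deleted on one host.
    Keyed by host+user because the PID in the line belongs to logger, not the shell."""
    by_session: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for r in records:
        by_session[(r.host, r.user)].append(r)
    hits = []
    for recs in by_session.values():
        written, executed = set(), set()
        for r in recs:
            written |= _written(r.cmd)
            executed |= _executed(r.cmd) & written
            hits += [(r.user, p) for p in sorted(_removed(r.cmd) & executed)]
    return hits

# Constructed sample input, not real log data.
LOG = """\
Sep 23 10:29:01 web01 bash[4711]: rob : sudo vim /etc/ssh/sshd_config
Sep 23 10:31:02 web01 bash[4733]: rob : vim /tmp/t.sh
Sep 23 10:31:30 web01 bash[4741]: rob : sudo bash /tmp/t.sh
Sep 23 10:31:41 web01 bash[4745]: rob : rm -f /tmp/t.sh
Sep 23 10:35:12 web01 bash[5190]: vendor1 : sudo -i
"""

if __name__ == "__main__":
    recs = parse_log(LOG)
    print(summarize(recs), [r.cmd for r in recs if is_opaque(r.cmd)], script_roundtrips(recs), sep="\n")
```

On the sample, summarize() yields the per-user command counts, is_opaque() marks the two vim invocations and vendor1's "sudo -i" as points after which the log is blind, and script_roundtrips() returns rob's /tmp/t.sh. The opaque-program list is a heuristic, not a complete list, and the round-trip check only sees what bash itself ran; it cannot see a script edited, run and reverted inside a suspended editor session, which is mark's point. Sessions are grouped by host and user because logger's -i records logger's own PID; a newer util-linux logger accepts --id=$$ to record the shell's PID instead, which would allow grouping per shell.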