At this point, somewhat. Right now they are co-managed and they are
assisting us in building the application layer on it which sometimes
requires root access.

On Thu, Sep 23, 2010 at 2:32 PM, <m.roth@xxxxxxxxx> wrote:

> Rob DeSanno wrote:
> > Let me tell you why I want this for the sake of this discussion:
> >
> > We have servers in our environment by which multiple people (inside and
> > out) can issue commands as either themselves or as root (under sudo of
> > course). While I would prefer that everything goes through me for
> > changes, that is not practical here. I want to be informed on what these
> > people/vendors are doing to my systems at all times and would rather
> > know than to not know, if that makes sense. It's not 100% about security
> > either but to give me a sense of what is happening in the environment
> > that I am supporting.
>
> Have you already limited what commands some of these folks can use with
> /etc/sudoers?
>
> mark
> >
> > On Thu, Sep 23, 2010 at 12:43 PM, Marti, Robert <RJM002@xxxxxxxx> wrote:
> >
> >> Why is there a browser (text or otherwise) installed on the server?
> >> And the pam bit that logs keystrokes to auditd does log every keypress.
> >> And it logs the program you were typing in.
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the functionality
> >> I'm describing.
> >>
> >> Like I said - I only use it to log for root. People should not be
> >> considering actions done as root to be private.
> >>
> >> Rob Marti
> >>
> >> > -----Original Message-----
> >> > From: redhat-list-bounces@xxxxxxxxxx
> >> > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Georgios Magklaras
> >> > Sent: Thursday, September 23, 2010 11:12 AM
> >> > To: General Red Hat Linux discussion list
> >> > Subject: Re: User Auditing
> >> >
> >> > Auditing keystrokes will not always reveal the whole picture and is
> >> > VERY intrusive for people. How are you going to correlate (and prove)
> >> > that when you type something like http://www.abadsite.com , you are
> >> > typing it on the descriptor of the web browser and not a text word
> >> > processor. Too much noise for the data and too much invasion of
> >> > privacy, never saw the point really apart from folk that do keystroke
> >> > based user authentication, which is very error prone and it logs only
> >> > some keystrokes to work, not everything.
> >> >
> >> > GM
> >> >
> >> > On 09/23/2010 05:41 PM, Marti, Robert wrote:
> >> > > I'm a fan of auditing root keystrokes and shipping them off the box
> >> > > - you can see what happens if your server gets compromised or if you
> >> > > have a disgruntled employee by setting up alerts on the log
> >> > > correlation box. Plus it allows a historical view of an event that
> >> > > bash_history doesn't always - especially if the admin doesn't use a
> >> > > shell that has a history. Auditing normal users, however, typically
> >> > > isn't worth it.
> >> > >
> >> > > Rob Marti
> >> > > Systems Administrator
> >> > > Sam Houston State University
> >> > > 936-294-3804 // rob@xxxxxxxx
> >> > >
> >> > >> -----Original Message-----
> >> > >> From: redhat-list-bounces@xxxxxxxxxx
> >> > >> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth@xxxxxxxxx
> >> > >> Sent: Thursday, September 23, 2010 10:29 AM
> >> > >> To: General Red Hat Linux discussion list
> >> > >> Subject: RE: User Auditing
> >> > >>
> >> > >> Marti, Robert wrote:
> >> > >>> I haven't tried them, but do these track executing shell commands
> >> > >>> from inside vim or other editors? Or other ways of running
> >> > >>> commands? (write a script, run it, delete the script)
> >> > >>>
> >> > >> It also strikes me as a) a great way to create an overwhelming
> >> > >> amount of data; b) useless - consider the user edits a script,
> >> > >> suspends the editing session, runs the script, foregrounds the
> >> > >> editing session, and undoes whatever code they put in. Oh, and
> >> > >> c) over-the-top Big Brother; I mean, there's oversight, and there's
> >> > >> this: if there's this mistrust of the employees, then perhaps
> >> > >> management should either hire trustworthy employees, or only allow
> >> > >> trusted employees to work on the systems.
> >> > >>
> >> > >> mark, *not* a fan of the idea.
> >> > >>>> -----Original Message-----
> >> > >>>> From: redhat-list-bounces@xxxxxxxxxx
> >> > >>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Zbynek Vymazal
> >> > >>>> Sent: Thursday, September 23, 2010 9:20 AM
> >> > >>>> To: General Red Hat Linux discussion list
> >> > >>>> Subject: RE: User Auditing
> >> > >>>>
> >> > >>>> Hi Rob,
> >> > >>>>
> >> > >>>> I'm logging command history of every user to remote syslog server.
> >> > >>>> It requires two steps on client side:
> >> > >>>>
> >> > >>>> 1) Add following function to /etc/profile:
> >> > >>>>
> >> > >>>> function history_to_syslog
> >> > >>>> {
> >> > >>>>    declare command
> >> > >>>>    command=$(fc -ln -0)
> >> > >>>>    logger -p local7.notice -t bash -i -- $USER : $command
> >> > >>>> }
> >> > >>>> trap history_to_syslog DEBUG
> >> > >>>>
> >> > >>>> 2) Configure local syslog to resend logs to remote syslog
> >> > >>>> (/etc/syslog-ng/syslog-ng.conf):
> >> > >>>>
> >> > >>>> # Send local messages to central syslog server
> >> > >>>>
> >> > >>>> filter f_filter7 { facility(local7); };
> >> > >>>> destination d_syslog_server { udp(xxx.xxx.xxx.xxx); };
> >> > >>>> log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };
> >> > >>>>
> >> > >>>> Best regards,
> >> > >>>>
> >> > >>>> Zbynek Vymazal
> >> > >>>>
> >> > >>>> -----Original Message-----
> >> > >>>> From: redhat-list-bounces@xxxxxxxxxx
> >> > >>>> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rob DeSanno
> >> > >>>> Sent: Thursday, September 23, 2010 15:40
> >> > >>>> To: General Red Hat Linux discussion list
> >> > >>>> Subject: User Auditing
> >> > >>>>
> >> > >>>> This should be an easy question.
> >> > >>>>
> >> > >>>> I use Logwatch on all of my RHEL servers and would like for it to
> >> > >>>> also report on all commands that any user had typed when logged in
> >> > >>>> as well. Something along the lines of UID: Command to give me an
> >> > >>>> idea of who was doing what at any given period of time.
> >> > >>>>
> >> > >>>> I tried using snoopy but that gave me much more than I was looking
> >> > >>>> for. I'm now playing around with psacct and logger but was curious
> >> > >>>> to know what everyone else out there uses to monitor user activity
> >> > >>>> besides looking into everyone's history file.
> >> > >>>>
> >> > >>>> Thanks in advance!
> >> > >>>> ~Rob
> >> > >>>> --
> >> > >>>> redhat-list mailing list
> >> > >>>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> >> > >>>> https://www.redhat.com/mailman/listinfo/redhat-list
> >> >
> >> > --
> >> > George Magklaras
> >> > Senior Systems Engineer/IT Manager
> >> > Biotek Center, University of Oslo
> >> > EMBnet TMPC Chair
> >> >
> >> > http://folk.uio.no/georgios
> >> >
> >> > Tel: +47 22840535

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
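
Added example, not part of the thread and not any poster's code: a report in the "UID: Command" shape asked for in the original question, built from the syslog lines that the history_to_syslog trap quoted above sends to the central server. The sample log lines, host names, users and the function names sample_log and history_report are constructed for illustration, and the traditional "Mon DD HH:MM:SS host tag[pid]:" syslog line layout is assumed.

```shell
#!/bin/sh
# Added example: report "user: command" from the syslog lines written by the
# history_to_syslog trap (logger -t bash -i -- $USER : $command).

# Constructed sample of what the central syslog server receives.
# Host names, users and commands are made up for illustration.
sample_log() {
cat <<'EOF'
Sep 23 15:40:01 web01 bash[4101]: rob : ls -la /etc
Sep 23 15:40:07 web01 bash[4105]: vendor1 : ps aux | grep httpd
Sep 23 15:40:07 web01 bash[4106]: vendor1 : ps aux | grep httpd
Sep 23 15:41:12 web01 bash[4110]: vendor1 : sudo vi /etc/httpd/conf/httpd.conf
Sep 23 15:41:30 web01 sshd[4120]: Accepted publickey for rob from 192.0.2.10
Sep 23 15:42:03 web01 bash[4131]: root : service httpd restart
Sep 23 15:42:44 db01 bash[977]: vendor1 : sudo su -
EOF
}

# history_report (hypothetical name): reads syslog lines on stdin and prints
#   FLAG host user: command
# FLAG is PRIV for root or sudo commands, user otherwise.
history_report() {
    awk '
    # Keep only lines tagged "bash[PID]:"; the PID is that of logger, not
    # of the shell, so it cannot be used to group a session.
    match($0, / bash\[[0-9]+\]: /) {
        host = $4
        msg  = substr($0, RSTART + RLENGTH)
        sep  = index(msg, " : ")
        if (sep == 0) next                 # not in "user : command" form
        user = substr(msg, 1, sep - 1)
        cmd  = substr(msg, sep + 3)
        sub(/^[ \t]+/, "", cmd)            # fc -ln pads the command
        # The DEBUG trap runs before every simple command, so one typed
        # line can be logged several times: collapse repeats that share
        # host, user and timestamp.
        key = host SUBSEP user
        cur = $3 SUBSEP cmd
        if (last[key] == cur) next
        last[key] = cur
        flag = (user == "root" || cmd ~ /^sudo( |$)/) ? "PRIV" : "user"
        printf "%s %s %s: %s\n", flag, host, user, cmd
    }'
}

sample_log | history_report
```

The report only covers what the trap saw: commands run from inside an editor or a script, as raised earlier in the thread, never reach the log and so never reach the report.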