On Monday, July 16, 2012 10:05:48 AM Florian Crouzat wrote: > Le 13/07/2012 19:09, Boyce, Kevin P (AS) a écrit : > > Wouldn't another option be to audit the exec of particular executables you > > are interested in knowing if someone runs? Obviously you won't know what > > they are typing into text documents and such, but is that really > > required? Most places don't allow key loggers at all and it sounds like > > that's what you've got. > Nop that's not required, what is required is to log every > root-privileged actions, sudo goes in /var/log/secure,
Sudo also goes into the audit log so that you have a high integrity source for what it was commanded to do. > real root shells nowhere. The only solution I found was with pam_audit_tty > that has the side effect to log every keystroke but I'm open to other > solutions, creating a list of binary to watch cannot be one. One possibility is to write a simple event handler that watches for keystroke logging and does the filtering before writing to its own log file. Remember the audit system has a realtime interface and a parsing library so that dispatcher utilities can easily be created. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
