Perhaps something like below, present in /etc/profile, set readonly to
prevent unset. I am actually using the below. Output is recorded via
syslog.
export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER "$(history 1)"|logger -p user.alert -t bash_history'
readonly PROMPT_COMMAND
- evilghost
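As an added example, not part of the thread and not evilghost's own setup: a small POSIX sh script that consumes the syslog lines the PROMPT_COMMAND/logger snippet above produces and covers the three requirements from the original post (one file per user, search by user, per-user counts for a periodic report). It assumes the line layout shown in the comment, which is what that snippet emits through syslog, and the sample log lines are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the thread: consume syslog lines written by the
# PROMPT_COMMAND + logger snippet and give the original poster's three
# requirements (per-user files, search by user, per-user counts for reports).
# Assumed line layout, matching what that snippet emits through syslog:
#   <Mon DD HH:MM:SS> <host> bash_history: <pid> <user> <histnum> <command...>
# The sample lines below are constructed for this example, not captured logs.

SAMPLE_LOG='Aug 10 18:40:01 host1 bash_history: 4321 navid   12  ls -la /etc
Aug 10 18:40:07 host1 bash_history: 4321 navid   13  sudo vi /etc/hosts
Aug 10 18:41:15 host1 bash_history: 5678 root   101  tail -f /var/log/messages
Aug 10 18:42:03 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
Aug 10 18:42:30 host1 bash_history: 4321 navid   14  cat navid.log'

# Print "<timestamp> <command>" for every command the given user ran.
# $1 = user name, stdin = syslog lines. Unrelated syslog lines (cron, etc.)
# are skipped by matching the logger tag in field 5.
commands_for_user() {
    awk -v user="$1" '
        $5 == "bash_history:" && $7 == user {
            # fields 1-3 timestamp, 4 host, 5 tag, 6 pid, 7 user,
            # 8 history number, 9.. the command line itself
            cmd = ""
            for (i = 9; i <= NF; i++) cmd = cmd (i > 9 ? " " : "") $i
            print $1, $2, $3, cmd
        }'
}

# Print "<user> <count>" per user, sorted by user (input for a weekly report).
count_per_user() {
    awk '$5 == "bash_history:" { n[$7]++ } END { for (u in n) print u, n[u] }' | sort
}

# Append each event to <dir>/<user>.log, i.e. navid.log, root.log, ...
# $1 = output directory, stdin = syslog lines.
split_per_user() {
    mkdir -p "$1"
    awk -v dir="$1" '$5 == "bash_history:" { print >> (dir "/" $7 ".log") }'
}

# Stand-alone demo on the constructed sample: ./script.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | commands_for_user navid
    printf '%s\n' "$SAMPLE_LOG" | count_per_user
fi
```

Two caveats when wiring this to real logs: if HISTTIMEFORMAT is set, bash prints the formatted time between the history number and the command, so the field offset in the awk scripts shifts; and PROMPT_COMMAND only records what interactive bash sessions run, so it is a cheap complement to, not a replacement for, the auditd-based approach Michael recommends further down the thread.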
Navid Paya wrote:
> Thank you Michael. That was really insightful. I've got just one
> problem here. Can auditd log all the commands that all users enter? I
> need such a thing. Do you know of any tools that can do this and create the
> logs? Once I have the log files it won't be so hard to fetch, index
> and audit the files.
>
> Navid
>
>
> On Mon, Aug 10, 2009 at 6:34 PM, Michael Altfield
> <[email protected]> wrote:
>
> Hi Navid,
>
> I was just looking for a similar solution to satisfy sections 10.x in
> the PCI DSS.
>
> OSSEC is great for a lot of things, but I wouldn't use it for
> auditing.
> I'd look into installing and configuring auditd on all of your linux
> machines. Then, to be able to generate your reports, I would use
> splunk.
> Depending on your needs, you might be able to get by with the free
> version.
>
> Hope this helps.
>
> -Michael
>
> Navid Paya wrote:
> > Kudos everyone
> > I'm working in a firm specialized in providing banking services. I'm
> > working on a user control mechanism and as part of the mechanism I
> > need an auditing solution. Here are the requirements I have for
> > my system:
> > 1 - Logging all the commands that users enter and preferably storing
> > them on a per user basis (for instance the command log for the user
> > "navid" be stored as "navid.log")
> > 2 - The ability to search for incidents based on user, command
> > or time
> > 3 - Ability to generate reports on a weekly, monthly, ... basis
> > I've looked into syslog, syslog-ng, ossec and open-audit but I'm
> > really not sure which one to go with. I'll be really grateful if you
> > can shed some light on my limited understanding of this whole
> > thing. I know about solutions such as bash history but it just doesn't
> > seem right. I mean, it's Linux for God's sake. There has to be a better
> > way to do that. And in case it matters, my distro is SuSE Linux
> > Enterprise Server 10 SP 2.
> >
> > Thanks in advance
> >
> > Navid
>
>