Hi Navid, in our environment we need only log commands of users with administrator privileges (PCI DSS requirement). So we disabled su usage and all commands have to be done using sudo, which logs every command into syslog.
Jakub

On Aug 11, 6:46 am, Navid Paya <[email protected]> wrote:
> Thank you Michael. That was really insightful. I've got just one problem here. Can auditd log all the commands that all users enter? I need such a thing. Do you know of any tools that can do this and create the logs? Once I have the log files it won't be so hard to fetch, index and audit the files.
>
> Navid
>
> On Mon, Aug 10, 2009 at 6:34 PM, Michael Altfield <[email protected]> wrote:
>
> > Hi Navid,
> >
> > I was just looking for a similar solution to satisfy sections 10.x in the PCI DSS.
> >
> > OSSEC is great for a lot of things, but I wouldn't use it for auditing. I'd look into installing and configuring auditd on all of your linux machines. Then, to be able to generate your reports, I would use splunk. Depending on your needs, you might be able to get by with the free version.
> >
> > Hope this helps.
> >
> > -Michael
> >
> > Navid Paya wrote:
> > > Kudos everyone
> > >
> > > I'm working in a firm specialized in providing banking services. I'm working on a user control mechanism and as part of the mechanism I need an auditing solution. Here are the requirements I have for my system:
> > >
> > > 1 - Logging all the commands that users enter and preferably storing them on a per user basis (for instance the command log for the user "navid" be stored as "navid.log")
> > > 2 - The ability to search for incidents based on user, command or time
> > > 3 - Ability to generate reports on a weekly, monthly, ... basis
> > >
> > > I've looked into syslog, syslog-ng, ossec and open-audit but I'm really not sure which one to go with. I'll be really grateful if you can shed some light on my limited understanding of this whole thing. I know about solutions such as bash history but it just doesn't seem right. I mean, it's Linux for God's sake. There has to be a better way to do that. And in case it matters, my distro is SuSE Linux Enterprise Server 10 SP 2.
> > >
> > > Thanks in advance
> > >
> > > Navid
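A parser for the sudo syslog lines Jakub describes, splitting them per invoking user and making them searchable by user, command and time window (Navid's requirements 1 and 2), and flagging refused invocations so they are not lost among the successful ones. This is an added example, not code from anyone in the thread; it assumes the standard sudo syslog line format, a constructed sample log (host "db01" and the users are made up) and the year 2009, because classic syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the line sudo writes to syslog for every invocation. Refused runs
# carry a reason (e.g. "command not allowed") between the user and TTY=.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample, not real logs: host "db01" and the users are made up.
SAMPLE_SYSLOG = """\
Aug 11 06:46:01 db01 sudo:    navid : TTY=pts/0 ; PWD=/home/navid ; USER=root ; COMMAND=/sbin/iptables -L
Aug 11 06:47:15 db01 sudo:    jakub : TTY=pts/1 ; PWD=/home/jakub ; USER=root ; COMMAND=/etc/init.d/apache2 restart
Aug 11 06:48:02 db01 sudo:    navid : command not allowed ; TTY=pts/0 ; PWD=/home/navid ; USER=root ; COMMAND=/bin/bash
Aug 11 07:01:30 db01 sshd[1234]: Accepted publickey for navid from 10.0.0.5 port 50000 ssh2
"""

def parse_sudo_line(line, year=2009):
    """Return a record for a sudo line, None for any other syslog line.
    Classic syslog timestamps have no year, so the caller supplies it (assumed 2009)."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(f"{year} {rec.pop('ts')}", "%Y %b %d %H:%M:%S")
    rec["denied"] = rec["reason"] is not None   # refused invocation, worth reviewing
    return rec

def split_per_user(syslog_text, year=2009):
    """Requirement 1: one record list per invoking user (what would become <user>.log)."""
    per_user = defaultdict(list)
    for line in syslog_text.splitlines():
        rec = parse_sudo_line(line, year)
        if rec:
            per_user[rec["user"]].append(rec)
    return dict(per_user)

def search(records, user=None, command=None, since=None, until=None):
    """Requirement 2: filter by user, command substring and/or inclusive time window."""
    return [r for r in records
            if (user is None or r["user"] == user)
            and (command is None or command in r["cmd"])
            and (since is None or r["time"] >= since)
            and (until is None or r["time"] <= until)]
```

Writing each list from split_per_user to <user>.log gives the per-user files requirement 1 asks for; note that sudo only records the command line, not what an interactive shell started through sudo then does.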
