IMHO, logging just the commands isn't sufficient for auditing--even if it does satisfy PCI (and I can't imagine that it should).
You may log that a user does:

vi myScript.sh
chmod +x myScript.sh
./myScript.sh
rm myScript.sh

...but you have no insight as to what 'myScript.sh' has done, and it could be something nasty. auditd, however, would capture all of this information. It may be a little unclear at first what commands are run, but, honestly, I don't care if the user used 'vi' or 'emacs'--I just want to know that the file was edited; that's what auditd will provide. If you still want to see their commands, I would use evilghost's solution sent to splunk in addition to the auditd + splunk solution.

Cheers,
Micheal Altfield

On Tue, Aug 11, 2009 at 8:23 AM, Jakub Moravek <[email protected]> wrote:

> Hi Navid,
> in our environment we need only log commands of users with
> administrator privileges (PCI DSS requirement). So we disabled su
> usage and all commands have to be done using sudo, which logs every
> command into syslog.
>
> Jakub
>
> On Aug 11, 6:46 am, Navid Paya <[email protected]> wrote:
> > Thank you Micheal. That was really insightful. I've got just one problem
> > here. Can auditd log all the commands that all users enter? I need such a
> > thing. Do you know any tools that can do this and create the logs? Once I have
> > the log files it won't be so hard to fetch, index and audit the files.
> >
> > Navid
> >
> > On Mon, Aug 10, 2009 at 6:34 PM, Michael Altfield <[email protected]> wrote:
> >
> > > Hi Navid,
> > >
> > > I was just looking for a similar solution to satisfy sections 10.x in
> > > the PCI DSS.
> > >
> > > OSSEC is great for a lot of things, but I wouldn't use it for auditing.
> > > I'd look into installing and configuring auditd on all of your linux
> > > machines. Then, to be able to generate your reports, I would use splunk.
> > > Depending on your needs, you might be able to get by with the free version.
> > >
> > > Hope this helps.
> > >
> > > -Michael
> > >
> > > Navid Paya wrote:
> > > > Kudos everyone
> > > > I'm working in a firm specialized in providing banking services. I'm
> > > > working on a user control mechanism and as part of the mechanism I
> > > > need an auditing solution. Here are the requirements I have for my system:
> > > > 1 - Logging all the commands that users enter and preferably storing
> > > > them on a per user basis (for instance the command log for the user
> > > > "navid" be stored as "navid.log")
> > > > 2 - The ability to search for incidents based on user, command or time
> > > > 3 - Ability to generate reports on a weekly, monthly, ... basis
> > > > I've looked into syslog, syslog-ng, ossec and open-audit but I'm
> > > > really not sure which one to go with. I'll be really grateful if you
> > > > can shed some light on my limited understanding of this whole thing. I
> > > > know about solutions such as bash history but it just doesn't seem
> > > > right. I mean, it's Linux for God's sake. There has to be a better way
> > > > to do that. And in case it matters, my distro is SuSE Linux Enterprise
> > > > Server 10 SP 2.
> > > >
> > > > Thanks in advance
> > > >
> > > > Navid
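An added example, not from anyone in this thread: it shows how auditd's execve records (the "auditd + splunk" approach recommended above) can be turned into the per-user command log the original poster asked for. The SYSCALL and EXECVE records of one event share the `msg=audit(time:serial)` id, and `auid` is the login uid, so a command run under sudo is still attributed to the person who logged in. The log lines and the auid-to-name table are constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed records in the shape auditd writes to /var/log/audit/audit.log when a
# rule like  -a always,exit -F arch=b64 -S execve -F auid>=1000 -k exec_log  is loaded.
# auid is the login uid, so it identifies the person even after sudo/su (uid/euid=0).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1249997234.123:456): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4100 pid=4101 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="chmod" exe="/bin/chmod" key="exec_log"
type=EXECVE msg=audit(1249997234.123:456): argc=3 a0="chmod" a1="+x" a2="myScript.sh"
type=SYSCALL msg=audit(1249997240.500:457): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=4100 pid=4102 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="myScript.sh" exe="/bin/bash" key="exec_log"
type=EXECVE msg=audit(1249997240.500:457): argc=1 a0="./myScript.sh"
type=SYSCALL msg=audit(1249997300.001:458): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=5200 pid=5201 auid=1002 uid=1002 gid=100 euid=1002 tty=pts1 ses=4 comm="echo" exe="/bin/echo" key="exec_log"
type=EXECVE msg=audit(1249997300.001:458): argc=2 a0="echo" a1=68656C6C6F20776F726C64
"""
USERS = {1001: "navid", 1002: "jakub"}  # constructed auid -> login name (normally getpwuid)
EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(value):
    """EXECVE args containing spaces/specials are written unquoted as hex; quoted ones are literal."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def per_user_commands(audit_text, users=USERS):
    """Join SYSCALL and EXECVE records by event serial; group commands by login user."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, secs, serial, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        ev = events[serial]
        if rtype == "SYSCALL" and fields.get("key") == '"exec_log"':
            ev["time"] = datetime.fromtimestamp(int(secs), tz=timezone.utc).isoformat()
            ev["auid"] = int(fields["auid"])
            ev["euid"] = int(fields["euid"])  # 0 here means the command ran via sudo/su
        elif rtype == "EXECVE":
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
    by_user = defaultdict(list)
    for ev in events.values():
        if "auid" in ev and "argv" in ev:  # skip events where one half is missing
            name = users.get(ev["auid"], str(ev["auid"]))
            by_user[name].append({"time": ev["time"], "euid": ev["euid"], "cmd": " ".join(ev["argv"])})
    return dict(by_user)  # each list can be written to <name>.log and searched by user/time
```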
