Thanks for all the solutions so far. I also found the script command which is cool except for the cases when you use vi or things like that. I was wondering how evilghost's solution works? I run it as the normal or superuser but it doesn't print anything in a user.alert file. It doesn't even create the file. Sorry lads, I'm not really good with scripts.
Navid

On Tue, Aug 11, 2009 at 8:10 PM, Michael Altfield <[email protected]> wrote:

> IMHO, logging just the commands isn't sufficient enough for auditing--even if it does satisfy PCI (and I can't imagine that it should).
>
> You may log that a user does:
>
> vi myScript.sh
> chmod +x myScript.sh
> ./myScript.sh
> rm myScript.sh
>
> ...but you have no insight as to what 'myScript.sh' has done, and it could be something nasty. auditd, however, would capture all of this information. It may be a little unclear at first what commands are run, but, honestly, I don't care if the user used 'vi' or 'emacs'--I just want to know that the file was edited; that's what auditd will provide.
>
> If you still want to see their commands, I would use evilghost's solution sent to splunk in addition to the auditd + splunk solution.
>
> Cheers,
> Michael Altfield
>
> On Tue, Aug 11, 2009 at 8:23 AM, Jakub Moravek <[email protected]> wrote:
>
>> Hi Navid,
>> in our environment we need only log commands of users with administrator privileges (PCI DSS requirement). So we disabled su usage and all commands have to be done using sudo, which logs every command into syslog.
>>
>> Jakub
>>
>> On Aug 11, 6:46 am, Navid Paya <[email protected]> wrote:
>>
>>> Thank you Michael. That was really insightful. I've got just one problem here. Can auditd log all the commands that all users enter? I need such a thing. Do you know any tools that can do this and create the logs? Once I have the log files it won't be so hard to fetch, index and audit the files.
>>>
>>> Navid
>>>
>>> On Mon, Aug 10, 2009 at 6:34 PM, Michael Altfield <[email protected]> wrote:
>>>
>>>> Hi Navid,
>>>>
>>>> I was just looking for a similar solution to satisfy sections 10.x in the PCI DSS.
>>>>
>>>> OSSEC is great for a lot of things, but I wouldn't use it for auditing. I'd look into installing and configuring auditd on all of your linux machines. Then, to be able to generate your reports, I would use splunk. Depending on your needs, you might be able to get by with the free version.
>>>>
>>>> Hope this helps.
>>>>
>>>> -Michael
>>>>
>>>> Navid Paya wrote:
>>>>
>>>>> Kudos everyone
>>>>>
>>>>> I'm working in a firm specialized in providing banking services. I'm working on a user control mechanism and as part of the mechanism I need an auditing solution. Here are the requirements I have for my system:
>>>>>
>>>>> 1 - Logging all the commands that users enter and preferably storing them on a per user basis (for instance the command log for the user "navid" is stored as "navid.log")
>>>>> 2 - The ability to search for incidents based on user, command or time
>>>>> 3 - Ability to generate reports on a weekly, monthly, ... basis
>>>>>
>>>>> I've looked into syslog, syslog-ng, ossec and open-audit but I'm really not sure which one to go with. I'll be really grateful if you can shed some light on my limited understanding of this whole thing. I know about solutions such as bash history but it just doesn't seem right. I mean, it's Linux for God's sake. There has to be a better way to do that. And in case it matters, my distro is SuSE Linux Enterprise Server 10 SP 2.
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Navid
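The two concrete requirements in the thread (a per-user command log such as navid.log, and searching by user, command or time) can be built directly on the auditd execve records Michael recommends. The script below is an added example, not code from anyone in this thread. It assumes an auditctl rule of the form `-a always,exit -F arch=b64 -S execve -k cmdlog` (add a matching `arch=b32` rule on hosts that run 32-bit binaries), a constructed audit.log excerpt, and a hypothetical `UID_TO_USER` map standing in for the password database. It keys everything on `auid`, the login uid, rather than `uid`: that is what keeps a command run under sudo or su attributed to the person who logged in, which a plain uid-based view would report as root.

```python
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed auditd rule that produces these records (auditctl syntax):
#   auditctl -a always,exit -F arch=b64 -S execve -k cmdlog
# Constructed sample of /var/log/audit/audit.log lines; not captured from a real host.
# In the third event uid is 0 but auid stays 1001: the command ran via sudo/su,
# and auid is what ties it back to the login user.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1249999999.101:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3001 auid=1001 uid=1001 gid=100 tty=pts0 ses=7 comm="vi" exe="/usr/bin/vi" key="cmdlog"
type=EXECVE msg=audit(1249999999.101:4001): argc=2 a0="vi" a1="myScript.sh"
type=SYSCALL msg=audit(1249999999.150:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3002 auid=1001 uid=1001 gid=100 tty=pts0 ses=7 comm="chmod" exe="/bin/chmod" key="cmdlog"
type=EXECVE msg=audit(1249999999.150:4002): argc=3 a0="chmod" a1="+x" a2="myScript.sh"
type=SYSCALL msg=audit(1250000010.200:4003): arch=c000003e syscall=59 success=yes exit=0 ppid=3000 pid=3003 auid=1001 uid=0 gid=0 tty=pts0 ses=7 comm="rm" exe="/bin/rm" key="cmdlog"
type=EXECVE msg=audit(1250000010.200:4003): argc=2 a0="rm" a1=6D79205363726970742E7368
type=SYSCALL msg=audit(1250000020.300:4004): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1002 uid=1002 gid=100 tty=pts1 ses=8 comm="ls" exe="/bin/ls" key="cmdlog"
type=EXECVE msg=audit(1250000020.300:4004): argc=2 a0="ls" a1="-l"
"""

# Hypothetical uid-to-name map; on a real host resolve names with pwd.getpwuid().
UID_TO_USER = {0: "root", 1001: "navid", 1002: "jakub"}

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class CommandEvent:
    serial: int
    when: datetime   # UTC
    auid: int        # login uid: survives sudo/su
    uid: int         # effective uid at exec time
    user: str
    tty: str
    argv: list

    @property
    def cmdline(self) -> str:
        return shlex.join(self.argv)


def decode_arg(raw: str) -> str:
    """EXECVE args are double-quoted when printable; otherwise auditd logs bare hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw


def parse_audit_log(text: str, uid_to_user=UID_TO_USER) -> list:
    """Join the SYSCALL and EXECVE records that share a serial into one CommandEvent."""
    partial = defaultdict(dict)
    order = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        serial = int(serial)
        if serial not in partial:
            order.append(serial)
            partial[serial]["when"] = datetime.fromtimestamp(float(ts), tz=timezone.utc)
        fields = dict(FIELD_RE.findall(body))
        if rtype == "SYSCALL":
            partial[serial].update(auid=int(fields["auid"]), uid=int(fields["uid"]),
                                   tty=fields.get("tty", "?"))
        elif rtype == "EXECVE":
            # Oversized args that auditd splits as a1[0], a1[1] are not reassembled here.
            argc = int(fields["argc"])
            partial[serial]["argv"] = [decode_arg(fields.get(f"a{i}", "?")) for i in range(argc)]
    events = []
    for serial in order:
        r = partial[serial]
        if "argv" not in r or "auid" not in r:
            continue  # half an event (e.g. cut by log rotation): skip rather than misattribute
        user = uid_to_user.get(r["auid"], f"auid{r['auid']}")
        events.append(CommandEvent(serial, r["when"], r["auid"], r["uid"], user, r["tty"], r["argv"]))
    return events


def per_user_logs(events) -> dict:
    """Requirement 1 from the thread: one command log per login user (e.g. navid.log)."""
    logs = defaultdict(list)
    for e in events:
        stamp = e.when.strftime("%Y-%m-%dT%H:%M:%SZ")
        logs[e.user].append(f"{stamp} tty={e.tty} uid={e.uid} {e.cmdline}")
    return dict(logs)


def search(events, user=None, command=None, since=None, until=None) -> list:
    """Requirement 2: filter by login user, command substring and/or UTC time window."""
    return [e for e in events
            if (user is None or e.user == user)
            and (command is None or command in e.cmdline)
            and (since is None or e.when >= since)
            and (until is None or e.when <= until)]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for user, lines in per_user_logs(evs).items():
        print(f"--- {user}.log")
        print("\n".join(lines))
```

Running it prints a navid.log with three entries (the rm line attributed to navid even though it executed as uid 0) and a jakub.log with one. As Michael points out, this still records only that ./myScript.sh was executed, not what the script did; a file-watch rule such as `auditctl -w /path/to/dir -p wa -k script_edits` records the edit itself, and the same serial-based joining applies to those PATH records.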
