As a quick n dirty fix. You could always set the append only bit to the file.
chattr +a I believe it is. Not the most proper way. But will work ;D

Sent from my BlackBerry device on the Rogers Wireless Network

-----Original Message-----
From: Navid Paya <[email protected]>
Date: Tue, 18 Aug 2009 16:41:43
To: <[email protected]>
Subject: [ossec-list] Re: User auditing solution

Hi lads
I've found what I was looking for. The "script" command can keep a list of all the commands that the user enters during a session. I just got one problem. In order to make the log usable, I need to create a file with $USER.log format for each user. For instance, my user is navid so I need a navid.log file. In order for the commands to be captured, I place this line in the /etc/profile file:

script -aq /var/log/user_audit/$USER.log

This will create a file like /var/log/user_audit/navid.log
The problem I have is that I have to grant write permission on this file to the user and if the user finds out what's going on he can jeopardize the whole scheme. Can you think of any way to avoid this?

Navid

On Tue, Aug 18, 2009 at 4:25 PM, Navid Paya <[email protected]> wrote:
> Thanks for all the solutions so far. I also found the script command which
> is cool except for the cases when you use vi or things like that. I was
> wondering how evilghost's solution works? I run it as the normal or
> superuser but it doesn't print anything in a user.alert file. It doesn't
> even create the file. Sorry lads, I'm not really good with scripts.
>
> Navid
>
> On Tue, Aug 11, 2009 at 8:10 PM, Michael Altfield <[email protected]> wrote:
>
>> IMHO, logging just the commands isn't sufficient enough for auditing--even
>> if it does satisfy PCI (and I can't imagine that it should).
>>
>> You may log that a user does:
>>
>> vi myScript.sh
>> chmod +x myScript.sh
>> ./myScript.sh
>> rm myScript.sh
>>
>> ...but you have no insight as to what 'myScript.sh' has done, and it could
>> be something nasty. auditd, however, would capture all of this information.
>> It may be a little unclear at first what commands are run, but, honestly, I
>> don't care if the user used 'vi' or 'emacs'--I just want to know that the
>> file was edited; that's what auditd will provide.
>>
>> If you still want to see their commands, I would use evilghost's solution
>> sent to splunk in addition to the auditd + splunk solution.
>>
>> Cheers,
>> Michael Altfield
>>
>> On Tue, Aug 11, 2009 at 8:23 AM, Jakub Moravek <[email protected]> wrote:
>>
>>> Hi Navid,
>>> in our environment we need only log commands of users with
>>> administrator privileges (PCI DSS requirement). So we disabled su
>>> usage and all commands have to be done using sudo that logs every
>>> command into syslog.
>>>
>>> Jakub
>>>
>>> On Aug 11, 6:46 am, Navid Paya <[email protected]> wrote:
>>> > Thank you Michael. That was really insightful. I've got just one problem
>>> > here. Can auditd log all the commands that all users enter? I need such a
>>> > thing. Do you know any tools that can do this and create the logs? Once I have
>>> > the log files it won't be so hard to fetch, index and audit the files.
>>> >
>>> > Navid
>>> >
>>> > On Mon, Aug 10, 2009 at 6:34 PM, Michael Altfield <[email protected]> wrote:
>>> >
>>> > > Hi Navid,
>>> > >
>>> > > I was just looking for a similar solution to satisfy sections 10.x in
>>> > > the PCI DSS.
>>> > >
>>> > > OSSEC is great for a lot of things, but I wouldn't use it for auditing.
>>> > > I'd look into installing and configuring auditd on all of your linux
>>> > > machines. Then, to be able to generate your reports, I would use splunk.
>>> > > Depending on your needs, you might be able to get by with the free version.
>>> > >
>>> > > Hope this helps.
>>> > >
>>> > > -Michael
>>> > >
>>> > > Navid Paya wrote:
>>> > > > Kudos everyone
>>> > > > I'm working in a firm specialized in providing banking services. I'm
>>> > > > working on a user control mechanism and as part of the mechanism I
>>> > > > need an auditing solution. Here are the requirements I have for my
>>> > > > system:
>>> > > > 1 - Logging all the commands that users enter and preferably storing
>>> > > > them on a per user basis (for instance the command log for the user
>>> > > > "navid" be stored as "navid.log")
>>> > > > 2 - The ability to search for incidents based on user, command or time
>>> > > > 3 - Ability to generate reports on a weekly, monthly, ... basis
>>> > > > I've looked into syslog, syslog-ng, ossec and open-audit but I'm
>>> > > > really not sure which one to go with. I'll be really grateful if you
>>> > > > can shed some light on my limited understanding of this whole thing. I
>>> > > > know about solutions such as bash history but it just doesn't seem
>>> > > > right. I mean, it's Linux for God's sake. There has to be a better way
>>> > > > to do that. And in case it matters, my distro is SuSE Linux Enterprise
>>> > > > Server 10 SP 2.
>>> > > >
>>> > > > Thanks in advance
>>> > > >
>>> > > > Navid
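As an added example (not code from anyone on this thread), the script below takes Jakub's approach, where every privileged command goes through sudo and is written to syslog by the syslog daemon rather than by the audited user, and builds the three things Navid asked for on top of it: a per-user `<user>.log` file, a search by user, command substring or time window, and a view of denied attempts for reports. Because syslog writes the log, the audited user needs no write permission on it, which is the hole Navid hits with `script -aq` in /etc/profile. The sample log lines are constructed for the example; they follow the standard sudo syslog format (`user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...`). The hostname `srv1`, the users and the commands are assumptions, and the year must be passed in because classic syslog timestamps carry none.

```python
import re
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample syslog lines (not from the thread). The second line is a
# non-sudo event and must be ignored; the fourth is a denied sudo attempt.
SAMPLE_SYSLOG = """\
Aug 18 16:41:43 srv1 sudo:    navid : TTY=pts/0 ; PWD=/home/navid ; USER=root ; COMMAND=/bin/cat /var/log/messages
Aug 18 16:42:10 srv1 sshd[2210]: Accepted publickey for navid from 10.0.0.5 port 51234 ssh2
Aug 18 16:45:02 srv1 sudo:    navid : TTY=pts/0 ; PWD=/home/navid ; USER=root ; COMMAND=/usr/bin/vi /etc/profile
Aug 18 17:03:55 srv1 sudo:    jakub : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/jakub ; USER=root ; COMMAND=/bin/cat /etc/shadow
Aug 19 09:12:30 srv1 sudo:    jakub : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/sbin/chattr +a /var/log/user_audit/navid.log
"""

# Standard sudo syslog line: an optional "reason" (e.g. "3 incorrect password
# attempts", "user NOT in sudoers") sits between the user and TTY= on failures.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) :(?: (?P<reason>[^;]*?) ;)? TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)


def parse_sudo_line(line: str, year: int) -> Optional[dict]:
    """Return a structured entry for a sudo syslog line, or None for anything else."""
    m = SUDO_RE.match(line.rstrip("\n"))
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": when, "host": m["host"], "user": m["user"], "tty": m["tty"],
        "pwd": m["pwd"], "target": m["target"], "command": m["command"],
        "reason": m["reason"],  # None when sudo allowed the command
    }


def per_user_logs(lines, year: int) -> Dict[str, List[dict]]:
    """Group parsed sudo entries by the invoking user (requirement 1)."""
    logs: Dict[str, List[dict]] = {}
    for line in lines:
        entry = parse_sudo_line(line, year)
        if entry:
            logs.setdefault(entry["user"], []).append(entry)
    return logs


def format_entry(e: dict) -> str:
    status = f"DENIED({e['reason']})" if e["reason"] else "OK"
    return (f"{e['time'].isoformat()} {e['user']}@{e['host']} {status} "
            f"tty={e['tty']} pwd={e['pwd']} as={e['target']} cmd={e['command']}")


def write_per_user_logs(logs: Dict[str, List[dict]], directory) -> List[Path]:
    """Append each user's entries to <directory>/<user>.log; returns the paths written."""
    directory = Path(directory)
    directory.mkdir(parents=True, exist_ok=True)
    written = []
    for user, entries in sorted(logs.items()):
        path = directory / f"{user}.log"
        with path.open("a") as fh:
            for e in entries:
                fh.write(format_entry(e) + "\n")
        written.append(path)
    return written


def search(logs, user=None, command=None, since=None, until=None, failed_only=False) -> List[dict]:
    """Filter by user, command substring and time window (requirement 2)."""
    entries = logs.get(user, []) if user else [e for es in logs.values() for e in es]
    out = []
    for e in sorted(entries, key=lambda e: e["time"]):
        if command and command not in e["command"]:
            continue
        if since and e["time"] < since:
            continue
        if until and e["time"] > until:
            continue
        if failed_only and not e["reason"]:
            continue
        out.append(e)
    return out


if __name__ == "__main__":
    logs = per_user_logs(SAMPLE_SYSLOG.splitlines(), 2009)
    for user, entries in sorted(logs.items()):
        print(f"--- {user}.log ({len(entries)} entries)")
        for e in entries:
            print(format_entry(e))
    print("--- denied attempts (report input, requirement 3)")
    for e in search(logs, failed_only=True):
        print(format_entry(e))
```

Run it against `/var/log/messages` (or wherever the distro's syslog puts the authpriv facility) with the current year, and point `write_per_user_logs` at a root-owned directory such as /var/log/user_audit; the audited users never need write access to it. Weekly or monthly reports are just `search` calls with `since` and `until` bounds.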
