Hi lads
Thanks for all your help so far. I don't think I could have managed a
10th of that on my own. I chose to go with evilghost's suggestion since it
worked seamlessly.
export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER "$(history 1)"|logger -p user.alert -t bash_history'
readonly PROMPT_COMMAND
Now I have two things left to wrap it up. First, I need the user inputs to be
logged to the /var/log/user.log file instead of /var/log/messages. I tried to
define a facility in /etc/syslog-ng/syslog-ng.conf but it doesn't work. Any
ideas?
And second, as mentioned by some of the lads before, if the user creates a
file, executes the file and removes it afterwards, we have no idea what
the file contained. I know I have to do this part with auditd but I have no clue
how. Can you give me a hint on this part as well? And is it just my feeling,
or is auditd not documented well at all? I can't find any good samples on the
web. Thanks for all your help as always.


Navid


On Wed, Aug 19, 2009 at 1:55 AM, Michael Starks <
[email protected]> wrote:

>
>
> On Tue, 11 Aug 2009 05:23:41 -0700 (PDT), Jakub Moravek
> <[email protected]> wrote:
> > Hi Navid,
> >    in our environment we need only log commands of users with
> > administrator privileges (PCI DSS requirement). So we disabled su
> > usage and all commands have to be done using sudo, which logs every
> > command into syslog.
>
> You mean, like "sudo su -" :)
>
> --
> Michael Starks
> [I] Immutable Security
> http://www.immutablesecurity.com
> Information Security, Privacy and Personal Liberty
>
