Hi
I have found one way, though maybe not one of the best ways.
1) Edit /etc/profile and use the logger facility to log the typed
commands to /var/log/messages or some other facility by adding:
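    # Idle timeout (in seconds) for interactive bash sessions
    if [ "$BASH" ]; then
        export TMOUT=300
    fi

    # Send the command line currently being executed to syslog
    function history_to_syslog
    {
        declare cmd
        cmd=$(fc -ln -0)
        # fc prefixes the entry with whitespace; strip it
        cmd="${cmd#"${cmd%%[![:space:]]*}"}"
        # Quote the message so globs and spacing are logged as typed
        logger -p local7.notice -- "SESSION = $$, CMD =$cmd"
    }
    # The DEBUG trap runs before every simple command
    trap history_to_syslog DEBUG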
2) Make rules in local_rules.xml to monitor the commands or do some
correlation as per your need.
It might not be a flawless method, as anyone can alter the bash profile,
which you can monitor through an integrity check. It may serve some
purposes ;-)
Regards
Gagan
On Mar 22, 5:21 pm, "Iñaki R." <[email protected]> wrote:
> Hi Gagan,
>
> I'm not using it but you have two options:
>
> - Add history files to your ossec config and make rules to monitor
> some "ugly" commands.
> - Also you could use SELinux to audit commands, I can't remember what
> you need but I suppose google is waiting for you :)
>
> Greetings
>
> Iñaki R.
>
>
>
> Gags wrote:
> > Dear All
>
> > Is anyone using ossec to monitor root activity (activity done by
> > root in terms of commands executed)? Otherwise, if anyone can enlighten
> > me with an idea of how to achieve the same
>
> > Regards
> > Gagan Bhatia
>
> > To unsubscribe from this group, send email to
> > ossec-list+unsubscribegooglegroups.com or reply to this email with the
> > words "REMOVE ME" as the subject.
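The match logic for step 2 can be prototyped against the log format from step 1 before it is written into local_rules.xml. The script below is an added example, not part of the original thread; the sample log lines, the watch list and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of syslog lines in the "SESSION = <pid>, CMD =<command>"
# format emitted by the logger call in /etc/profile.
sample_log() {
cat <<'EOF'
Mar 22 17:30:01 host1 root: SESSION = 4211, CMD =cat /etc/shadow | wc -l
Mar 22 17:30:01 host1 root: SESSION = 4211, CMD =cat /etc/shadow | wc -l
Mar 22 17:30:09 host1 root: SESSION = 4211, CMD =ls -la /tmp
Mar 22 17:31:40 host1 root: SESSION = 5120, CMD = vi /etc/profile
Mar 22 17:32:02 host1 root: SESSION = 5120, CMD =useradd -m tempadmin
EOF
}

# Hypothetical watch list: an extended regex applied to the CMD field only,
# so a hostname or tag elsewhere in the line cannot trigger a match.
WATCH='(/etc/profile|/etc/shadow|useradd|visudo)'

# Reads syslog lines on stdin and prints one
#   ALERT session=<pid> cmd=<command>
# line per watched command. The DEBUG trap fires before every simple command,
# so a single typed pipeline is logged several times; consecutive identical
# commands within one session are collapsed into a single alert.
audit_commands() {
  awk -v watch="$WATCH" '
    match($0, /SESSION = [0-9]+, CMD =/) {
      head = substr($0, RSTART, RLENGTH)
      cmd  = substr($0, RSTART + RLENGTH)
      sub(/^[ \t]+/, "", cmd)          # accept both "CMD =x" and "CMD = x"
      sid = head
      sub(/^SESSION = /, "", sid)
      sub(/,.*/, "", sid)
      if (last[sid] == cmd) next       # duplicate from the DEBUG trap
      last[sid] = cmd
      if (cmd ~ watch) print "ALERT session=" sid " cmd=" cmd
    }'
}

sample_log | audit_commands
```

Once the watch list behaves as intended here, the same patterns can be carried into the rules in local_rules.xml.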