Pretty cool. However, with the built-in bash syslog of history, there's no way to evade and no scripting required. Of course, if you aren't using bash, then it really doesn't matter.
Another point: when I do it with the built-in bash syslog of history, I make sure I don't have any other shells installed. It'd be trivial to evade if the user just runs ash/ksh/csh/tcsh :)
On Nov 22, 2011, at 2:01 PM, Nils wrote:
Thanks for your valuable feedback!
I got another neat approach off-list which I want to share with
you:
[Quote]
The step we use to pass that PCI requirement for linux is to put the
following inside of /etc/profile
PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER "$(history 1)" | logger -p local2.info -t "shell_history"'
logger being the transport to syslog/syslog-ng/rsyslog.
There are some sly tricks to evade it, but this will pass their
requirement. Just make sure the syslogging facility you use is
sending and logging it on a separate machine.
I prefer rsyslog.
[/Quote]
Cheers,
Nils
On 21.11.2011 17:03, Nils wrote:
Hi guys,
I'm looking into solutions to comply with PCI DSS requirement
10.2.2 (Logging: All actions taken by any individual with root
or administrative privileges), especially on Linux systems.
Therefore I've checked for ways to provide a shell that logs
all actions taken.
I stumbled upon stuff like:
mkfifo myfifo; logger -f myfifo & script -f myfifo
rootsh
sudoshell (ss)
What are your experiences in this realm?
The best solution would be something done with on-board means or a
package provided by the Linux distribution, in this case Debian.
Thanks!
Nils
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Champ Clark III (office) 904.253.7856
(mobile) 850.443.2440 (SOC) 800.538.9357 ext 101
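As an added example, not code from the thread: a defender-side check over the shell_history lines that the quoted PROMPT_COMMAND hook ships to syslog, which collapses the repeat entry an empty prompt produces and flags history-number gaps, the non-bash shells Champ mentions being started, and hook runs that found an empty history list. The sample lines, host and user names are constructed, and the line layout assumes the default rsyslog format with `history 1` printing `<num>  <cmd>`.

```python
import re
# Constructed sample rsyslog lines in the shape the quoted PROMPT_COMMAND hook
# emits: "<timestamp> <host> shell_history: <pid> <user> <histnum>  <command>".
SAMPLE_LOG = """\
Nov 22 14:01:02 web01 shell_history: 4242 root    17  cd /etc
Nov 22 14:01:09 web01 shell_history: 4242 root    18  vi sudoers
Nov 22 14:01:09 web01 shell_history: 4242 root    18  vi sudoers
Nov 22 14:02:30 web01 shell_history: 4242 root    25  ls -la
Nov 22 14:03:11 web01 shell_history: 4242 root    26  tcsh
Nov 22 14:05:00 web01 shell_history: 5101 nils     3  sudo -i
Nov 22 14:05:40 web01 shell_history: 5101 nils
"""
# `history 1` prints "<num>[*]  <cmd>"; that tail is absent when the history list is empty.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) shell_history: "
    r"(?P<pid>\d+) (?P<user>\S+)(?: +(?P<num>\d+)\*? +(?P<cmd>.*?))? *$"
)
# Shells other than bash: once one of these is running, the hook no longer fires.
OTHER_SHELLS = {"sh", "ash", "dash", "ksh", "csh", "tcsh", "zsh"}


def parse_line(line):
    """Return the fields of one shell_history line as a dict, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text):
    """Walk the lines per session (pid); return (kind, pid, user, detail) findings for
    history-number gaps, non-bash shells started, and hook runs that saw no history."""
    findings, last_num = [], {}  # last_num: pid -> last history number logged
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pid, user = rec["pid"], rec["user"]
        if rec["num"] is None:
            findings.append(("empty_history", pid, user, "hook ran with no history entry"))
            continue
        num, cmd = int(rec["num"]), rec["cmd"]
        prev = last_num.get(pid)
        if prev == num:
            continue  # an empty prompt re-logs the previous entry; not a new command
        if prev is not None and num != prev + 1:
            detail = f"{num - prev - 1} command(s) between #{prev} and #{num} never reached syslog"
            findings.append(("gap", pid, user, detail))
        words = cmd.split()
        if words and words[0].rsplit("/", 1)[-1] in OTHER_SHELLS:
            findings.append(("other_shell", pid, user, cmd))
        last_num[pid] = num
    return findings
```

A gap only shows that commands never reached syslog, whatever the cause, so pair it with the off-box logging the quoted advice insists on.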