On Sat, 20 Sep 2008, Francisco Garcia wrote:
> Basically I'd like to track what user issued what command, exactly
> when and logged from where (.bash_history and sudo log aren't very
> useful).
>
> On a second thought, I'd also like to log what files were accessed by a
> certain user (process "foo" launched by user "bar" that read the file
> "quuz" and erased file "zilch"). Apparently that's possible with a
> piece of software called audit: aucat/augrep/etc; but I'm pretty
> confident it's not the audit package shipped in rhel5 -- can anybody
> prove me wrong?

Audit can do most of that, but it's not configured to be that detailed
by default. You can search the audit log (presuming you have auditing
running and auditd is started) by using "ausearch" - e.g.
"ausearch -i -ui 0"

You can configure what audit watches in /etc/audit.rules, but to watch
"everything" a user does will be resource intensive. Currently audit is
configured to watch for modifications to sensitive files and running of
particular binaries.

--
Sam
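
A scoped rule set in the spirit of the reply above, added here as an illustration; it is not taken from the thread or from the rules RHEL ships. UID 500 for user "bar", the path /srv/data/quuz, the x86_64 architecture and the key names are all assumptions.

```conf
# Added example for the audit rules file; all values below are constructed.
# Assumptions: user "bar" has UID 500, the file of interest is
# /srv/data/quuz, the host is x86_64, and the key names are made up.

# The "watch everything" case the reply warns about: every execve by
# every user. Left commented out because of the volume it generates.
# -a exit,always -F arch=b64 -S execve -k all-exec

# Scoped alternative: commands started by login UID 500 only.
# auid is the login UID; it is set once at login and does not change
# when the user switches identity with su or sudo, so commands run as
# root from bar's session are still attributed to bar.
# "exit,always" is the older list,action ordering.
-a exit,always -F arch=b64 -S execve -F auid=500 -k bar-exec
# Same rule for 32-bit binaries on a 64-bit host.
-a exit,always -F arch=b32 -S execve -F auid=500 -k bar-exec

# Scoped file watch: reads (r), writes (w) and attribute changes (a)
# on a single file, by any user.
-w /srv/data/quuz -p rwa -k quuz-access

# Searching the resulting records (run as root, not part of the rules):
#   ausearch -i -k bar-exec       commands run from bar's sessions
#   ausearch -i -k quuz-access    who touched the watched file
#   ausearch -i -ul 500           everything recorded for login UID 500
```

Each matching event carries a timestamp, the auid/uid pair, the tty and the executable path, which is the who, when and what that .bash_history cannot provide reliably.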