On Sat, 20 Sep 2008, Francisco Garcia wrote:

Basically I'd like to track what user issued what command, exactly
when and logged from where (.bash_history and sudo log aren't very
useful).

On a second thought, I'd also like to log what files were accessed by a
certain user (process "foo" launched by user "bar" that read the file
"quuz" and erased file "zilch"). Apparently that's possible with a
piece of software called audit: aucat/augrep/etc; but I'm pretty
confident it's not the audit package shipped in rhel5 -- can anybody
prove me wrong?

Audit can do most of that, but it's not configured to be that detailed by default. You can search the audit log (presuming you have auditing running and auditd is started) by using "ausearch" - e.g. "ausearch -i -ui 0"

You can configure what audit watches in /etc/audit.rules, but to watch "everything" a user does will be resource intensive. Currently audit is configured to watch for modifications to sensitive files and running of particular binaries.

--
Sam

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
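
Added example, not part of the original thread: a small Python parser that joins audit records by event id to report who ran which command and which watched file was touched. The log lines are constructed, and the rule keys `usercmd` and `filewatch` and the path `/home/bar/data` are assumptions.

```python
import re
from datetime import datetime, timezone

# Rules assumed to be loaded (key names and the watched path are hypothetical):
#   -a exit,always -F arch=b64 -S execve -k usercmd
#   -w /home/bar/data -p rwa -k filewatch
# Constructed sample records in audit.log style, fields trimmed for brevity.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1221912000.101:4567): arch=c000003e syscall=59 success=yes exit=0 pid=2150 auid=500 uid=0 tty=pts1 comm="rm" exe="/bin/rm" key="usercmd"
type=EXECVE msg=audit(1221912000.101:4567): argc=2 a0="rm" a1="/home/bar/data/zilch"
type=SYSCALL msg=audit(1221912000.250:4568): arch=c000003e syscall=87 success=yes exit=0 pid=2150 auid=500 uid=0 tty=pts1 comm="rm" exe="/bin/rm" key="filewatch"
type=PATH msg=audit(1221912000.250:4568): item=0 name="/home/bar/data/zilch" inode=98311
type=SYSCALL msg=audit(1221912060.007:4570): arch=c000003e syscall=59 success=yes exit=0 pid=2201 auid=501 uid=501 tty=pts2 comm="cat" exe="/bin/cat" key="usercmd"
type=EXECVE msg=audit(1221912060.007:4570): argc=2 a0="cat" a1="quuz"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Merge all records sharing one audit(time:serial) id into one event."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or malformed lines
        rtype, secs, serial, body = m.groups()
        ev = events.setdefault(int(serial), {"time": int(secs)})
        ev[rtype] = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return events

def who_did_what(text):
    """One row per event: (UTC time, login uid, uid, exe, rule key, detail)."""
    rows = []
    for _, ev in sorted(parse_events(text).items()):
        sc = ev.get("SYSCALL")
        if sc is None:
            continue
        if "EXECVE" in ev:  # command line: a0 .. a(argc-1)
            ex = ev["EXECVE"]
            detail = " ".join(ex[f"a{i}"] for i in range(int(ex["argc"])))
        else:  # file watch hit: the path the syscall touched
            detail = ev.get("PATH", {}).get("name", "")
        when = datetime.fromtimestamp(ev["time"], tz=timezone.utc)
        rows.append((when.strftime("%Y-%m-%d %H:%M:%S"), int(sc["auid"]),
                     int(sc["uid"]), sc["exe"], sc["key"], detail))
    return rows

if __name__ == "__main__":
    for row in who_did_what(SAMPLE_LOG):
        print(row)
```

In the first two rows `auid` is 500 while `uid` is 0: the login uid is set at login and kept across su or sudo, so it identifies the user who actually issued the command.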