On Saturday 20 September 2008 15:09:55 Francisco Garcia wrote:
> Basically I'd like to track what user issued what command, exactly
> when and logged from where (.bash_history and sudo log aren't very
> useful).

sudo has been modified to send executed commands to the audit system. You 
should be able to use that as a first cut command logging system.


> On a second thought, I'd also like to log what files were accessed by a
> certain user (process "foo" launched by user "bar" that read the file
> "quuz" and erased file "zilch"). Apparently that's possible with a
> piece of software called audit:

Yes, the RHEL5 audit system can do that, too. For example, to get mods to the 
shadow file:

auditctl -w /etc/shadow -p wa -k shadow-write

And to see if it's been modified:

ausearch -k shadow-write

There is ongoing work to enhance the auditing of command execution. I don't 
know if it's complete enough to be bulletproof in RHEL5.3 yet. I still have 
more testing to do.

The real issue is that almost any attempt to audit it can be trivially 
bypassed. For example, you can source a file in bash. Did it execute any 
commands or just set up environment variables? You can mmap a file that can be 
exec'ed by another program. The bash history can be bypassed by opening vi 
and exec'ing commands directly in vi. It's a really hard problem.

The best practice is to lock down everything as a script that sudo runs. Sudo 
in 5.2 will log it to the audit system. If that is not acceptable, then you 
can use the audit system to get some of what they are doing, but you could 
wind up with an overwhelming amount of data until you refine what you are 
really after.

-Steve
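As an added example that is not part of the original thread: a small POSIX sh/awk helper that post-processes raw audit records for the `-k shadow-write` key from the watch rule above, joining each SYSCALL record with its PATH record by event serial so you can see who (auid, the login uid that survives sudo/su) touched /etc/shadow with which program. The audit lines are constructed samples laid out like RHEL5-era audit.log records, not a real capture.

```shell
#!/bin/sh
# Constructed sample audit.log records (field values are made up). Two events
# carry the shadow-write key and touch /etc/shadow; the third is keyed
# differently and must be ignored by the report.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1221930000.123:501): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/bin/vi" key="shadow-write"
type=PATH msg=audit(1221930000.123:501): item=0 name="/etc/shadow" inode=12345 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1221930010.456:502): arch=c000003e syscall=2 success=no exit=-13 auid=501 uid=501 gid=501 euid=501 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="shadow-write"
type=PATH msg=audit(1221930010.456:502): item=0 name="/etc/shadow" inode=12345 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1221930020.789:503): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="bin-exec"'

# audit_key_report KEY: read raw audit records on stdin, join each SYSCALL
# record with its item=0 PATH record by event serial, and print one line per
# event carrying KEY: serial, auid, uid, exe, success flag and the file.
audit_key_report() {
  awk -v want="$1" '
    # field(name): value of the name=value token on the current line, unquoted
    function field(name,    i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, name "=") == 1) {
          v = substr($i, length(name) + 2)
          gsub(/"/, "", v)
          return v
        }
      return "?"
    }
    {
      # $2 looks like msg=audit(1221930000.123:501): ; keep only the serial
      id = $2
      sub(/^msg=audit\([0-9.]*:/, "", id); sub(/\):$/, "", id)
      if ($1 == "type=SYSCALL" && field("key") == want) {
        order[++n] = id
        info[id] = "auid=" field("auid") " uid=" field("uid")
        info[id] = info[id] " exe=" field("exe") " success=" field("success")
      } else if ($1 == "type=PATH" && field("item") == "0") {
        path[id] = field("name")
      }
    }
    END {
      for (i = 1; i <= n; i++)
        print "event=" order[i], info[order[i]], "path=" path[order[i]]
    }'
}

# Stand-alone run over the constructed sample (two lines expected).
printf '%s\n' "$AUDIT_SAMPLE" | audit_key_report shadow-write
```

On a live system the input would come from `ausearch -k shadow-write --raw` or the audit.log itself; a failed open (success=no, as in the second sample event) is still worth seeing, since it shows who tried.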

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
