On Saturday 20 September 2008 15:09:55 Francisco Garcia wrote:
> Basically I'd like to track what user issued what command, exactly
> when and logged from where (.bash_history and sudo log aren't very
> useful).

sudo has been modified to send executed commands to the audit system. You should be able to use that as a first cut command logging system.

> On a second thought, I'd also like to log what files were accessed by a
> certain user (process "foo" launched by user "bar" that read the file
> "quuz" and erased file "zilch"). Apparently that's possible with a
> piece of software called audit:

Yes, the RHEL5 audit system can do that, too. For example, to get mods to the shadow file:

auditctl -w /etc/shadow -p wa -k shadow-write

And to see if it's been modified:

ausearch -k shadow-write

There is ongoing work to enhance the auditing of command execution. I don't know if it's complete enough to be bulletproof in RHEL5.3 yet. I still have more testing to do.

The real issue is that almost any attempt to audit it can be trivially bypassed. For example, you can source a file in bash. Did it execute any commands or just set up environment variables? You can mmap a file that can be exec'ed by another program. The bash history can be bypassed by opening vi and exec'ing commands directly in vi. It's a really hard problem.

The best practice is to lock down everything as a script that sudo runs. Sudo in 5.2 will log it to the audit system. If that is not acceptable, then you can use the audit system to get some of what they are doing, but you could wind up with an overwhelming amount of data until you refine what you are really after.

-Steve

_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list
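The two commands above are the setup (a watch on /etc/shadow tagged with a key) and the query (`ausearch -k`); what `ausearch` reads are raw records in /var/log/audit/audit.log, several of which (SYSCALL, CWD, PATH) share one `audit(timestamp:serial)` id and together describe a single event. The parser below is an added example, not code from the list post or from the audit project: it groups raw records by that id and answers Francisco's question directly, which login user, through which process, opened or removed which file, filtered by key the way `ausearch -k` does. The sample log lines, pids, inodes, timestamps and the keys other than `shadow-write` are constructed; the syscall-number table assumes x86_64 records (`arch=c000003e`). The distinction the rows make between `auid` (the login uid, which is set at login and kept across su/sudo) and `uid` is exactly what lets a watch attribute a root-owned edit back to the person who logged in.

```python
"""Group raw Linux audit records into events and report who touched what.

Added example; the log below is constructed to look like /var/log/audit/audit.log
after `auditctl -w /etc/shadow -p wa -k shadow-write` (plus two hypothetical
watches keyed etc-read and tmp-delete).  Syscall numbers assume x86_64.
"""
import re
from collections import OrderedDict
from datetime import datetime, timezone

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1222000000.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=241 a2=1b6 a3=0 items=2 ppid=1200 pid=1234 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vi" exe="/bin/vi" key="shadow-write"
type=CWD msg=audit(1222000000.123:456):  cwd="/root"
type=PATH msg=audit(1222000000.123:456): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1222000000.123:456): item=1 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1222000300.999:789): arch=c000003e syscall=2 success=yes exit=4 a0=1 a1=0 a2=0 a3=0 items=1 ppid=900 pid=4321 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=3 comm="cat" exe="/bin/cat" key="etc-read"
type=PATH msg=audit(1222000300.999:789): item=0 name="/etc/passwd" inode=1235 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1222000600.500:900): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1 a1=0 a2=0 a3=0 items=2 ppid=900 pid=4400 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=3 comm="rm" exe="/bin/rm" key="tmp-delete"
type=CWD msg=audit(1222000600.500:900):  cwd="/home/bar"
type=PATH msg=audit(1222000600.500:900): item=0 name="/tmp/" inode=3 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1222000600.500:900): item=1 name=2F746D702F6D792066696C65 inode=4242 dev=fd:00 mode=0100644 ouid=501 ogid=501 rdev=00:00
"""

# type=... msg=audit(SECONDS.MILLIS:SERIAL): rest-of-record
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Fields the kernel hex-encodes (unquoted) when the value has spaces/control chars
HEX_FIELDS = {"name", "cwd", "comm", "exe", "proctitle"}
# Assumption: records come from an x86_64 host; only the numbers used here
SYSCALL_NAMES = {2: "open", 82: "rename", 87: "unlink", 257: "openat", 263: "unlinkat"}


def decode_hex(raw):
    """Turn an unquoted all-hex token (e.g. a filename with a space) back into text."""
    if raw and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_fields(body):
    """Split the record body into a dict; strips quotes, decodes hex-encoded names."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key in HEX_FIELDS:
            fields[key] = decode_hex(bare)
        else:
            fields[key] = bare
    return fields


def parse_audit_log(text):
    """Group records sharing an audit(ts:serial) id into one event, in log order."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank or non-audit line
        eid = (m.group("ts"), m.group("serial"))
        ev = events.setdefault(eid, {"ts": float(m.group("ts")),
                                     "syscall": None, "paths": [], "cwd": None})
        fields = parse_fields(m.group("body"))
        rtype = m.group("type")
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
    return events


def summarize(events):
    """One flat row per event that has a SYSCALL record (watch hits always do)."""
    rows = []
    for ev in events.values():
        sc = ev["syscall"]
        if sc is None:
            continue
        nr = int(sc.get("syscall", -1))
        rows.append({
            "time": datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat(),
            "auid": int(sc["auid"]),  # login uid: who actually logged in, even after sudo
            "uid": int(sc["uid"]),    # identity the process ran as at the time
            "pid": int(sc["pid"]),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "syscall": SYSCALL_NAMES.get(nr, str(nr)),
            "success": sc.get("success") == "yes",
            "key": sc.get("key"),     # the -k tag from the auditctl rule
            "cwd": ev["cwd"],
            "paths": [p for p in ev["paths"] if p],
        })
    return rows


def search_by_key(rows, key):
    """Same selection as `ausearch -k KEY`, over the parsed rows."""
    return [r for r in rows if r["key"] == key]


def format_row(r):
    return (f'{r["time"]} auid={r["auid"]} uid={r["uid"]} pid={r["pid"]} '
            f'{r["exe"]} {r["syscall"]} {" ".join(r["paths"])} key={r["key"]}')


if __name__ == "__main__":
    rows = summarize(parse_audit_log(SAMPLE_LOG))
    for r in search_by_key(rows, "shadow-write"):
        print(format_row(r))
```

The first sample event is the case the thread is about: `uid=0` because the editor ran under sudo, but `auid=500` still names the login user. The third event shows the hex-encoded PATH name the kernel emits for a filename containing a space, which a parser that only strips quotes would misreport. Steve's caveat still applies to everything this reports: a watch records that `/bin/vi` opened `/etc/shadow`, not what was typed inside vi.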
