Steve Grubb wrote:
> The real issue is that almost any attempt to audit it can be trivially
> bypassed. For example, you can source a file in bash. Did it execute any
> commands or just set up environment variables? You can mmap a file that can be
> exec'ed by another program. The bash history can be bypassed by opening vi
> and exec'ing commands directly in vi. It's a really hard problem.
Without administrator action, bash doesn't log everything anyway: each
bash takes a note of the file's history and appends from there,
potentially clobbering other history.
chattr +i fixes that, but if the user does this:
    exec -l sh
then, unless there's something I've missed, commands are not logged. And
there may be other shells, perhaps despite the administrator's wishes -
IBM's DB2 used to require pdksh to install.
> The best practice is to lock down everything as a script that sudo runs. Sudo
> in 5.2 will log it to the audit system. If that is not acceptable, then you
> can use the audit system to get some of what they are doing, but you could
> wind up with an overwhelming amount of data until you refine what you are
> really after.
> -Steve
35 years ago, I was a systems programmer in an OS/VS environment. OS,
back then, had a facility called SMF which could log every open, close,
(equivalent) to exec, file create, file delete, file rename and a heap
of other stuff. One couldn't tell what everyone did (that wasn't the
purpose)[1], but there were plenty of clues.
I don't see a problem with logging lots of data.
[1] The information is provided for installations to charge users for
the use of the resources.
--
Cheers
John
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
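An added example to illustrate the two points made in the thread above (it is not code from Steve Grubb, John, or the list): the audit system's execve records catch exactly the cases that .bash_history misses, namely `exec -l sh` (the new shell shows up as an execve of /bin/sh with argv[0] "-sh") and `:!cmd` inside vi (vi spawns `sh -c cmd`, whose parent pid points back at the vi process). Sourcing a file, as Steve says, produces no execve record at all unless something inside it runs an external program. The script below joins each SYSCALL record with its EXECVE record by audit event id, decodes the hex form auditd uses for arguments containing spaces, and flags shell launches together with their parent command. The audit records are constructed to match the layout of /var/log/audit/audit.log but are not real captures; the key name "user-cmds" is the assumption that a rule such as `-a always,exit -F arch=b64 -S execve -F auid>=1000 -k user-cmds` was loaded, and the SYSCALL records omit the a0..a3 register fields for brevity. The `a1[0]`/`a1_len` fragment form that auditd uses for very long arguments is not handled here.

```python
import os
import re
from collections import OrderedDict

# Constructed sample audit records (not a real capture). A SYSCALL record and
# an EXECVE record share one event id: the number after the colon in
# msg=audit(<time>:<id>). Scenario, in order: the user runs `exec -l sh` from
# bash (201), then `vi /etc/hosts` (202), then `:!id` inside vi (203, 204),
# then `grep "hello world" /etc/hosts` (205; the argument with a space is
# hex-encoded by auditd). Pids, timestamps and the key "user-cmds" are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1300000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4001 auid=1000 uid=1000 comm="sh" exe="/bin/sh" key="user-cmds"
type=EXECVE msg=audit(1300000000.101:201): argc=1 a0="-sh"
type=SYSCALL msg=audit(1300000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4001 pid=4002 auid=1000 uid=1000 comm="vi" exe="/usr/bin/vi" key="user-cmds"
type=EXECVE msg=audit(1300000000.102:202): argc=2 a0="vi" a1="/etc/hosts"
type=SYSCALL msg=audit(1300000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4002 pid=4003 auid=1000 uid=1000 comm="sh" exe="/bin/sh" key="user-cmds"
type=EXECVE msg=audit(1300000000.103:203): argc=3 a0="sh" a1="-c" a2="id"
type=SYSCALL msg=audit(1300000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=4002 pid=4003 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="user-cmds"
type=EXECVE msg=audit(1300000000.104:204): argc=1 a0="id"
type=SYSCALL msg=audit(1300000000.105:205): arch=c000003e syscall=59 success=yes exit=0 ppid=4001 pid=4004 auid=1000 uid=1000 comm="grep" exe="/bin/grep" key="user-cmds"
type=EXECVE msg=audit(1300000000.105:205): argc=3 a0="grep" a1=68656C6C6F20776F726C64 a2="/etc/hosts"
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ARG_RE = re.compile(r"a\d+")
# Shells whose launch .bash_history would never record (pdksh is the one John names).
SHELLS = {"sh", "bash", "ksh", "pdksh", "csh", "tcsh", "zsh"}


def decode_value(raw):
    """Audit quotes plain strings; a value holding spaces or odd bytes is written
    as unquoted uppercase hex, which is decoded back to text here."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r"[0-9A-F]+", raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_audit_log(text):
    """Join SYSCALL and EXECVE records by event id and return the reconstructed
    commands in log order. An event without an EXECVE record is not an exec
    (e.g. a sourced file sets variables without any execve) and is skipped."""
    events = OrderedDict()
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"argv": {}})
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") == "SYSCALL":
            for k in ("auid", "uid", "pid", "ppid", "key", "success"):
                if k in fields:
                    ev[k] = fields[k].strip('"')
            for k in ("exe", "comm"):
                if k in fields:
                    ev[k] = decode_value(fields[k])
        elif fields.get("type") == "EXECVE":
            for name, raw in fields.items():
                if ARG_RE.fullmatch(name):
                    ev["argv"][int(name[1:])] = decode_value(raw)
    commands = []
    for eid, ev in events.items():
        if not ev["argv"]:
            continue
        argv = [ev["argv"][i] for i in sorted(ev["argv"])]
        commands.append({"event": eid, "auid": ev.get("auid"), "pid": ev.get("pid"),
                         "ppid": ev.get("ppid"), "exe": ev.get("exe"), "argv": argv})
    return commands


def shell_launches(commands):
    """Commands that started a shell. argv[0] of "-sh" is a login shell, which is
    what `exec -l sh` produces; vi's :!cmd shows up as `sh -c cmd`."""
    hits = []
    for cmd in commands:
        exe_name = os.path.basename(cmd["exe"] or "")
        argv0 = os.path.basename(cmd["argv"][0].lstrip("-"))
        if exe_name in SHELLS or argv0 in SHELLS:
            hits.append(cmd)
    return hits


def parent_command(commands, cmd):
    """Most recent earlier exec whose pid is this command's ppid, or None. This
    is how a shell spawned from inside vi is attributed back to vi."""
    parent = None
    for other in commands:
        if other is cmd:
            break
        if other["pid"] == cmd["ppid"]:
            parent = other
    return parent


if __name__ == "__main__":
    cmds = parse_audit_log(SAMPLE_AUDIT_LOG)
    for c in shell_launches(cmds):
        p = parent_command(cmds, c)
        via = " ".join(p["argv"]) if p else "(parent not in log)"
        print("auid=%s pid=%s shell launch: %s   spawned by: %s"
              % (c["auid"], c["pid"], " ".join(c["argv"]), via))
```

Against the constructed records this reports two shell launches: event 201 (`-sh`, the `exec -l sh` that bash history loses, with no parent exec in the log because bash itself was started before auditing) and event 203 (`sh -c id`, attributed to the `vi /etc/hosts` process). As Steve notes, a rule on every execve for every user will drown you in records; narrowing by auid, key or comm before parsing is the refinement step.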