Steve Grubb wrote:


> The real issue is that almost any attempt to audit it can be trivially bypassed. For example, you can source a file in bash. Did it execute any commands or just set up environment variables? You can mmap a file that can be exec'ed by another program. The bash history can be bypassed by opening vi and exec'ing commands directly in vi. It's a really hard problem.

Without administrator action, bash doesn't log everything anyway: each bash takes a note of the file's history and appends from there, potentially clobbering other history.
chattr +i fixes that, but if the user does this:
exec -l sh
then, unless there's something I've missed, commands are not logged. And there may be other shells, perhaps despite the administrator's wishes - IBM's DB2 used to require pdksh to install.


> The best practice is to lock down everything as a script that sudo runs. Sudo in 5.2 will log it to the audit system. If that is not acceptable, then you can use the audit system to get some of what they are doing, but you could wind up with an overwhelming amount of data until you refine what you are really after.
>
> -Steve

35 years ago, I was a systems programmer in an OS/VS environment. OS, back then, had a facility called SMF which could log every open, close, (the equivalent of) exec, file create, file delete, file rename and a heap of other stuff. One couldn't tell what everyone did (that wasn't the purpose)[1], but there were plenty of clues.

I don't see a problem with logging lots of data.

[1] The information is provided for installations to charge users for the use of the resources.

--

Cheers
John

-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
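A worked illustration of the fallback Steve describes (use the audit system, then refine what you capture), added here as an example; it is not code from either poster or from the audit project. It logs at the execve() boundary, which is why `exec -l sh`, a sourced file, or a `:!cmd` from vi all still show up: the kernel records the exec no matter which shell issued it. The audit records below are constructed to look like auditd output (pids, timestamps and paths are made up), the key name "exec-cmds" and the uid threshold of 1000 are my choices, and `arch=b64`/`syscall=59` assume x86_64. On a real box you would run `ausearch -k exec-cmds` rather than hand-join records with awk; the join is spelled out so the correlation is visible.

```shell
#!/bin/sh
# Added example, not from the thread: catch commands at the execve() boundary
# with auditd instead of trusting shell history, and cut the volume with an
# auid filter and a key. Sample records are CONSTRUCTED for illustration;
# pids, timestamps and paths are made up. "exec-cmds" is an assumed key name.

# Rule to drop into /etc/audit/rules.d/ (or load with auditctl): every execve
# by a logged-in, non-system user (auid >= 1000 and set), tagged exec-cmds.
audit_exec_rule() {
    printf '%s\n' \
      '-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec-cmds'
}

# Constructed sample of what auditd would write for three events:
#   501: user 1000 types `exec -l sh` in bash (bash image replaced by dash, argv0 "-sh")
#   502: that sh runs `id` (this never reaches ~/.bash_history)
#   503: root (auid=0) runs cat; the rule above would not keep this one
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=4021 pid=4099 auid=1000 uid=1000 gid=1000 euid=1000 comm="sh" exe="/usr/bin/dash" key="exec-cmds"
type=EXECVE msg=audit(1700000000.101:501): argc=1 a0="-sh"
type=SYSCALL msg=audit(1700000000.250:502): arch=c000003e syscall=59 success=yes exit=0 ppid=4099 pid=4105 auid=1000 uid=1000 gid=1000 euid=1000 comm="id" exe="/usr/bin/id" key="exec-cmds"
type=EXECVE msg=audit(1700000000.250:502): argc=1 a0="id"
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4200 auid=0 uid=0 gid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="exec-cmds"
type=EXECVE msg=audit(1700000000.300:503): argc=2 a0="cat" a1="/etc/shadow"
EOF
}

# Join each EXECVE record to its SYSCALL record by event id (the number after
# the colon in msg=audit(...)) and print one line per exec: who, what, argv.
# ausearch/aureport do this for real logs; this shows the raw correlation.
audit_exec_summary() {
    awk '
    function field(s, name,   v) {          # value of " name=..." with quotes stripped
        if (match(s, " " name "=[^ ]*")) {
            v = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            gsub(/"/, "", v)
            return v
        }
        return "?"
    }
    {
        if (!match($0, /:[0-9]+\)/)) next
        id = substr($0, RSTART + 1, RLENGTH - 2)
        if ($1 == "type=SYSCALL") {
            auid[id] = field($0, "auid"); exe[id] = field($0, "exe")
        } else if ($1 == "type=EXECVE") {
            argv = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
                v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                argv = argv (argv == "" ? "" : " ") v
            }
            print "auid=" auid[id] " exe=" exe[id] " argv=" argv
        }
    }'
}

# Keep only execs by a logged-in user (auid >= 1000): what the rule's
# auid filter leaves you with once you stop logging daemons and root.
audit_user_execs() {
    audit_exec_summary | awk -F'[= ]' '$2 ~ /^[0-9]+$/ && $2 + 0 >= 1000'
}

# Stand-alone run: show the filtered view of the constructed sample.
sample_audit_log | audit_user_execs
```

The two lines this prints are the `exec -l sh` and the `id` that followed it, neither of which ever reached a bash history file. Steve's warning about volume is the reason for the `auid>=1000` and `auid!=4294967295` (unset) filters in the rule: without them every cron job and daemon exec lands in the log too.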
