-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/10/2013 11:48 AM, Josh Bitto wrote:
> Igor,
>
> Thank you for all your insight. I have taken those suggestions already into consideration before starting this topic. Mysql history has already been taken care of ;)
> Anywho...I think it would still be a good practice audit/analysis technique to do this type of logging.
>

We do this in production environments as well (full syslog command line logging). We protect the logs (i.e. "root" readable only) and send syslog off to a centralized syslog server. We do this not only for auditing purposes, but so we can also analyze the syslog/command line via Sagan (plug, I'm the author of Sagan - http://sagan.quadrantsec.com).

For example, we don't expect our admins to compile code on production systems. So, someone attempting to execute gcc/make/etc. might raise a flag. Or perhaps someone trying to set the command line history to /dev/null... or execution of nmap... might raise an alert... Things a normal "admin" wouldn't be doing on our production systems. See https://github.com/beave/sagan-rules/blob/master/bash.rules for some examples.

Is it appropriate everywhere? Probably not, and there are limitations. You just have to make that call on a per-environment basis.

- --
- - Quadrant Information Security
Champ Clark III
o: 800.538.9357 x 101
c: 850.443.2440

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRZY09AAoJENnmXt7Lmc3KU8UIAIN8MbF42VPCXu8HJTM8Qa7Z
qoaTn+uXkQCdsgn2jmoZOayBhlshVLJ1ChntAKCfuJ9aXVFKtvFKMYb4NERoBasC
Tmi5bYPiOpM+JCXFyKLxL4qAiujEvQCRQ/Y7f6rhL+jG0jCbC0IexMI0/g8HyA/O
rcvwhgaqVZHY8NR/azMfIsWg2Kxc5mAxCBgE/uhg//gw1/tXLvDbvj5B8cvW5eHk
+AibcJt5jKtcB3PVqY7ZGZ8RuhYCY0UuXLH5jg+YyrNNlPpj21zcWjmMdUDxuc1x
ts0H84K3MVLwYTSKU0fIJMvmmg1YdTdpbI/RsgBh1UooauLMO7v6851VcCitVyc=
=XGaW
-----END PGP SIGNATURE-----
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
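The post describes the detection idea (flag compiler use, history being sent to /dev/null, and nmap execution in bash command-line logs shipped over syslog) but not the matching itself. The following is an added example, not Sagan and not the project's bash.rules syntax; the syslog line layout, hostnames, user names and commands are constructed assumptions, and the three rules are simply the cases the post names, written as regexes over the logged command string.

```python
"""Flag suspicious commands in bash-to-syslog command-line logs.

Added illustration of the approach in the post above; this is not Sagan
and does not use Sagan's rule format.
"""
import re
from dataclasses import dataclass

# Constructed sample records. The layout (HISTORY: ... USER=... CMD="...")
# is an assumption; real bash-to-syslog patches and wrappers differ.
SAMPLE_LOG = """\
Apr 10 11:52:01 web01 bash[2213]: HISTORY: PID=2213 UID=1001 USER=alice CMD="ls -la /var/www"
Apr 10 11:52:09 web01 bash[2213]: HISTORY: PID=2213 UID=1001 USER=alice CMD="gcc -o tool tool.c"
Apr 10 11:53:14 web01 bash[2290]: HISTORY: PID=2290 UID=1002 USER=bob CMD="export HISTFILE=/dev/null"
Apr 10 11:53:20 web01 bash[2290]: HISTORY: PID=2290 UID=1002 USER=bob CMD="nmap -sV 10.0.0.5"
Apr 10 11:54:00 web01 bash[2301]: HISTORY: PID=2301 UID=1003 USER=carol CMD="sudo systemctl restart httpd"
Apr 10 11:54:30 web01 bash[2301]: HISTORY: PID=2301 UID=1003 USER=carol CMD="ln -sf /dev/null ~/.bash_history"
Apr 10 11:55:00 web01 sshd[2400]: Accepted publickey for carol from 10.0.0.9 port 51022 ssh2
"""

# Assumed record format: timestamp, host, bash[pid], then USER= and a quoted CMD.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) bash\[(?P<pid>\d+)\]: '
    r'HISTORY: .*?USER=(?P<user>\S+) CMD="(?P<cmd>.*)"$'
)

# (rule name, severity, regex over the command string). These cover only the
# three behaviours the post mentions; a real rule set would be far larger.
RULES = [
    ("compiler on production host", "medium",
     re.compile(r'^(?:sudo\s+)?(?:gcc|g\+\+|cc|clang|make)(?:\s|$)')),
    ("shell history disabled", "high",
     re.compile(r'HISTFILE=\s*/dev/null|unset\s+HISTFILE|history\s+-c(?:\s|$)'
                r'|/dev/null\s+\S*\.bash_history')),
    ("network scanner executed", "high",
     re.compile(r'^(?:sudo\s+)?nmap(?:\s|$)')),
]


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    severity: str
    cmd: str


def parse_line(line):
    """Return the record fields for a command-history line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Run every rule over every parsed command and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # sshd, cron, etc. are not command-history records; skip them
        for name, severity, rx in RULES:
            if rx.search(rec["cmd"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], name, severity, rec["cmd"]))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'{a.ts} {a.host} user={a.user} [{a.severity}] {a.rule}: {a.cmd}')
```

Run stand-alone it prints four alerts (alice's gcc, bob's HISTFILE change and nmap run, carol's symlink of .bash_history to /dev/null) and ignores the unrelated sshd line. Matching on the logged command string is deliberately anchored at the start of the command so that, for instance, a filename containing "make" does not trigger the compiler rule; the history rule is the one place where a substring match is wanted, because the interesting token can appear anywhere in the command.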

