RE: root shell auditing



Hi Marc,

In addition to auditd, you could also use the "script" command, as this records not only what was typed but what the response was
as well. By adding this as a login shell or as the last line of the /etc/profile script, you can trigger it when someone logs in.
Everything after that, including su/sudo etc., will be logged.

See the man page on script for how to save the log and timing info to other locations.

Rgds,

Simon

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Mars Gobetti
Sent: Monday, July 28, 2008 15:34
To: focus-linux
Subject: root shell auditing

In an effort to comply with ISO 27001, Webtrust and other security certifications, I need to audit root shell usage on many Linux
servers: every bash command entered in the shell, with timestamps, and possibly logging to a remote server.
Which is the best (enterprise class) way to do that?

Currently in our environment administrators get root shell access using sudo -i. Do I need to change this?
I've seen around sudosh (which does the job locally), then Enterprise Audit Shell, but it seems to me these projects are not active
anymore.
Will Free IPA be an answer?

Thank you,

Mars Gobetti
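
One way to wire up the "last line of /etc/profile" approach suggested in the reply, as an added example that is not part of the original thread. The AUDIT_DIR directory, the SESSION_RECORDED guard variable and the file naming scheme are assumptions made for this sketch.

```shell
# Added example: fragment for the end of /etc/profile (or a profile.d file).
# AUDIT_DIR and SESSION_RECORDED are names assumed for this sketch.
AUDIT_DIR="${AUDIT_DIR:-/var/log/session-audit}"

# Build a unique per-session log path from user, tty, start time and PID.
session_log_path() {  # args: user tty epoch pid
    tty_tag=$(printf '%s' "$2" | sed 's|^/dev/||; s|/|-|g')
    printf '%s/%s_%s_%s_%s.log\n' "$AUDIT_DIR" "$1" "$tty_tag" "$3" "$4"
}

# Record only interactive terminal sessions, and skip shells that inherited
# the guard variable, so a session already under script is not recorded twice.
should_record() {
    [ -z "${SESSION_RECORDED:-}" ] || return 1
    case "$-" in *i*) ;; *) return 1 ;; esac
    [ -t 0 ] || return 1
    command -v script >/dev/null 2>&1 || return 1
    [ -d "$AUDIT_DIR" ] && [ -w "$AUDIT_DIR" ]
}

start_recording() {
    should_record || return 0
    log=$(session_log_path "$(id -un)" "$(tty)" "$(date +%s)" "$$")
    SESSION_RECORDED=1; export SESSION_RECORDED
    # -q: no start/stop banner, -f: flush after every write,
    # -t: emit timing data on stderr, captured next to the typescript.
    script -q -f -t "$log" 2>"${log%.log}.timing"
    exit $?   # end the login when the recorded shell exits
}

start_recording
```

A recorded session can be replayed with scriptreplay, given the timing file and the typescript. The files are written on the host itself, so the remote logging asked for in the original question still needs a separate forwarding step.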
