Re: root shell auditing



On Monday 28 July 2008 08:34:12 Mars Gobetti wrote:
In an effort to comply with ISO 27001, Webtrust and other security
certifications I need to audit root shell usage on many Linux servers:
every bash command entered in the shell, with timestamps, and possibly
logging to a remote server. Which is the best (enterprise class) way to do
that?

Currently in our environment administrators get root shell access using
sudo -i. Do I need to change this? I've seen around sudosh (which does the job
locally), then Enterprise Audit Shell, but it seems to me these projects are
not active any more. Will Free IPA be an answer?

Consider trying snoopy, it logs all commands that are executed by all users
and daemons - not just directly in the shell, but if you run a script from
the shell and the script calls other commands - they will all be logged. I
find that it helps with debugging sometimes, too.

A few distros package it.

http://freshmeat.net/projects/snoopy_logger/

It does not log bash internals (for example, "alias" or "source") but it will
log any commands that are run by them.

JW

--

----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com
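
The reply's caveat about shell internals can be checked per command before relying on an exec-based logger for audit coverage. The following is an added example, not part of the original post or of snoopy: it assumes the logger only sees programs started through exec, and the function names and the sample session are constructed for illustration.

```shell
#!/bin/sh
# Added example: which commands in a root session would an exec-hooking
# logger (such as snoopy, per the reply above) record, and which run
# inside the shell and leave no exec to log?

# classify NAME -> prints "exec", "internal" or "unknown"
classify() {
    resolved=$(command -v "$1" 2>/dev/null) || { echo unknown; return; }
    case $resolved in
        /*) echo exec ;;      # resolves to a file: a new program is exec'd
        *)  echo internal ;;  # builtin, keyword, function or alias
    esac
}

# audit_gap: read one command line per input line and print
# "<class><TAB><line>", classifying the first word of each line.
audit_gap() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -f                # no globbing while splitting the line
        set -- $line
        set +f
        printf '%s\t%s\n' "$(classify "$1")" "$line"
    done
}

# Constructed sample of commands typed in a root shell.
sample_session() {
    cat <<'EOF'
cd /etc
ls -l /etc/shadow
alias ll='ls -l'
cat /etc/passwd
EOF
}

sample_session | audit_gap
```

Lines marked `internal` are the ones an auditor would have to capture by other means, since no program is executed for them.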


