RE: root shell auditing



TJ,

I'd be interested in this, as well. I have a new junior admin, and if
anything were to break, I'd be able to trace it back.

Thanks,

David Bruce

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Dan Hanman
Sent: Wednesday, July 30, 2008 3:28 AM
To: TJ Easter; Mars Gobetti
Cc: focus-linux
Subject: RE: root shell auditing

Hey TJ,

I think this would be a great and very useful tool. Could you post it
somewhere where we/I can also download it?

Regards

Dan

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of TJ Easter
Sent: 29 July 2008 11:01
To: Mars Gobetti
Cc: focus-linux
Subject: Re: root shell auditing

Mars,
Not sure if it's an exact fit, but I put together a small patch
against bash 3.x a while back for someone that logs all commands to
syslog. It hooks the commands as they're being logged into bash's
history buffer, so a (remote) syslog can capture commands in real
time.

I don't recall what all it logged. I believe UID, $PWD, and
command. Timestamp came from syslog.

Let me know if you're interested, I'll dig around for the .diff
and send it to you.


Regards,
TJ Easter

On Mon, Jul 28, 2008 at 8:34 AM, Mars Gobetti <erresei6@xxxxxxxxx>
wrote:
In an effort to comply with ISO 27001, Webtrust and other security
certifications I need to audit root shell usage on many Linux servers:
every bash command entered in the shell, with timestamps, and possibly
logging to a remote server.
Which is the best (enterprise class) way to do that?

Currently in our environment administrators get root shell access
using sudo -i. Do I need to change this?
I've seen around sudosh (which does the job locally), then Enterprise
Audit Shell, but it seems to me these projects are not active any more.
Will Free IPA be an answer?

Thank you,

Mars Gobetti





--
"Being a humanist means trying to behave decently without expectation
of rewards or punishment after you are dead." -- Kurt Vonnegut, 1922 -
2007
http://keyserver1.pgp.com/vkd/DownloadKey.event?keyid=0x5EB6E92FE2340DEF
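As an added illustration of the mechanism TJ describes (every command, with UID, working directory and the command text, shipped to syslog so a remote collector timestamps it), here is a userland approximation that does not patch bash: it uses bash's DEBUG trap and logger(1). This is example code, not TJ's patch or anything from the thread; the record layout, the tag `bash_audit` and the priority `authpriv.info` are assumptions, and `SUDO_USER` is included because the thread's admins reach root via `sudo -i`.

```bash
#!/usr/bin/env bash
# Example bash command-audit hook (added example, not the patch from the thread).
AUDIT_TAG="bash_audit"          # assumed syslog tag
AUDIT_PRIORITY="authpriv.info"  # assumed facility.level; match your remote syslog

# Build one audit record: uid, invoking sudo user, working directory, command.
# Timestamps are deliberately left to syslog, as in the thread.
audit_format() {
  local uid=$1 sudo_user=$2 dir=$3 cmd=$4
  # Collapse newlines so a multi-line command cannot forge extra log records.
  cmd=$(printf '%s' "$cmd" | tr '\n' ' ')
  printf 'uid=%s sudo_user=%s pwd=%s cmd=%s' "$uid" "$sudo_user" "$dir" "$cmd"
}

# Send one record to the local syslog daemon, which can forward it remotely.
audit_emit() {
  logger -p "$AUDIT_PRIORITY" -t "$AUDIT_TAG" -- "$1"
}

# DEBUG trap body: bash runs this before every simple command in the shell.
# Skip the hook's own commands so the trap never logs itself.
audit_hook() {
  case $BASH_COMMAND in
    audit_*|logger*) return ;;
  esac
  audit_emit "$(audit_format "$(id -u)" "${SUDO_USER:-none}" "$PWD" "$BASH_COMMAND")"
}

# Install the trap only in an interactive bash (e.g. from /etc/bash.bashrc).
audit_install() {
  [ -n "$BASH_VERSION" ] || return 1
  trap 'audit_hook' DEBUG
}
case $- in *i*) audit_install ;; esac
```

Because root can remove the trap or start another shell, this gives an audit trail of normal admin activity but not a tamper-proof one; the patched-bash approach in the thread, or sudo's I/O logging, is harder for the audited user to switch off.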
