Re: root shell auditing

From: Hari Sekhon <hpsekhon@xxxxxxxxxxxxxx>
Date: Thu, 31 Jul 2008 10:24:37 +0100

Diego Lacerda wrote:

Hi, Mars,

I think that you could use Linux Process Accounting to audit
everything that you need in a shell environment.

I've tried this, it lacks some detail if I remember correctly it doesn't log params as it was designed for process accounting, not security auditing, which could mean missing a lot as sometimes it's the parameters that make all the difference between a normal and a dangerous action.

So far for me, snoopy comes closest.

-h

--
Hari Sekhon

Follow-Ups:
- Re: root shell auditing
  - From: Marian Rudzynski
- Re: root shell auditing
  - From: Philip Turner

Next by Date: Re: root shell auditing
Next by thread: Re: root shell auditing
Index(es):
- Date
- Thread

Relevant Pages

Re: root shell auditing
... I think that you could use Linux Process Accounting to audit ... I've tried this, it lacks some detail if I remember correctly it doesn't log params as it was designed for process accounting, not security auditing, which could mean missing a lot as sometimes it's the parameters that make all the difference between a normal and a dangerous action. ... This way all root commands would either be logged or you'd be alerted to someone intentionally circumventing the logging by getting a full root shell. ...
(Focus-Linux)
Re: root shell auditing
... I think that you could use Linux Process Accounting to audit ... I've tried this, it lacks some detail if I remember correctly it doesn't log params as it was designed for process accounting, not security auditing, which could mean missing a lot as sometimes it's the parameters that make all the difference between a normal and a dangerous action. ... The Kernel accounting/audit might actually be the only real thing here though. ... So if anyone knows of any other reasonably secure and practicable way to do these things, ...
(Focus-Linux)