Re: root shell auditing



Diego Lacerda wrote:
> Hi, Mars,
>
> I think that you could use Linux Process Accounting to audit
> everything that you need in a shell environment.
I've tried this; it lacks some detail. If I remember correctly, it doesn't log params, as it was designed for process accounting, not security auditing, which could mean missing a lot, as sometimes it's the parameters that make all the difference between a normal and a dangerous action.

So far for me, snoopy comes closest.

-h

--
Hari Sekhon
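
Added example (not part of the original message): a parser for the kernel's process accounting record, showing that it carries a 16-byte command name and no argument vector, so two root commands that differ only in their parameters are recorded identically. It assumes the acct_v3 layout from <linux/acct.h> on a little-endian host; pack_record, indistinguishable and the sample records are hypothetical and constructed for illustration.

```python
import struct

# struct acct_v3 from <linux/acct.h> (assumed layout, little-endian, 64 bytes):
# flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime (float),
# eight 16-bit comp_t counters, then ac_comm[16]. There is no argv field.
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
FIELDS = ("flag", "version", "tty", "exitcode", "uid", "gid",
          "pid", "ppid", "btime", "etime")

def pack_record(argv, uid, pid, ppid, btime):
    """Constructed stand-in for the record written when argv exits.
    Simplification: comm is basename(argv[0]) cut to 15 bytes."""
    comm = argv[0].rsplit("/", 1)[-1].encode()[:15]
    return ACCT_V3.pack(0, 3, 0, 0, uid, 0, pid, ppid, btime, 0.0,
                        *([0] * 8), comm)

def parse_records(blob):
    """Decode every acct_v3 record in a pacct-style byte string."""
    if len(blob) % ACCT_V3.size:
        raise ValueError("truncated accounting data")
    out = []
    for rec in ACCT_V3.iter_unpack(blob):
        if rec[1] != 3:
            raise ValueError("not an acct_v3 record")
        entry = dict(zip(FIELDS, rec[:10]))
        entry["comm"] = rec[18].split(b"\0", 1)[0].decode(errors="replace")
        out.append(entry)
    return out

def indistinguishable(blob):
    """Group PIDs by what the record exposes to an auditor: (uid, comm)."""
    seen = {}
    for e in parse_records(blob):
        seen.setdefault((e["uid"], e["comm"]), []).append(e["pid"])
    return {k: v for k, v in seen.items() if len(v) > 1}

# Constructed sample: two root commands that differ only in their parameters.
SAMPLE = (
    pack_record(["/bin/chmod", "644", "/tmp/report.txt"], 0, 4101, 4000, 1200000000)
    + pack_record(["/bin/chmod", "777", "/etc/shadow"], 0, 4102, 4000, 1200000060)
)

if __name__ == "__main__":
    for e in parse_records(SAMPLE):
        print(e["btime"], e["uid"], e["pid"], e["comm"])
    print(indistinguishable(SAMPLE))
```
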


