Re: root shell auditing



On 31 Jul 2008 at 10:24, Hari Sekhon wrote:

Diego Lacerda wrote:
Hi, Mars,

I think that you could use Linux Process Accounting to audit
everything that you need in a shell environment.

I've tried this; it lacks some detail. If I remember correctly it doesn't
log params, as it was designed for process accounting, not security
auditing, which could mean missing a lot, as sometimes it's the
parameters that make all the difference between a normal and a dangerous
action.


I'll just play devil's advocate for a moment here, and
suggest that as you log more and more detail you increase the
risk that you'll include sensitive information that shouldn't be
revealed to whoever reviews the security logs. Eventually you've
just replaced the need to trust the admins with the need to
trust the security reviewers.

(I'm not saying you've reached this point yet, just that it's
something to think about each time you up the level of detail.)


So far for me, snoopy comes closest.

-h

--
Hari Sekhon



--
Phil Turner

Computers have no common sense - _we_users_ need to supply that.
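The trade-off raised in this thread (command-line logging that captures parameters, versus the risk that those parameters include passwords or tokens the log reviewers should not see) can be handled with a redaction pass between the logger and the reviewer. The script below is an added example written for this page, not code from snoopy, from the process-accounting tools, or from any poster. The log lines are constructed, and the snoopy-like record layout (`[uid:... sid:... tty:... cwd:... filename:...]: command`) is an assumption about the format, not copied from snoopy's documentation; the redaction patterns are illustrative and would need tuning for a real estate's command set.

```python
import re

# Constructed sample lines in a snoopy-like syslog layout (layout assumed).
SAMPLE_LOG = """\
Jul 31 10:24:01 host snoopy[4211]: [uid:0 sid:4001 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls -la /etc
Jul 31 10:24:07 host snoopy[4212]: [uid:0 sid:4001 tty:/dev/pts/0 cwd:/root filename:/usr/bin/mysql]: mysql -u app -pS3cretPass appdb
Jul 31 10:24:15 host snoopy[4213]: [uid:1001 sid:4002 tty:/dev/pts/1 cwd:/home/dev filename:/usr/bin/curl]: curl -H "Authorization: Bearer eyJabc.def.ghi" https://api.example.invalid/v1
Jul 31 10:24:20 host snoopy[4214]: [uid:1001 sid:4002 tty:/dev/pts/1 cwd:/home/dev filename:/bin/rm]: rm -rf build/
"""

# One record: syslog prefix, the bracketed key:value fields, then the command line.
LINE_RE = re.compile(
    r"^(?P<prefix>.*snoopy\[\d+\]: )\[(?P<fields>[^\]]*)\]: (?P<cmd>.*)$"
)

# Illustrative secret-bearing argument shapes. Each pair keeps the option
# (group 1) so the reviewer still sees *what* was done, and replaces only the
# value. Patterns are assumptions for this example, not an exhaustive list.
REDACTIONS = [
    # mysql-style "-pPASSWORD" glued to the flag; (?<!\S) keeps it from
    # matching inside words such as --prefix or --password.
    (re.compile(r"(?<!\S)(-p)(\S+)"), r"\1<REDACTED>"),
    # "--password=VALUE" or "--password VALUE"
    (re.compile(r"(--password[= ])([^\s\"']+)"), r"\1<REDACTED>"),
    # HTTP bearer tokens passed on the command line
    (re.compile(r"(Authorization: Bearer )([^\s\"']+)"), r"\1<REDACTED>"),
    # Generic KEY=VALUE style secrets (env-like arguments)
    (re.compile(r"((?:token|secret|passwd|password)=)([^\s\"']+)", re.I),
     r"\1<REDACTED>"),
]


def redact_command(cmd):
    """Return (redacted_command, was_redacted) for one command line."""
    redacted = False
    for pattern, replacement in REDACTIONS:
        cmd, n = pattern.subn(replacement, cmd)
        if n:
            redacted = True
    return cmd, redacted


def parse_line(line):
    """Parse one snoopy-like line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # fields look like "uid:0 sid:4001 tty:/dev/pts/0 cwd:/root filename:/bin/ls"
    fields = dict(f.split(":", 1) for f in m.group("fields").split())
    cmd, redacted = redact_command(m.group("cmd"))
    return {
        "uid": fields.get("uid"),
        "sid": fields.get("sid"),
        "tty": fields.get("tty"),
        "cwd": fields.get("cwd"),
        "filename": fields.get("filename"),
        "cmd": cmd,
        "redacted": redacted,
    }


def process_log(text):
    """Parse and redact every recognisable line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in process_log(SAMPLE_LOG):
        flag = " [redacted]" if rec["redacted"] else ""
        print(f'uid={rec["uid"]} cwd={rec["cwd"]} {rec["cmd"]}{flag}')
```

The record keeps uid, session, tty and cwd, which is the context that lets a reviewer tie a command to a person and to the relative paths it touched, while the secret-bearing values are removed before the line reaches the review queue. Redaction by pattern is inherently incomplete, so the `redacted` flag is worth keeping as a separate signal: a high rate of redactions from one user or tool usually means credentials are being passed on the command line where they can also leak through process listings and shell history.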
