Re: root shell auditing

Hari Sekhon wrote:
Diego Lacerda wrote:
Hi, Mars,

I think that you could use Linux Process Accounting to audit
everything that you need in a shell environment.
I've tried this; it lacks some detail. If I remember correctly it doesn't log params, as it was designed for process accounting, not security auditing, which could mean missing a lot, as sometimes it's the parameters that make all the difference between a normal and a dangerous action.

So far for me, snoopy comes closest.

-h

The Kernel accounting/audit might actually be the only real thing here though.

I'm currently in need of a thorough accounting/auditing setup myself and I haven't managed to find anything that does the job as needed (e.g. secure).

Snoopy hasn't been maintained for a long time and segfaults on x86_64; "linuxbsm" (an attempt to create a Linux Basic Security Module) hasn't been maintained since 2001 either; and bash patches just won't suffice.

So if anyone knows of any other reasonably secure and practicable way to do these things, recommend it. My guess is kernel accounting/audit is the way to go, however.
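The kernel audit route the post above points toward, as an added example that is not part of this thread: a Linux audit rule that records execve for effective uid 0, plus a small parser that reconstructs the full command line (arguments included, which process accounting drops) from the resulting SYSCALL/EXECVE records. The rule key, the log path and the two sample records are my assumptions and constructed data, not real output.

```python
"""Reconstruct root command lines, with arguments, from auditd EXECVE records.

Assumed audit rule (load with auditctl or drop into /etc/audit/rules.d/):
    -a always,exit -F arch=b64 -S execve -F euid=0 -k root_cmds
Process accounting only records the program name; the EXECVE record carries
argc/a0..aN, which is what tells `rm -rf '/tmp/my dir'` apart from `rm`.
The auid field (login uid) survives su/sudo, so it names who became root.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample (not real output): one execve event is two records that
# share the same audit(timestamp:serial) id. auditd hex-encodes any argument
# containing spaces or quotes and leaves it unquoted, as a2 is here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/usr/bin/rm" key="root_cmds"
type=EXECVE msg=audit(1700000000.123:42): argc=3 a0="rm" a1="-rf" a2=2F746D702F6D7920646972
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ID_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def decode_value(raw):
    """Quoted values are literal; a bare value on an argument field is hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    except ValueError:
        return raw


def parse_record(line):
    """Split one audit line into its key=value fields and its event serial."""
    fields = dict(FIELD_RE.findall(line))
    m = ID_RE.search(fields.get('msg', ''))
    return (m.group(2) if m else None), fields


def reconstruct_commands(log_text):
    """Join SYSCALL and EXECVE records by serial -> {serial: {auid, euid, tty, exe, argv}}."""
    events = defaultdict(dict)
    for line in filter(str.strip, log_text.splitlines()):
        serial, f = parse_record(line)
        ev = events[serial]
        if f.get('type') == 'SYSCALL':
            ev.update(auid=f.get('auid'), euid=f.get('euid'), tty=f.get('tty'),
                      exe=decode_value(f.get('exe', '')))
        elif f.get('type') == 'EXECVE':
            ev['argv'] = [decode_value(f[k]) for k in (f'a{i}' for i in range(int(f.get('argc', 0)))) if k in f]
    return dict(events)


def format_command(ev):
    """Render one event as 'auid=... euid=... tty=...: <shell-quoted argv>'."""
    return f"auid={ev.get('auid')} euid={ev.get('euid')} tty={ev.get('tty')}: {shlex.join(ev.get('argv', []))}"


if __name__ == "__main__":
    for ev in reconstruct_commands(SAMPLE_LOG).values():
        print(format_command(ev))
```

On a live system the same functions can be fed the lines of /var/log/audit/audit.log (path assumed) or the output of `ausearch -k root_cmds`; ausearch -i would do the hex decoding for you, but parsing the raw records keeps the argument bytes exactly as the kernel saw them.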