Re: root shell auditing
Glynn Clements wrote:
Hari Sekhon wrote:

Perhaps you could force everybody to use sudo for every command that requires root privs and have automated alerting if anyone does a direct root login or a sudo su or a sudo (/usr)?/bin/shell_of_your_choice type thing...

sudo does log properly and if all commands go through it, then you win. This way all root commands would either be logged or you'd be alerted to someone intentionally circumventing the logging by getting a full root shell.

Looking for specific commands won't work. There are just too many
"indirect" ways to execute a command.

Even if you log everything which the user types and review those logs
thoroughly, there are still ways to slip things past the reviewer,
especially if the user is allowed to use interactive programs (vi,
less, etc), or whose behaviour can be influenced by the contents of
files (which may have changed or been removed by the time that you
review the logs).

The only mechanism which won't miss anything is logging at the syscall
level, i.e. auditctl/auditd. Even that won't tell you everything
that's happening (logging read() and write() would overwhelm the
logs), but it should be enough to detect suspicious activity, and it
cannot be bypassed in the way that logging user input or commands can.

True true.

So back to the other solution I mentioned, which is auditing every keystroke, input and output of every session.

But alas this is a proprietary solution.

I want an open source version of this so much...

-h

--
Hari Sekhon
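One way to combine the two ideas in this thread (syscall-level auditing via auditd, and alerting when someone obtains a full root shell) as an added example that is not part of the original posts. It assumes Linux auditd with execve rules keyed "root-exec"; the rules path and the audit records below are constructed samples, not data from this thread.

```shell
#!/bin/sh
# Added example: audit every execve() that runs with root privileges, then scan
# the SYSCALL records for a shell started as root and report who started it.
# The auid field (login uid) is fixed at logon and survives sudo/su, so it names
# the real person even after escalation; sudo logging alone cannot do that once
# a full root shell is running.

# Rules to place in /etc/audit/rules.d/ (assumed path; it varies by distro):
#   -a always,exit -F arch=b64 -S execve -F euid=0 -k root-exec
#   -a always,exit -F arch=b32 -S execve -F euid=0 -k root-exec

# Constructed sample records in auditd SYSCALL format (not real log data).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="ls" exe="/usr/bin/ls" key="root-exec"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=902 pid=903 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=5 comm="bash" exe="/usr/bin/bash" key="root-exec"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=700 pid=701 auid=0 uid=0 gid=0 euid=0 tty=tty1 ses=6 comm="bash" exe="/bin/bash" key="root-exec"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=904 pid=905 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=7 comm="bash" exe="/usr/bin/bash" key="user-exec"'

# Reads audit records on stdin; prints one line per root shell found:
# "<event id> <auid> <exe> <classification>".
flag_root_shells() {
    awk '
    $1 == "type=SYSCALL" {
        euid = ""; auid = ""; exe = ""; id = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "msg" && match($i, /:[0-9]+\)/))
                id = substr($i, RSTART + 1, RLENGTH - 2)   # serial after the colon
            else if (kv[1] == "auid") auid = kv[2]
            else if (kv[1] == "euid") euid = kv[2]
            else if (kv[1] == "exe") { exe = kv[2]; gsub(/"/, "", exe) }
        }
        base = exe; sub(/.*\//, "", base)
        # Only shells running with root privileges are of interest here.
        if (euid != "0" || base !~ /^(sh|bash|dash|zsh|ksh)$/) next
        if (auid == "0") class = "direct-root-login"
        else if (auid == "4294967295") class = "no-login-uid"   # unset auid (boot/daemon)
        else class = "escalated"
        print id, auid, exe, class
    }'
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | flag_root_shells
```

Event 202 is the case the thread worries about: uid 1000 escalated to a root shell, which sudo would have logged only as the single command that spawned it. Feeding the live log is `ausearch -k root-exec --raw | flag_root_shells`.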
