Re: root shell auditing

Hari Sekhon wrote:

> Perhaps you could force everybody to use sudo for every command that
> requires root privs and have automated alerting if anyone does a direct
> root login or a sudo su or a sudo (/usr)?/bin/shell_of_your_choice type
> thing...
>
> sudo does log properly and if all commands go through it, then you win.
> This way all root commands would either be logged or you'd be alerted to
> someone intentionally circumventing the logging by getting a full root
> shell.

Looking for specific commands won't work. There are just too many
"indirect" ways to execute a command.

Even if you log everything which the user types and review those logs
thoroughly, there are still ways to slip things past the reviewer,
especially if the user is allowed to use interactive programs (vi,
less, etc), or whose behaviour can be influenced by the contents of
files (which may have changed or been removed by the time that you
review the logs).

The only mechanism which won't miss anything is logging at the syscall
level, i.e. auditctl/auditd. Even that won't tell you everything
that's happening (logging read() and write() would overwhelm the
logs), but it should be enough to detect suspicious activity, and it
cannot be bypassed in the way that logging user input or commands can.

--
Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>
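As an added example (not part of the thread above, and not anyone's production config), here is what the syscall-level approach looks like in practice: two auditd rules that record every execve() performed with effective uid 0, plus a small awk filter that reads records of that shape and flags the three things Hari wanted alerts on (a full root shell from a user session, su, and a direct root login). The rule key "root-exec", the rules.d path, and the sample log excerpt are my own choices and constructed data, not from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread.  The "root-exec" key, the file
# location and the sample records below are assumptions/constructed data.

# auditd rules for the syscall-level approach: log every execve() that runs
# with effective uid 0, however the privilege was obtained (direct login, su,
# sudo, setuid binary).  Put them in a file under /etc/audit/rules.d/ and
# load with augenrules --load (auditctl -R also works).
audit_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F euid=0 -k root-exec
-a always,exit -F arch=b32 -S execve -F euid=0 -k root-exec
EOF
}

# Constructed audit.log excerpt (not captured from a real system):
#   201 a command run through sudo (fine; sudo has logged it as well)
#   202 a full root shell spawned from a user's session
#   203 a shell started by a daemon with no login uid (boot/cron noise)
#   204 a direct root login over ssh
#   205 su invoked from a user's session
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="systemctl" exe="/usr/bin/systemctl" key="root-exec"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=902 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="root-exec"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=903 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="root-exec"
type=USER_LOGIN msg=audit(1700000000.104:204): pid=904 uid=0 auid=0 ses=5 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1700000000.105:205): arch=c000003e syscall=59 success=yes exit=0 ppid=905 pid=906 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=6 comm="su" exe="/usr/bin/su" key="root-exec"
EOF
}

# Read audit records on stdin, print one ALERT line per suspicious event.
# auid is the login uid; the kernel keeps it fixed across su/sudo, which is
# what makes this trail hard to bypass from userland.
root_shell_alerts() {
    awk '
    # Split one record into key=value fields (array f) and keep the audit id.
    function parse(line,   n, i, parts, kv) {
        split("", f)
        if (match(line, /audit\([0-9.]+:[0-9]+\)/))
            f["id"] = substr(line, RSTART, RLENGTH)
        n = split(line, parts, " ")
        for (i = 1; i <= n; i++) {
            if (index(parts[i], "=") > 0) {
                split(parts[i], kv, "=")
                gsub(/"/, "", kv[2])
                f[kv[1]] = kv[2]
            }
        }
    }
    function basename(p) { sub(/.*\//, "", p); return p }

    /^type=SYSCALL / && /key="root-exec"/ {
        parse($0)
        # auid 0 is root logging in directly (caught by USER_LOGIN below);
        # 4294967295 is "unset", i.e. daemons and boot-time processes.
        if (f["auid"] == "0" || f["auid"] == "4294967295") next
        b = basename(f["exe"])
        if (b ~ /^(sh|bash|dash|zsh|ksh)$/)
            printf "ALERT root shell: auid=%s exe=%s tty=%s %s\n",
                   f["auid"], f["exe"], f["tty"], f["id"]
        else if (f["comm"] == "su")
            printf "ALERT su invoked: auid=%s tty=%s %s\n",
                   f["auid"], f["tty"], f["id"]
        next
    }
    /^type=USER_LOGIN / && /res=success/ {
        parse($0)
        if (f["auid"] == "0")
            printf "ALERT direct root login: exe=%s addr=%s %s\n",
                   f["exe"], f["addr"], f["id"]
    }'
}

# Demo run on the constructed excerpt; with a real auditd you would feed it
# ausearch -k root-exec --raw (or the log file) instead of sample_log.
sample_log | root_shell_alerts
```

Three of the five records trip an alert (the root shell, the su, the direct login); the sudo'd systemctl is recorded but not flagged, since that is the path you want people to take. The point is that the filter runs on what was executed, not on what was typed, so vi :shell, a sourced file, or a cleverly aliased command all still show up as an execve() by euid 0.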
