Re: root shell auditing
Hari Sekhon wrote:

> Perhaps you could force everybody to use sudo for every command that
> requires root privs and have automated alerting if anyone does a direct
> root login or a sudo su or a sudo (/usr)?/bin/shell_of_your_choice type
> thing...
>
> sudo does log properly and if all commands go through it, then you win.
> This way all root commands would either be logged or you'd be alerted to
> someone intentionally circumventing the logging by getting a full root
> shell.

Looking for specific commands won't work. There are just too many
"indirect" ways to execute a command.

Even if you log everything which the user types and review those logs
thoroughly, there are still ways to slip things past the reviewer,
especially if the user is allowed to use interactive programs (vi,
less, etc), or whose behaviour can be influenced by the contents of
files (which may have changed or been removed by the time that you
review the logs).

The only mechanism which won't miss anything is logging at the syscall
level, i.e. auditctl/auditd. Even that won't tell you everything
that's happening (logging read() and write() would overwhelm the
logs), but it should be enough to detect suspicious activity, and it
cannot be bypassed in the way that logging user input or commands can.

--
Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>
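As an added illustration of the alerting Hari describes (not code from either poster), the following scans constructed sudo and sshd syslog lines for the blatant cases: a sudo invocation whose command is su or a shell, and a direct root SSH login. It catches only those obvious routes; as Glynn notes, indirect ways of obtaining a shell need syscall-level auditing, not command matching.

```python
import re

# Constructed sample log lines in the syslog shapes that sudo and sshd emit.
SAMPLE_LOG = """\
Jan 12 10:15:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Jan 12 10:16:22 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/bash
Jan 12 10:17:05 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/sbin/service httpd restart
Jan 12 10:18:40 host1 sshd[2201]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2
Jan 12 10:19:12 host1 sshd[2210]: Accepted password for dave from 10.0.0.7 port 51300 ssh2
"""

# sudo's default log line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# sshd's successful-authentication line
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}


def gives_root_shell(cmd):
    """True when the sudo'd command hands the user a full shell (su or a shell binary)
    instead of a single, individually logged command."""
    argv = cmd.split()
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]   # basename: /usr/bin/bash -> bash
    return prog == "su" or prog in SHELLS


def find_alerts(log_text):
    """Return (kind, user, detail) tuples for lines that warrant an alert."""
    alerts = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            if m.group("target") == "root" and gives_root_shell(m.group("cmd")):
                alerts.append(("sudo-root-shell", m.group("user"), m.group("cmd")))
            continue
        m = SSH_RE.search(line)
        if m and m.group("user") == "root":
            alerts.append(("direct-root-login", "root", m.group("src")))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in find_alerts(SAMPLE_LOG):
        print(f"ALERT {kind}: user={user} {detail}")
```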