Re: root shell auditing



Philip Turner wrote:
> On 31 Jul 2008 at 10:24, Hari Sekhon wrote:
> > Diego Lacerda wrote:
> > > Hi, Mars,
> > >
> > > I think that you could use Linux Process Accounting to audit
> > > everything that you need in a shell environment.
> > I've tried this; it lacks some detail. If I remember correctly it doesn't log params, as it was designed for process accounting, not security auditing, which could mean missing a lot, as sometimes it's the parameters that make all the difference between a normal and a dangerous action.
>
> I'll just play devil's advocate for a moment here, and suggest that as you log more and more detail you increase the risk that you'll include sensitive information that shouldn't be revealed to whoever reviews the security logs. Eventually you've just replaced the need to trust the admins with the need to trust the security reviewers.
>
> (I'm not saying you've reached this point yet, just that it's something to think about each time you up the level of detail.)
Anyone would think I'm an evil security guy or something... ;-)

Seriously though, you're making an assumption that it's just admins. Developers use the command line too and often aren't anywhere near as smart or industry-educated as they think they are, which is why sometimes it's very handy if you can check on what they've done.

A good example was a guy we had who was supposed to be a very good developer but got a command wrong and stopped a website from working. I had his command in the logs and proved it was his fault. So much for being so smart... you'd think someone who was so good would know how to use a simple command and not append "." and ".." as args, which went outside the directory he intended to. If you make a mistake once, OK, it's a typo, but he did the same thing the next day too, so I had to tell him to be more careful, which I could since I had proof it was his fault (I had his cwd as well in this case to match against the relative . and ..).

Moral of the story: logging and auditing are very important and make me feel much better.

-h

--
Hari Sekhon
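The two points made in this thread, that process accounting misses the arguments and that you need the cwd to make sense of relative arguments like "." and "..", are exactly what the Linux audit subsystem's execve records give you. The following is an added example, not code from the original post or from any of its authors. It assumes auditd is recording execve calls (for instance with a rule along the lines of `auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k rootshell`), so that each command produces SYSCALL, EXECVE and CWD records sharing one audit serial. The log lines, user IDs, paths and the `DESTRUCTIVE` command list are all constructed for the example; the parser also ignores the a2[0]/a2[1] split form auditd uses for very long arguments.

```python
"""Reconstruct "who ran what, and from which directory" from Linux auditd
execve records, and flag the "rm -rf . .." class of mistake.

Added example; not code from the original thread. Assumes an auditd rule
that records execve (e.g. -a always,exit -F arch=b64 -S execve -F euid=0
-k rootshell). All sample data below is constructed.
"""
import posixpath
import re
from collections import defaultdict

# Constructed sample records (not real logs). Serial 4711: a developer in a
# root shell (auid=1000, uid=0) running rm with "." and ".." as arguments.
# 4712 shows the unquoted hex encoding auditd uses for an argument that
# contains a space. 4713 is a harmless ls one directory up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1217493840.101:4711): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2314 auid=1000 uid=0 euid=0 comm="rm" exe="/bin/rm" key="rootshell"
type=EXECVE msg=audit(1217493840.101:4711): argc=4 a0="rm" a1="-rf" a2="." a3=".."
type=CWD msg=audit(1217493840.101:4711): cwd="/var/www/site/tmp"
type=SYSCALL msg=audit(1217493901.555:4712): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2390 auid=1001 uid=0 euid=0 comm="cp" exe="/bin/cp" key="rootshell"
type=EXECVE msg=audit(1217493901.555:4712): argc=4 a0="cp" a1="-r" a2=74776F20776F726473 a3="/srv/backup/"
type=CWD msg=audit(1217493901.555:4712): cwd="/home/dev"
type=SYSCALL msg=audit(1217493950.007:4713): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2401 auid=1000 uid=0 euid=0 comm="ls" exe="/bin/ls" key="rootshell"
type=EXECVE msg=audit(1217493950.007:4713): argc=3 a0="ls" a1="-la" a2="../"
type=CWD msg=audit(1217493950.007:4713): cwd="/var/www/site/htdocs"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, quotes kept

# Commands where an argument pointing at or above the working directory
# usually means far more damage than intended (assumed list for the example).
DESTRUCTIVE = {"rm", "mv", "chmod", "chown", "rsync"}


def decode_string(raw):
    """auditd prints string fields quoted, except values that contain
    whitespace, quotes or control characters, which it hex-encodes and
    prints unquoted. Numeric fields (pid, auid, ...) must not go through
    this, since e.g. auid=1000 would otherwise look like hex."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_audit_log(text):
    """Group records by audit serial; return one dict per execve event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        ev = events[int(serial)]
        ev["serial"] = int(serial)
        if rtype == "SYSCALL":
            ev.update(auid=fields.get("auid"), uid=fields.get("uid"),
                      exe=decode_string(fields.get("exe", "")))
        elif rtype == "EXECVE":
            ev["argv"] = [decode_string(fields[f"a{i}"])
                          for i in range(int(fields["argc"]))]
        elif rtype == "CWD":
            ev["cwd"] = decode_string(fields["cwd"])
    return [events[s] for s in sorted(events) if "argv" in events[s]]


def resolve_arg(cwd, arg):
    """Absolute path an argument refers to, given the recorded cwd."""
    return posixpath.normpath(posixpath.join(cwd, arg))


def escapes_cwd(cwd, arg):
    """True when a path-like argument resolves to the cwd itself or to an
    ancestor of it: the "." / ".." case from the thread."""
    if not arg.startswith((".", "/")):
        return False
    target = resolve_arg(cwd, arg)
    return target == cwd or cwd.startswith(target.rstrip("/") + "/")


def suspicious(ev):
    """Destructive command, run as root, with an argument escaping the cwd."""
    cmd = posixpath.basename(ev.get("exe") or ev["argv"][0])
    return (ev.get("uid") == "0" and cmd in DESTRUCTIVE
            and any(escapes_cwd(ev["cwd"], a) for a in ev["argv"][1:]))


def report(text):
    """Return (serial, auid, cwd, command line, flagged) for each event."""
    return [(ev["serial"], ev["auid"], ev["cwd"], " ".join(ev["argv"]),
             suspicious(ev)) for ev in parse_audit_log(text)]


if __name__ == "__main__":
    for serial, auid, cwd, cmdline, flagged in report(SAMPLE_LOG):
        print(f"{serial} auid={auid} cwd={cwd}: {cmdline}"
              + ("   <-- REVIEW" if flagged else ""))
```

The `auid` field is the login UID, which survives `su`/`sudo`, so the report names the person and not just "root"; the `cwd` record is what turns "rm -rf . .." into "/var/www/site/tmp and everything under /var/www/site". Philip's caveat still applies: EXECVE records capture every argument, passwords passed on the command line included, so restrict who can read the audit log.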


