How to log all commands?
From: Nekromancer (foo_at_bar.org)
Date: 05/30/05
- Previous message: nick4soup_at_yahoo.com.au: "Re: Advice needed on SELinux policy take 2"
- Next in thread: Davide Bianchi: "Re: How to log all commands?"
- Reply:(deleted message) Davide Bianchi: "Re: How to log all commands?"
- Reply: Dragan Cvetkovic: "Re: How to log all commands?"
- Reply: faeychild: "Re: How to log all commands?"
- Reply: Nils Juergens: "Re: How to log all commands?"
- Reply: Menno Duursma: "Re: How to log all commands?"
- Reply: Jani Mikkonen: "Re: How to log all commands?"
Date: 30 May 2005 11:03:22 GMT
Hi all,
I tried googling this one, and found software for Novell and a program
called IOC for UNIX, but no 100% appropriate solution for Linux. I'll
continue my search, but in the meantime I want to ask here.
How can I log all commands (including parameters) typed at any of the
virtual terminals in a Linux server? The log must include time/date/user
as well.
I know that someone will say "use a keylogger", but my intention is just
to keep an audit trail of commands executed by users and root, not to
capture the login password or anything like that. I need to be able to
demonstrate:
a) if there's a problem due to the execution of something that shouldn't
have been done, that the user/date/time of that has been recorded (and
apply corrective measures)
b) if someone claims that some problem was due to the execution of a
program that shouldn't have taken place, but it's a false claim, then I
can demonstrate that's false using the audit trail
Typical example: someone portscans a remote box using nmap (there are
reasons why nmap must be in the box), and this portscan was not
authorized. Then I have to raise an issue, and the user will be informed of
the "mistake" (you guess the rest if the issue happens again).
Opposite example: someone claims problems due to "hacking activity" from
this box, but the audit trail shows that this is not the case, so I can
show it to the people who raised the false claim.
I *KNOW* that just having the audit trail is not enough; it can be
tampered with on a non-hardened box. The idea is to have LIDS or similar,
restrict heavily what every user can do (including root), and log to a
secure remote server.
Any suggestions?
TIA.
Mike
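As an added illustration of the kind of trail the question asks for (this is example code written for this page, not something from the poster or from any of the tools named above), the script below builds one timestamped record per command with user, tty, working directory and the full command text, appends it to a local file, hands it to syslog via `logger` so the facility can be forwarded to a remote host, and includes the query needed for case (b): listing who ran a command matching a pattern and when. The `audit_install` hook uses bash's DEBUG trap, which fires before each simple command with the command text (parameters included) in `BASH_COMMAND`. The syslog facility `local6`, the tag `cmdaudit`, the log path and the constructed sample commands are all assumptions. A hook that lives in the user's own shell session is not tamper-resistant on its own (a user can start another shell or run scripts around it), which is exactly why the hardening and remote logging mentioned in the question matter; kernel-level execve auditing (the Linux audit subsystem) is the complementary approach for a trail that does not depend on the shell.

```shell
#!/bin/bash
# Added example, not code from the original post or any named project.
# Fields recorded per command: UTC timestamp, user, tty, cwd, command text.
# Facility, tag and log path are assumptions for this demo.

AUDIT_TAG="cmdaudit"                            # syslog tag (assumption)
AUDIT_FACILITY="local6"                         # forward this facility remotely (assumption)
AUDIT_FILE="${AUDIT_FILE:-/tmp/cmdaudit.log}"   # local copy of the trail (assumption)

# audit_format USER TTY PWD CMD -> one tab-separated, timestamped record.
# Newlines inside CMD are flattened so one command always occupies one line,
# which keeps the file greppable and keeps syslog from splitting a record.
audit_format() {
    _user=$1; _tty=$2; _cwd=$3; _cmd=$4
    _ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    _cmd=$(printf '%s' "$_cmd" | tr '\n' ' ')
    printf '%s\tuser=%s\ttty=%s\tpwd=%s\tcmd=%s\n' "$_ts" "$_user" "$_tty" "$_cwd" "$_cmd"
}

# audit_record USER TTY PWD CMD: append the record locally and send it to
# syslog. logger failures (no syslog socket in a sandbox) never abort the
# user's command, so the hook stays harmless even when logging is broken.
audit_record() {
    _line=$(audit_format "$@")
    printf '%s\n' "$_line" >> "$AUDIT_FILE"
    if command -v logger >/dev/null 2>&1; then
        logger -t "$AUDIT_TAG" -p "$AUDIT_FACILITY.notice" -- "$_line" || true
    fi
    return 0
}

# audit_install: call once per interactive bash session (for example from the
# system-wide bashrc). User and tty are captured at install time; PWD and
# BASH_COMMAND are read at each trap invocation. Bash does not re-enter the
# DEBUG trap while the trap body itself is running, so the command
# substitutions inside it are not logged recursively.
audit_install() {
    [ -n "$BASH_VERSION" ] || { echo "audit_install: requires bash" >&2; return 1; }
    AUDIT_USER=$(id -un)
    AUDIT_TTY=$(tty 2>/dev/null || echo notty)
    trap 'audit_record "$AUDIT_USER" "$AUDIT_TTY" "$PWD" "$BASH_COMMAND"' DEBUG
}

# audit_who_ran PATTERN [FILE]: print timestamp, user and command for every
# record whose command text matches PATTERN (an awk extended regex). This is
# the lookup needed to confirm or refute a claim about what was executed.
audit_who_ran() {
    _pat=$1; _file=${2:-$AUDIT_FILE}
    awk -F'\t' -v pat="$_pat" '
        { cmd = substr($5, 5) }                    # drop the "cmd=" prefix
        cmd ~ pat { sub(/^user=/, "", $2); print $1, $2, cmd }
    ' "$_file"
}
```

Usage in a real session is `audit_install` from a login script; afterwards `audit_who_ran '^nmap'` answers "who ran nmap, and when" from the local copy, while the forwarded syslog copy is the one to trust when the local box is in question. The `tty` value distinguishes the virtual consoles the question mentions from pseudo-terminals, and logging happens after `su`, so a record made by root still shows as root; the preceding `su` command itself is recorded under the original user.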