From: Stephen Samuel <samuel@bcgreen.com>
To: Glynn Clements <glynn@gclements.plus.com>
Cc: Casper Helenius <casper.helenius@dk.tntfreight.com>,
	linux-admin@vger.kernel.org
Subject: Re: Logging root activity with syslog-ng
Date: Mon, 02 Jan 2006 11:53:02 -0800	[thread overview]
Message-ID: <43B9849E.2010501@bcgreen.com> (raw)
In-Reply-To: <17337.23856.173842.802757@cerise.gclements.plus.com>

You might have some luck using the BSD accounting system
(man acct for a start on the process). This logs each command
run along with the CPU time used.

Although it doesn't log command parameters, you might be able to
hack it to do so. If so, then please pass on the patches (probably
to the linux-kernel group).

You might also be able to use the SELinux logging capabilities to
achieve what you want. Once SELinux is enabled, you should be
able to use it to prevent disabling of logging.

Glynn Clements wrote:

> Casper Helenius wrote:
>
>> I need to log every root activity on my Gentoo server, running syslog-ng.
>>
>> I need to log logins (and, if possible, logouts) both by root or by
>> users SUDO'ing. I need to log which commands are executed as well as
>> their parameters.
>
> The only way to achieve the last part is to log the raw connection
> with e.g. ttysnoop. Even then, there are ways to get around it (e.g.
> upload a program and run that; unless you log all of the ways a
> program can be uploaded, you won't know what they're actually
> running).
>
> Process accounting (CONFIG_BSD_PROCESS_ACCT) will log which programs
> are run, but not their arguments or inputs.
>
> Finally, anyone with unrestricted root privilege can disable or
> otherwise interfere with logging. And if you're keeping the log files
> locally (rather than using a separate logging server or a printer),
> they can edit them.


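Both replies above point at BSD process accounting as the practical middle ground: it records which programs ran (and with which uid and the superuser flag), but not their arguments, and root can switch it off. The following is an added example, not code from either poster: it parses the text that lastcomm(1) from GNU acct prints for such records, summarises privileged commands per user (which is how sudo'd sessions show up, since the escalated commands run as root with the superuser flag) and flags invocations of accton, the tool that turns accounting off. The sample lines are constructed to match lastcomm's column layout; the helper names are my own.

```python
import re
from collections import Counter, defaultdict

# One line of lastcomm(1) output from GNU acct: command name, flag letters,
# user, tty, CPU seconds, start time. Flags: S = used superuser privileges,
# F = forked but never exec'd, D = dumped core, X = killed by a signal.
# The flags column is blank when no flag applies, so the group may be empty.
LASTCOMM_LINE = re.compile(
    r"^(?P<comm>\S+)\s+(?P<flags>[SFDX]*)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+) secs\s+(?P<started>.+)$"
)

# Command names that disable or rotate the accounting file itself.
# Assumption for this example: only accton is considered a tamper signal.
TAMPER_COMMANDS = {"accton"}

# Constructed sample in lastcomm's layout (not real output from any host).
SAMPLE = """\
ls                     casper   pts/1      0.00 secs Mon Jan  2 11:50
sudo             S     casper   pts/1      0.01 secs Mon Jan  2 11:51
bash             S     root     pts/1      0.02 secs Mon Jan  2 11:51
vi               S     root     pts/1      0.45 secs Mon Jan  2 11:52
accton           S     root     pts/1      0.00 secs Mon Jan  2 11:53
cc               F     build    ??         1.20 secs Mon Jan  2 11:53
"""


def parse_lastcomm(text):
    """Parse lastcomm text into a list of dicts, one per accounting record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LASTCOMM_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsed lastcomm line: {line!r}")
        rec = m.groupdict()
        rec["secs"] = float(rec["secs"])
        records.append(rec)
    return records


def superuser_commands(records):
    """Records whose process ran with superuser privileges (S flag)."""
    return [r for r in records if "S" in r["flags"]]


def root_activity_report(records):
    """Per-user count of privileged commands and the command names each
    user ran privileged. Note the limitation the thread describes: the
    record holds only the (truncated) command name, never its arguments."""
    counts = Counter()
    by_user = defaultdict(list)
    for r in superuser_commands(records):
        counts[r["user"]] += 1
        by_user[r["user"]].append(r["comm"])
    return counts, dict(by_user)


def tamper_candidates(records):
    """Privileged runs of tools that can switch accounting off. Accounting
    stops after accton runs, so an accton record followed by silence is the
    pattern to alert on from a separate log host."""
    return [r for r in superuser_commands(records) if r["comm"] in TAMPER_COMMANDS]


if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE)
    counts, by_user = root_activity_report(recs)
    for user, n in counts.most_common():
        print(f"{user:10} {n:3} privileged commands: {', '.join(by_user[user])}")
    for r in tamper_candidates(recs):
        print(f"accounting control command by {r['user']} at {r['started']}: {r['comm']}")
```

Because the S flag is set on the escalated processes rather than on the login shell, a sudo'd session appears as one privileged sudo record under the invoking user followed by privileged records under root; correlating the two by tty and time is what links them. Ship the accounting file (or this summary) to a separate log host, as Glynn suggests, so that a later accton cannot also erase the evidence of itself.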
Thread overview: 3+ messages
2006-01-02 12:36 Logging root activity with syslog-ng Casper Helenius
2006-01-02 17:04 ` Glynn Clements
2006-01-02 19:53   ` Stephen Samuel [this message]
