linux-admin.vger.kernel.org archive mirror
* Logging root activity with syslog-ng
@ 2006-01-02 12:36 Casper Helenius
  2006-01-02 17:04 ` Glynn Clements
  0 siblings, 1 reply; 3+ messages in thread
From: Casper Helenius @ 2006-01-02 12:36 UTC (permalink / raw)
  To: linux-admin

Hi group,

I need to log every root activity on my Gentoo server, running syslog-ng.

I need to log logins (and, if possible, logouts) both by root or by 
users SUDO'ing. I need to log which commands are executed as well as 
their parameters.

Is this at all possible with syslog-ng? And if so, what exactly do I 
need to set up in syslog-ng.conf?

Best regards,

Casper Helenius,
Denmark



* Re: Logging root activity with syslog-ng
  2006-01-02 12:36 Logging root activity with syslog-ng Casper Helenius
@ 2006-01-02 17:04 ` Glynn Clements
  2006-01-02 19:53   ` Stephen Samuel
  0 siblings, 1 reply; 3+ messages in thread
From: Glynn Clements @ 2006-01-02 17:04 UTC (permalink / raw)
  To: Casper Helenius; +Cc: linux-admin


Casper Helenius wrote:

> I need to log every root activity on my Gentoo server, running syslog-ng.
> 
> I need to log logins (and, if possible, logouts) both by root or by 
> users SUDO'ing. I need to log which commands are executed as well as 
> their parameters.

The only way to achieve the last part is to log the raw connection
with e.g. ttysnoop. Even then, there are ways to get around it (e.g. 
upload a program and run that; unless you log all of the ways a
program can be uploaded, you won't know what they're actually
running).

Process accounting (CONFIG_BSD_PROCESS_ACCT) will log which programs
are run, but not their arguments or inputs.

Finally, anyone with unrestricted root privilege can disable or
otherwise interfere with logging. And if you're keeping the log files
locally (rather than using a separate logging server or a printer),
they can edit them.

-- 
Glynn Clements <glynn@gclements.plus.com>
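As an added example (not from the thread or from the syslog-ng project), a syslog-ng.conf fragment in the 1.6/2.x syntax that keeps the auth/authpriv facility (where login, PAM session and sudo messages go) in a local file and also ships a copy to a separate log host, as suggested above; the log-host address 192.0.2.10 and the file path are assumed placeholders.

```conf
# Added example, not from the thread. syslog-ng 1.6/2.x syntax (assumed);
# the log-host address 192.0.2.10 and the file path are placeholders.
options { chain_hostnames(no); keep_hostname(yes); use_dns(no); };

# Local log socket plus syslog-ng's own messages (so a stop/restart
# of the logger itself also leaves a trace)
source s_local { unix-stream("/dev/log"); internal(); };

# login, PAM session open/close and sudo all log to auth/authpriv
filter f_auth { facility(auth, authpriv); };

# Keep a local copy and ship a second copy off-box, so a local root
# cannot quietly edit the only record; TCP rather than UDP so that a
# broken connection is noticed instead of silently dropped
destination d_authlog { file("/var/log/auth.log" perm(0600)); };
destination d_loghost { tcp("192.0.2.10" port(514)); };

log { source(s_local); filter(f_auth);
      destination(d_authlog); destination(d_loghost); };
```

The receiving host needs a matching tcp() source on port 514. sudo's own log lines already contain the command line it executed, so they cover the "commands and parameters" part for sudo invocations, but not for an interactive root shell.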


* Re: Logging root activity with syslog-ng
  2006-01-02 17:04 ` Glynn Clements
@ 2006-01-02 19:53   ` Stephen Samuel
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Samuel @ 2006-01-02 19:53 UTC (permalink / raw)
  To: Glynn Clements; +Cc: Casper Helenius, linux-admin

You might have some luck using the BSD accounting system
(man acct for a start on the process). This logs each command
run along with the CPU time used.

Although it doesn't log command parameters, you might be able to
hack it to do so -- if so, then please pass on the patches (probably
to the linux-kernel group).

You might also be able to use the SELinux logging capabilities to
achieve what you want. Once SELinux is enabled, you should be
able to use it to prevent disabling of logging.

Glynn Clements wrote:

> Casper Helenius wrote:
>
>> I need to log every root activity on my Gentoo server, running syslog-ng.
>>
>> I need to log logins (and, if possible, logouts) both by root or by 
>> users SUDO'ing. I need to log which commands are executed as well as 
>> their parameters.
>
> The only way to achieve the last part is to log the raw connection
> with e.g. ttysnoop. Even then, there are ways to get around it (e.g. 
> upload a program and run that; unless you log all of the ways a
> program can be uploaded, you won't know what they're actually
> running).
>
> Process accounting (CONFIG_BSD_PROCESS_ACCT) will log which programs
> are run, but not their arguments or inputs.
>
> Finally, anyone with unrestricted root privilege can disable or
> otherwise interfere with logging. And if you're keeping the log files
> locally (rather than using a separate logging server or a printer),
> they can edit them.

