From: Stephen Samuel
Subject: Re: Logging root activity with syslog-ng
Date: Mon, 02 Jan 2006 11:53:02 -0800
Message-ID: <43B9849E.2010501@bcgreen.com>
In-Reply-To: <17337.23856.173842.802757@cerise.gclements.plus.com>
To: Glynn Clements
Cc: Casper Helenius, linux-admin@vger.kernel.org

You might have some luck using the BSD accounting system (man acct for a start on the process). This logs each command run along with the CPU time used. Although it doesn't log command parameters, you might be able to hack it to do so -- if so, then please pass on the patches (probably to the linux-kernel group).

You might also be able to use the SELinux logging capabilities to achieve what you want. Once SELinux is enabled, you should be able to use it to prevent disabling of logging.

Glynn Clements wrote:
>Casper Helenius wrote:
>
>>I need to log every root activity on my Gentoo server, running syslog-ng.
>>
>>I need to log logins (and, if possible, logouts) both by root or by
>>users SUDO'ing. I need to log which commands are executed as well as
>>their parameters.
>
>The only way to achieve the last part is to log the raw connection
>with e.g. ttysnoop. Even then, there are ways to get around it (e.g.
>upload a program and run that; unless you log all of the ways a
>program can be uploaded, you won't know what they're actually
>running).
>
>Process accounting (CONFIG_BSD_PROCESS_ACCT) will log which programs
>are run, but not their arguments or inputs.
>
>Finally, anyone with unrestricted root privilege can disable or
>otherwise interfere with logging. And if you're keeping the log files
>locally (rather than using a separate logging server or a printer),
>they can edit them.
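Both replies point at BSD process accounting as the thing that records which programs ran, and both note that it does not capture arguments. The following Python is an added example, not code from this thread or from any of its participants, that shows exactly what a process-accounting record does and does not hold. It assumes the 64-byte struct acct_v3 layout from <linux/acct.h> (ACCT_VERSION 3, comp_t counters with a 13-bit mantissa and 3-bit base-8 exponent, ASU flag = 0x02 for "used super-user privileges") and works on constructed records rather than a real /var/log/account/pacct file, so it runs offline; the uids, pids and command names in the sample are made up.

```python
"""Decode Linux BSD process-accounting (struct acct_v3) records.

Added example for the linux-admin thread above; not part of the original mail.
Assumes the acct_v3 layout from <linux/acct.h>; sample records are constructed.
"""
import struct

# struct acct_v3, little-endian, no padding: 64 bytes.
# ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid, ac_ppid,
# ac_btime, ac_etime (float), eight comp_t counters (utime, stime, mem, io,
# rw, minflt, majflt, swaps) and ac_comm[16] (command basename, no arguments).
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
ACCT_VERSION = 3
AFORK = 0x01  # process forked but never exec'd
ASU = 0x02    # process used super-user privileges


def decode_comp(c: int) -> int:
    """comp_t -> integer: 13-bit mantissa scaled by 8**exponent (3 bits)."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def encode_comp(value: int) -> int:
    """Integer -> comp_t. Lossy for values above 8191, exactly as the kernel's is."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    if exp > 7:
        raise ValueError("value does not fit in comp_t")
    return (exp << 13) | value


def parse_records(data: bytes) -> list:
    """Split a pacct byte stream into dicts, one per 64-byte record."""
    records = []
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        (flag, version, _tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, _mem, _io, _rw, _minflt, _majflt, _swaps,
         comm) = ACCT_V3.unpack_from(data, off)
        if version != ACCT_VERSION:
            raise ValueError(f"unsupported acct record version {version}")
        records.append({
            # ac_comm is the basename only, NUL-padded and cut at 16 bytes;
            # arguments and stdin are simply not in the record.
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
            "btime": btime, "etime": etime, "exitcode": exitcode,
            "utime_ticks": decode_comp(utime),
            "stime_ticks": decode_comp(stime),
            "used_root": bool(flag & ASU),
            "fork_only": bool(flag & AFORK),
        })
    return records


def root_commands(records: list) -> list:
    """Records whose process exercised super-user privilege (ASU set)."""
    return [r for r in records if r["used_root"]]


def make_record(comm: str, uid: int, flag: int, utime: int = 0,
                stime: int = 0, pid: int = 0, ppid: int = 0,
                exitcode: int = 0, btime: int = 1136231582) -> bytes:
    """Build one constructed acct_v3 record (struct pads/truncates ac_comm)."""
    return ACCT_V3.pack(flag, ACCT_VERSION, 0, exitcode, uid, uid, pid, ppid,
                        btime, 0.0, encode_comp(utime), encode_comp(stime),
                        0, 0, 0, 0, 0, 0, comm.encode("ascii"))


# Constructed pacct contents: an unprivileged user runs sudo, the child runs
# as root, and a long command name gets truncated to 16 characters.
SAMPLE_PACCT = b"".join([
    make_record("sudo", uid=1000, flag=ASU, utime=2, stime=1, pid=4242, ppid=4200),
    make_record("useradd", uid=0, flag=ASU, utime=5, stime=3, pid=4243, ppid=4242),
    make_record("ls", uid=1000, flag=0, utime=1, pid=4244, ppid=4200),
    make_record("update-ca-certificates", uid=0, flag=ASU, utime=9000, pid=4245, ppid=4242),
])


if __name__ == "__main__":
    for r in parse_records(SAMPLE_PACCT):
        who = "ROOT" if r["used_root"] else "user"
        print(f"{who} uid={r['uid']:<5} pid={r['pid']:<5} "
              f"cpu={r['utime_ticks'] + r['stime_ticks']:<5} {r['comm']}")
```

Running the block lists each record with its uid, pid and CPU ticks, which is the information Glynn's "which programs are run, but not their arguments" describes: `ac_comm` carries only a 16-byte basename, so `update-ca-certificates` survives as `update-ca-certif`, and the counters stored as comp_t are rounded once they exceed 8191, which the round trip of 9000 ticks shows.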