public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Frank Kruchio <fkruchio@nz1.ibm.com>
Subject: Re: command logging
Date: Tue, 8 Nov 2011 15:59:17 -0500
Message-ID: <201111081559.18187.sgrubb@redhat.com>
In-Reply-To: <OF9A679B1A.ED051FCD-ONCC257942.0070F681-CC257942.00718E45@nz1.ibm.com>

On Tuesday, November 08, 2011 03:40:14 PM Frank Kruchio wrote:
> We are running RHEL5 x86_64 and RHEL4 (32 and 64 bit) servers mostly at
> work and management like to track every single command a user types.
> So far we used rootsh but once a user types
> 
> sudo rootsh
> sudo su - oracle
> 
> the oracle user commands are not logged any more.
> 
> Is there a way to track/record a user to see what was typed using the audit
> subsystem?

On RHEL5, probably after 5.4 or 5.5 and upstream kernels after 2.6.24 or 25, you can 
use pam_tty_audit. There is a man page that explains how to set it up and it's pretty 
obvious what it does. You need to use the ausearch program to see what's in the events 
or the aureport --tty report. RHEL4 has no such facility.

> We are considering the idea now to
> 
> > /etc/securetty
> 
> to lock root logins out
> 
> The goal is to not have any shared IDs at all and all users should be
> identified on what they did on the servers if necessary.

For the audit system to work correctly, you should not allow root logins. The auid 
field in the events will track who did anything.

-Steve
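The point Steve makes about auid is easiest to see on actual TTY records. Once pam_tty_audit is enabled (for example with `session required pam_tty_audit.so enable=*` in the relevant /etc/pam.d service file), the kernel emits `type=TTY` records whose `data` field holds the keystrokes hex-encoded; the parser below is an added example, not code from this thread or from the audit package, and the three records it reads are constructed samples, not real logs.

```python
import re
from collections import defaultdict

# Raw TTY records as ausearch prints them without -i. The keystroke bytes are in
# the hex-encoded "data" field; these three lines are constructed samples, not
# real logs. Note the second record: after "sudo su - oracle" the uid is oracle's,
# but auid still names the user who logged in.
SAMPLE_TTY_RECORDS = """\
type=TTY msg=audit(1320782400.101:201): tty pid=4321 uid=1000 auid=1000 ses=3 major=136 minor=2 comm="bash" data=7375646F207375202D206F7261636C650D
type=TTY msg=audit(1320782405.202:202): tty pid=4390 uid=500 auid=1000 ses=3 major=136 minor=2 comm="bash" data=6C73202D6C610D
type=TTY msg=audit(1320782410.303:203): tty pid=4450 uid=1001 auid=1001 ses=4 major=136 minor=3 comm="bash" data=757074696D650D
"""

# key=value pairs; quoted values (comm="bash") may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_tty_records(text):
    """Return one dict per TTY record with integer ids and decoded keystrokes."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=TTY "):
            continue
        fields = dict(FIELD_RE.findall(line))
        records.append({
            "uid": int(fields["uid"]),
            "auid": int(fields["auid"]),
            "ses": int(fields["ses"]),
            "comm": fields["comm"].strip('"'),
            # keystrokes are hex bytes; Enter arrives as a carriage return
            "keys": bytes.fromhex(fields["data"]).decode("utf-8", "replace"),
        })
    return records


def keystrokes_by_auid(records):
    """Group typed input by login uid (auid), which su and sudo do not change."""
    by_user = defaultdict(list)
    for r in records:
        typed = r["keys"].replace("\r", "\n").rstrip()
        by_user[r["auid"]].append((r["uid"], typed))
    return dict(by_user)


if __name__ == "__main__":
    grouped = keystrokes_by_auid(parse_tty_records(SAMPLE_TTY_RECORDS))
    for auid, entries in grouped.items():
        for uid, typed in entries:
            print(f"auid={auid} (running as uid={uid}): {typed}")
```

On a live system the same records come from `ausearch -m TTY` (or, already decoded, `ausearch -m TTY -i`), and `aureport --tty` gives the per-user summary.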
