public inbox for linux-audit@redhat.com
* command logging
@ 2011-11-08 20:40 Frank Kruchio
  2011-11-08 20:59 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Frank Kruchio @ 2011-11-08 20:40 UTC (permalink / raw)
  To: Linux-audit


We are running RHEL5 x86_64 and RHEL4 (32 and 64 bit) servers mostly at 
work and management like to track every single command a user types.
So far we used rootsh but once a user types

sudo rootsh
sudo su - oracle

the oracle user commands are not logged any more.

Is there a way to track/record a user to see what was typed using the audit 
subsystem?


We are considering the idea now to 
> /etc/securetty
to lock root logins out 

The goal is to not have any shared IDs at all and all users should be 
identified on what they did on the servers if necessary.

* Re: command logging
  2011-11-08 20:40 command logging Frank Kruchio
@ 2011-11-08 20:59 ` Steve Grubb
       [not found]   ` <OFA15CC340.C126AE80-ONCC257942.0073F9E8-CC257942.007440EF@nz1.ibm.com>
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2011-11-08 20:59 UTC (permalink / raw)
  To: linux-audit; +Cc: Frank Kruchio

On Tuesday, November 08, 2011 03:40:14 PM Frank Kruchio wrote:
> We are running RHEL5 x86_64 and RHEL4 (32 and 64 bit) servers mostly at
> work and management like to track every single command a user types.
> So far we used rootsh but once a user types
> 
> sudo rootsh
> sudo su - oracle
> 
> the oracle user commands are not logged any more.
> 
> Is there a way to track/record a user to see what was typed using the audit
> subsystem?

On RHEL5, probably after 5.4 or 5.5 and upstream kernels after 2.6.24 or 25, you can 
use pam_tty_audit. There is a man page that explains how to set it up and it's pretty 
obvious what it does. You need to use the ausearch program to see what's in the events 
or the aureport --tty report. RHEL4 has no such facility.

> We are considering the idea now to
> 
> > /etc/securetty
> 
> to lock root logins out
> 
> The goal is to not have any shared IDs at all and all users should be
> identified on what they did on the servers if necessary.

For the audit system to work correctly, you should not allow root logins. The auid 
field in the events will track who did anything.

-Steve
* Re: command logging
       [not found]   ` <OFA15CC340.C126AE80-ONCC257942.0073F9E8-CC257942.007440EF@nz1.ibm.com>
@ 2011-11-08 21:31     ` Steve Grubb
  0 siblings, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2011-11-08 21:31 UTC (permalink / raw)
  To: Frank Kruchio; +Cc: linux-audit

On Tuesday, November 08, 2011 04:09:42 PM Frank Kruchio wrote:
> Thanks Steve !
> 
> These are RHEL5 U7 however what happens if they ssh in, pam_tty_audit won't
> work I think.
> Since console login is disabled we are not thinking of using pam_tty_audit
> or can you use it for ssh logins as well ?

Should work fine there.

> if not, what are the options to track users who share user ids ?

Users can share UIDs, but just not log in as that UID. They have to log in with their 
own unique uid and then change to the shared account. Of course a cron job won't track 
the auid, though. But you can disable cron for the shared account.

-Steve
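As an added example (not from the thread, and not part of the audit package or pam_tty_audit itself), the Python script below shows the point both of Steve's replies rest on: pam_tty_audit records keystrokes in type=TTY events whose auid is the login UID, so a user who logs in with their own account and then runs `sudo su - oracle` stays attributable even though the uid changes to oracle's. The script parses raw TTY records, decodes the hex-encoded data= field, and groups the typed lines by auid. The record layout is assumed from the raw format ausearch prints for TTY events; the five records, the UIDs 1000/1001/1002 and the commands are constructed for illustration, not captured from a real host.

```python
"""Group pam_tty_audit keystroke records (type=TTY) by login identity (auid).

Added example, not from the linux-audit thread. Assumes the raw record layout
that ausearch prints for type=TTY events: the data= field is the hex encoding
of the keystroke bytes, and auid is the login UID the kernel fixes at login,
which survives su and sudo.
"""
import re
from collections import defaultdict

# Constructed sample records, not real audit output. Login user 1000 types
# "sudo su - oracle" (oracle = uid 1001); every later record keeps auid=1000.
# User 1002 is a second, unrelated login session.
SAMPLE_RECORDS = """\
type=TTY msg=audit(1320787200.101:201): tty pid=3001 uid=1000 auid=1000 ses=5 major=136 minor=1 comm="bash" data=7375646F207375202D206F7261636C650D
type=TTY msg=audit(1320787205.102:202): tty pid=3050 uid=1001 auid=1000 ses=5 major=136 minor=1 comm="bash" data=69640D
type=TTY msg=audit(1320787209.103:203): tty pid=3050 uid=1001 auid=1000 ses=5 major=136 minor=1 comm="bash" data=6C73202F7530310D
type=TTY msg=audit(1320787215.104:204): tty pid=3050 uid=1001 auid=1000 ses=5 major=136 minor=1 comm="bash" data=657869740D
type=TTY msg=audit(1320787220.105:205): tty pid=3101 uid=1002 auid=1002 ses=6 major=136 minor=2 comm="bash" data=77686F0D
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial


def parse_tty_record(line):
    """Parse one raw type=TTY line into a dict; return None for other types."""
    if not line.startswith("type=TTY "):
        return None
    m = MSG_RE.search(line)
    rec = {"time": float(m.group(1)), "serial": int(m.group(2))}
    for key, val in FIELD_RE.findall(line):
        rec[key] = val.strip('"')
    for key in ("pid", "uid", "auid", "ses"):
        rec[key] = int(rec[key])
    # data= holds the raw keystroke bytes in hex; CR/LF ends a typed line.
    raw = bytes.fromhex(rec["data"])
    rec["lines"] = [chunk.decode("latin-1")
                    for chunk in re.split(rb"[\r\n]", raw) if chunk]
    return rec


def records_by_auid(text):
    """Group parsed records by auid, the identity pinned at login."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_tty_record(line)
        if rec:
            groups[rec["auid"]].append(rec)
    return dict(groups)


def commands_for(auid, text):
    """Return the lines one login identity typed, in event serial order."""
    recs = sorted(records_by_auid(text).get(auid, []), key=lambda r: r["serial"])
    return [cmd for r in recs for cmd in r["lines"]]


def identity_switches(text):
    """(serial, auid, uid) for records typed in a switched account (uid != auid):
    work done as the shared user that is still attributable to the login user."""
    return [(r["serial"], r["auid"], r["uid"])
            for recs in records_by_auid(text).values()
            for r in recs if r["uid"] != r["auid"]]


if __name__ == "__main__":
    for auid in sorted(records_by_auid(SAMPLE_RECORDS)):
        print(f"auid={auid}: {commands_for(auid, SAMPLE_RECORDS)}")
    print("typed in a switched account:", identity_switches(SAMPLE_RECORDS))
```

On a real host the input would come from `ausearch -m TTY --raw` after pam_tty_audit has been enabled with a session line such as `session required pam_tty_audit.so enable=*` in the relevant PAM service file (see the pam_tty_audit man page for the exact options). The decoder splits only on CR/LF; editing keys such as backspace are left in the decoded text, so what it shows is what was typed, not necessarily what the shell executed.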