 
Old 09-22-2010, 03:10 PM
 
Command logging after 'su'

Hi,

We have a user 'u1' who can do 'su - root'.
Is it possible to log all commands run by this user:
- during id=u1
- after su to 'root' ?

Regards
P.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
 
Old 09-22-2010, 03:40 PM
"Marti, Robert"
 
Command logging after 'su'

PAM can be configured to log every key a user presses via the audit daemon. This, however, is useless unless you ship logging off the box.

Sent from my iPhone

On Sep 22, 2010, at 10:36 AM, "przemolicc@poczta.fm" <przemolicc@poczta.fm> wrote:

> Hi,
>
> we have user 'u1' which can do 'su - root'.
> Is it possible to log all commands run by this user:
> - during id=u1
> - after su to 'root' ?
>
> Regards
> P.
 
Old 09-22-2010, 03:55 PM
"Elliott, Andrew"
 
Command logging after 'su'

...Should be in the .history (bash) file, no?

You should try to get them to use 'sudo'. That will capture all the commands in the users' .bash_history rather than root's...

-----Original Message-----
From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com] On Behalf Of Marti, Robert
Sent: Wednesday, September 22, 2010 11:41 AM
To: przemolicc@poczta.fm; General Red HatLinuxdiscussion list
Subject: Re: Command logging after 'su'

pam can be configured to log every key a user presses via the audit daemon. This, however, is useless unless you ship logging off the box.

Sent from my iPhone

On Sep 22, 2010, at 10:36 AM, "przemolicc@poczta.fm" <przemolicc@poczta.fm> wrote:

> Hi,
>
> we have user 'u1' which can do 'su - root'.
> Is it possible to log all commands run by this user:
> - during id=u1
> - after su to 'root' ?
>
> Regards
> P.
 
Old 09-22-2010, 04:27 PM
"Marti, Robert"
 
Command logging after 'su'

Bash history is editable, so effectively useless for auditing. On top of that, by default, even if they don't unset the histfile or use one of the many other ways to clear the entries, only the last exited session actually writes to the histfile. It also doesn't catch what happens if a user opens a shell through another method (i.e., sudo vim then open a shell).

PAM auditing will catch all of that as long as audit.log is being shipped off the server.

Sent from my iPhone

On Sep 22, 2010, at 11:00 AM, "Elliott, Andrew" <Andrew.Elliott@istat.ca> wrote:

> ...Should be in the .history (bash) file, no?
>
> You should try to get them to use 'sudo'. That will capture all the commands in the users' .bash_history rather than root's...
>
> -----Original Message-----
> From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com] On Behalf Of Marti, Robert
> Sent: Wednesday, September 22, 2010 11:41 AM
> To: przemolicc@poczta.fm; General Red HatLinuxdiscussion list
> Subject: Re: Command logging after 'su'
>
> pam can be configured to log every key a user presses via the audit daemon. This, however, is useless unless you ship logging off the box.
>
> Sent from my iPhone
>
> On Sep 22, 2010, at 10:36 AM, "przemolicc@poczta.fm" <przemolicc@poczta.fm> wrote:
>
>> Hi,
>>
>> we have user 'u1' which can do 'su - root'.
>> Is it possible to log all commands run by this user:
>> - during id=u1
>> - after su to 'root' ?
>>
>> Regards
>> P.
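
Added example, not part of the thread: assuming the PAM keystroke auditing described above is pam_tty_audit writing `type=TTY` records to audit.log, this Python script rebuilds command lines from the hex keystroke data and groups them by `auid`, the login uid that stays with the session after `su - root`. The log lines, the uid value 500 for u1 and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of auditd type=TTY records. Assumed setup:
# pam_tty_audit enabled for u1 and root; u1's login uid is 500.
SAMPLE_LOG = """\
type=TTY msg=audit(1285168201.101:310): tty pid=4021 uid=500 auid=500 ses=7 major=136 minor=2 comm="bash" data=7375202D20726F6F740D
type=TTY msg=audit(1285168230.442:318): tty pid=4077 uid=0 auid=500 ses=7 major=136 minor=2 comm="bash" data=636174202F6574632F686F7373747F7F
type=TTY msg=audit(1285168231.015:319): tty pid=4077 uid=0 auid=500 ses=7 major=136 minor=2 comm="bash" data=74730D
type=TTY msg=audit(1285168244.907:321): tty pid=4077 uid=0 auid=500 ses=7 major=136 minor=2 comm="bash" data=657869740D
"""

TTY_RECORD = re.compile(r"^type=TTY msg=audit\([\d.]+:\d+\): tty (.*)$")


def commands_by_login_uid(log_text):
    """Return {auid: [(uid, command), ...]} rebuilt from TTY keystroke records."""
    commands = defaultdict(list)
    pending = defaultdict(list)  # unfinished line per (session, pid)
    for line in log_text.splitlines():
        match = TTY_RECORD.match(line)
        if not match:
            continue  # other audit record types are ignored here
        try:
            fields = dict(kv.split("=", 1) for kv in match.group(1).split())
            keys = bytes.fromhex(fields["data"]).decode("latin-1")
            buf = pending[(fields["ses"], fields["pid"])]
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        for ch in keys:
            if ch in "\r\n":          # Enter ends the command line
                if buf:
                    commands[fields["auid"]].append((fields["uid"], "".join(buf)))
                buf.clear()
            elif ch in "\x7f\x08":    # DEL / Backspace removes one character
                if buf:
                    buf.pop()
            elif ch.isprintable():    # control bytes dropped; escapes not interpreted
                buf.append(ch)
    return dict(commands)


if __name__ == "__main__":
    for auid, entries in commands_by_login_uid(SAMPLE_LOG).items():
        for uid, cmd in entries:
            print(f"auid={auid} uid={uid} cmd={cmd!r}")
```

The second command is typed with a typo, corrected with two backspaces and split across two records, which is why the buffer is kept per session and pid rather than per record.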
 
Old 09-23-2010, 02:49 PM
 
Command logging after 'su'

Key logging is good, but you could also use something like sudosh to record
commands and output, and have it shipped to a central server.

Scott Rineer
Network Server Specialist (Linux)
American Water ITS
800 West Hershey Park Drive
Hershey, PA 17033
Office (717) 520-4578
Cell: (717)-862-8610



From: "Marti, Robert" <RJM002@shsu.edu>
To: "przemolicc@poczta.fm" <przemolicc@poczta.fm>, General Red Hat Linux discussion list <redhat-list@redhat.com>
Date: 09/22/2010 11:46 AM
Subject: Re: Command logging after 'su'
Sent by: redhat-list-bounces@redhat.com

pam can be configured to log every key a user presses via the audit daemon.
This, however, is useless unless you ship logging off the box.

Sent from my iPhone

On Sep 22, 2010, at 10:36 AM, "przemolicc@poczta.fm" <przemolicc@poczta.fm>
wrote:

> Hi,
>
> we have user 'u1' which can do 'su - root'.
> Is it possible to log all commands run by this user:
> - during id=u1
> - after su to 'root' ?
>
> Regards
> P.
 
Old 09-23-2010, 02:58 PM
"Marti, Robert"
 
Command logging after 'su'

sudosh is essentially keylogging at a different level, and not a RHEL supported package. Just pointing that out.

Rob Marti

> -----Original Message-----
> From: redhat-list-bounces@redhat.com [mailto:redhat-list-
> bounces@redhat.com] On Behalf Of Scott.Rineer@amwater.com
> Sent: Thursday, September 23, 2010 9:49 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Command logging after 'su'
>
> key logging is good, but you could also use something like sudosh to record
> command and output. and have it shipped to a central server.
>
> Scott Rineer
> Network Server Specialist (Linux)
> American Water ITS
> 800 West Hershey Park Drive
> Hershey, PA 17033
> Office (717) 520-4578
> Cell: (717)-862-8610
>
>
>
> From: "Marti, Robert" <RJM002@shsu.edu>
>
> To: "przemolicc@poczta.fm" <przemolicc@poczta.fm>, General Red Hat
> Linuxdiscussion list <redhat-list@redhat.com>
>
> Date: 09/22/2010 11:46 AM
>
> Subject: Re: Command logging after 'su'
>
> Sent by: redhat-list-bounces@redhat.com
>
>
>
>
>
>
> pam can be configured to log every key a user presses via the audit daemon.
> This, however, is useless unless you ship logging off the box.
>
> Sent from my iPhone
>
> On Sep 22, 2010, at 10:36 AM, "przemolicc@poczta.fm"
> <przemolicc@poczta.fm>
> wrote:
>
> > Hi,
> >
> > we have user 'u1' which can do 'su - root'.
> > Is it possible to log all commands run by this user:
> > - during id=u1
> > - after su to 'root' ?
> >
> > Regards
> > P.
 
