Old 09-23-2010, 02:19 PM
Zbynek Vymazal
 
Default User Auditing

Hi Rob,

I'm logging the command history of every user to a remote syslog server. It requires two steps on the client side:

1) Add the following function to /etc/profile:

# The DEBUG trap fires before each simple command, so the last history
# entry is the command that is about to run.
function history_to_syslog
{
    declare command
    command=$(fc -ln -0)                              # last entry, without its number
    command=${command#"${command%%[![:space:]]*}"}    # drop the leading tab fc prints
    logger -p local7.notice -t bash -i -- "$USER : $command"
}
trap history_to_syslog DEBUG

2) Configure the local syslog to resend the logs to the remote syslog (/etc/syslog-ng/syslog-ng.conf):

# Send local messages to central syslog server

filter f_filter7 { facility(local7); };
destination d_syslog_server { udp("xxx.xxx.xxx.xxx"); };
log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };

Best regards,

Zbynek Vymazal

-----Original Message-----
From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com] On Behalf Of Rob DeSanno
Sent: Thursday, September 23, 2010 15:40
To: General Red Hat Linux discussion list
Subject: User Auditing

This should be an easy question.

I use Logwatch on all of my RHEL servers and would like for it to also
report on all commands that any user had typed when logged in as well.
Something along the lines of UID: Command to give me an idea of who was
doing what at any given period of time.

I tried using snoopy but that gave me much more than I was looking for. I'm
now playing around with psacct and logger but was curious to know what
everyone else out there uses to monitor user activity besides looking into
everyone's history file.

Thanks in advance!
~Rob
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

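Once the trap's lines reach the central server, a short pass over them gives the "who ran what" view Rob asked for. The following is an added example, not code from the thread; it assumes the usual syslog line layout (`Mon DD HH:MM:SS host bash[pid]: user : command`) that the `logger -t bash -i` call above produces, and the log lines, host names, PIDs and user names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: summarise the "user : command" lines that Zbynek's
# history_to_syslog trap ships to the central syslog server.
# SAMPLE_LOG is constructed input; hosts, PIDs, users and commands are made up.
SAMPLE_LOG='Sep 23 14:20:01 web01 bash[4321]: alice : ls -la /var/log
Sep 23 14:20:07 web01 bash[4321]: alice : sudo tail /var/log/secure
Sep 23 14:21:30 web01 bash[5890]: bob : vim deploy.sh
Sep 23 14:21:44 web01 bash[5890]: bob : ./deploy.sh
Sep 23 14:21:45 web01 bash[5890]: bob : rm deploy.sh
Sep 23 14:22:02 db01 bash[777]: root : yum update
Sep 23 14:22:09 db01 sshd[778]: Accepted publickey for alice from 10.0.0.5'

# One "user : command" line per bash entry read on stdin.  Field 5 is the
# "bash[pid]:" tag, field 6 the user, field 7 the literal ":" separator,
# and everything after it the command; lines from other programs are skipped.
commands_by_user() {
    awk '
        $5 ~ /^bash\[[0-9]+\]:$/ {
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            print $6 " : " cmd
        }'
}

# Logwatch-style summary: number of commands per user, sorted by user.
command_counts() {
    commands_by_user | awk -F' : ' '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | commands_by_user
printf '%s\n' "$SAMPLE_LOG" | command_counts
```

Note bob's three lines: the write-run-delete pattern raised later in the thread does show up as three logged commands, but nothing in the log says what deploy.sh contained, which is exactly the gap the rest of the discussion is about.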
 
Old 09-23-2010, 02:29 PM
"Marti, Robert"
 
Default User Auditing

I haven't tried them, but do these track executing shell commands from inside vim or other editors? Or other ways of running commands? (write a script, run it, delete the script)

Rob Marti

 
Old 09-23-2010, 02:41 PM
Georgios Magklaras
 
Default User Auditing

Not only that, but you could also obfuscate the script. One user I
dealt with that attempted to evade detection perlcc-ed system-call-
wrapped commands into a binary file. Relying on the shell functionality
for these kinds of things is not wise (IMHO) to get reliable data about
who is doing what. Zbynek's recipe is great, simple, but it will not
easily catch folks that know how to cover their tracks.


GM

On 09/23/2010 04:29 PM, Marti, Robert wrote:

I haven't tried them, but do these track executing shell commands from inside vim or other editors? Or other ways of running commands? (write a script, run it, delete the script)

Rob Marti


--
--
George Magklaras
Senior Systems Engineer/IT Manager
Biotek Center, University of Oslo
EMBnet TMPC Chair

http://folk.uio.no/georgios

Tel: +47 22840535



 
Old 09-23-2010, 03:28 PM
Rob DeSanno
 
Default User Auditing

Thanks all for the good suggestions. I'm giving Zbynek's solution a try
right now and understand the limitations but it's better than what I have
at the moment.

On Thu, Sep 23, 2010 at 10:41 AM, Georgios Magklaras <georgios@biotek.uio.no> wrote:

> Not only that, but you could also obfuscate the script. One user I dealt
> with that attempted to evade detection perlcc-ed system call wrapped
> commands into a binary file. Relying on the shell functionality for these
> kinds of things is not wise (IMHO) to get reliable data about who is doing
> what. Zbynek's recipe is great, simple, but it will not really catch easily
> folks that know how to cover their tracks.
>
> GM
 
Old 09-23-2010, 03:28 PM
m.roth@5-cent.us
 
Default User Auditing

Marti, Robert wrote:
> I haven't tried them, but do these track executing shell commands from
> inside vim or other editors? Or other ways of running commands? (write a
> script, run it, delete the script)
>
It also strikes me as a) a great way to create an overwhelming amount of
data; b) useless - consider the user edits a script, suspends the editing
session, runs the script, foregrounds the editing session, and undoes
whatever code they put in. Oh, and c) over-the-top Big Brother; I mean,
there's oversight, and there's this: if there's this mistrust of the
employees, then perhaps management should either hire trustworthy
employees, or only allow trusted employees to work on the systems.

mark, *not* a fan of the idea.
 
Old 09-23-2010, 03:41 PM
"Marti, Robert"
 
Default User Auditing

I'm a fan of auditing root keystrokes and shipping them off the box - you can see what happens if your server gets compromised or if you have a disgruntled employee by setting up alerts on the log correlation box. Plus it allows a historical view of an event that bash_history doesn't always - especially if the admin doesn't use a shell that has a history. Auditing normal users, however, typically isn't worth it.

Rob Marti
Systems Administrator
Sam Houston State University
936-294-3804 // rob@shsu.edu


> -----Original Message-----
> From: redhat-list-bounces@redhat.com [mailto:redhat-list-
> bounces@redhat.com] On Behalf Of m.roth@5-cent.us
> Sent: Thursday, September 23, 2010 10:29 AM
> To: General Red Hat Linux discussion list
> Subject: RE: User Auditing
>
> Marti, Robert wrote:
> > I haven't tried them, but do these track executing shell commands from
> > inside vim or other editors? Or other ways of running commands?
> > (write a script, run it, delete the script)
> >
> It also strikes me as a) a great way to create an overwhelming amount of
> data; b) useless - consider the user edits a script, suspends the editing
> session, runs the script, forgrounds the editing session, and undoes
> whatever code they put in. Oh, and c) over-the-top Big Brother; I mean,
> there's oversight, and there's this: if there's this mistrust of the employees,
> then perhaps management should either hire trustworthy employees, or
> only allow trusted employees to work on the systems.
>
> mark, *not* a fan of the idea.
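For the alerting on root activity that Rob Marti describes, the same lines can be matched against a watchlist on the log correlation box. This is an added example, not code from the thread; it assumes the `user : command` message layout produced by the `logger -t bash -i -- $USER : $command` call in Zbynek's recipe, and the watchlist, host names, PIDs and log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag root commands, shipped off the box by the
# history_to_syslog trap, that touch accounts, sudoers or shell history.
# SAMPLE_LOG and the watchlists are constructed for this demonstration.
SAMPLE_LOG='Sep 23 15:01:12 db01 bash[777]: root : tail -f /var/log/messages
Sep 23 15:02:40 db01 bash[777]: root : useradd -m -G wheel svc-backup
Sep 23 15:02:55 db01 bash[777]: root : visudo
Sep 23 15:03:10 db01 bash[777]: root : unset HISTFILE
Sep 23 15:03:30 db01 bash[901]: alice : useradd test'

# First word of the command: account and sudoers changes.
WATCH_CMDS='^(useradd|usermod|userdel|passwd|visudo|chattr)$'
# Whole command: the two usual ways of switching bash history off.
WATCH_IDIOMS='^(unset HISTFILE|history -c)$'

# Print "ALERT host root : command" for every root command on stdin that
# matches either watchlist.  Only root is checked (Marti's point); alice's
# line is left alone.  Field 5 is "bash[pid]:", 6 the user, 8 onward the command.
root_alerts() {
    awk -v cmds="$WATCH_CMDS" -v idioms="$WATCH_IDIOMS" '
        $5 ~ /^bash\[[0-9]+\]:$/ && $6 == "root" {
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            if ($8 ~ cmds || cmd ~ idioms) print "ALERT " $4 " root : " cmd
        }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | root_alerts
```

One caveat worth keeping in mind: a command run through sudo is logged under the invoking user's name, not root, so a check that only looks at `$6 == "root"` will not see `sudo useradd` typed by alice. Treating a leading `sudo` as root activity is the obvious extension.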
 
Old 09-23-2010, 03:52 PM
m.roth@5-cent.us
 
Default User Auditing

Marti, Robert wrote:
> I'm a fan of auditing root keystrokes and shipping them off the box - you
> can see what happens if your server gets compromised or if you have a
> disgruntled employee by setting up alerts on the log correlation box.
> Plus it allows a historical view of an event that bash_history doesn't
> always - especially if the admin doesn't use a shell that has a history.
> Auditing normal users, however, typically isn't worth it.
>
Ok, if you *know* you have a disgruntled employee. However, I worked at a
place about 4 years ago that implemented command logging of *every*
command of *every* user. Slowed the system down, visibly... and IMO,
created a hostile work environment, telling the employees that no,
management *did not* trust them, an attitude guaranteed to turn gruntled
employees into disgruntled ones. <g>

You'll note I don't work there anymore (though that was for more reasons
than just this).
<snip>

mark

 
Old 09-23-2010, 04:03 PM
"Marti, Robert"
 
Default User Auditing

About the disgruntled employee - not saying to monitor specific people because they might cause a problem, but monitoring root (the user that causes problems) and alerting based on possible problems would indicate a disgruntled employee.

Rob Marti

 
Old 09-23-2010, 04:11 PM
Georgios Magklaras
 
Default User Auditing

Auditing keystrokes will not always reveal the whole picture and is
VERY intrusive for people. How are you going to correlate (and prove)
that when you type something like http://www.abadsite.com, you are
typing it on the descriptor of the web browser and not a text word
processor? Too much noise for the data and too much invasion of privacy;
never saw the point really, apart from folk that do keystroke-based user
authentication, which is very error prone and logs only some
keystrokes to work, not everything.


GM

On 09/23/2010 05:41 PM, Marti, Robert wrote:

> I'm a fan of auditing root keystrokes and shipping them off the box - you can see what happens if your server gets compromised or if you have a disgruntled employee by setting up alerts on the log correlation box. Plus it allows a historical view of an event that bash_history doesn't always - especially if the admin doesn't use a shell that has a history. Auditing normal users, however, typically isn't worth it.

 
Old 09-23-2010, 04:43 PM
"Marti, Robert"
 
Default User Auditing

Why is there a browser (text or otherwise) installed on the server?
And the pam bit that logs keystrokes to auditd does log every keypress.
And it logs the program you were typing in.

https://bugzilla.redhat.com/show_bug.cgi?id=483086 is the functionality I'm describing.

Like I said - I only use it to log for root. People should not be considering actions done as root to be private.

Rob Marti
