article in Tech
linux-unix-and-friends
Audit system use.
I don't like the idea of someone watching every command I run when I'm logged into my home linux server. However, I do think that it is very handy to log everything that happens on my firewalls and other "secure" boxes. (what machine do you own that you don't want to be "secure"?)
I've been looking for a total solution for accounting but there really isn't anything that logs enough data.
For example, process accounting is available in many of the kernels. You turn it on and the kernel records information about each of the processes that are run. This allows you to run reports on what a user has run and how much CPU time they have consumed. However, it doesn't record command line args or file changes so you can't really see what was being done. The only accounting it provides is when and what the user ran.
What I would really like to see is a system that logs each command a person runs with full detail including command line arguments. In fact, I'd like to have diffs of each file the user modified during the execution of that program. (this really isn't that practical).
For now I've settled for simply being able to login to the system and watch users. This might be useful if you really don't trust someone in your system and you'd like to watch each command they run.
# Watch a user's commands and args in tree form
watch pstree -a username
The above command just runs pstree over and over. pstree displays all the user processes owned by the user in a handy tree display with full command line details.
Another program that I've gone fond of lately is sudosh, this program records all the keystrokes and output of an interactive shell. It works a lot like a VCR, users log in and everything is recorded. Later a system administrator can log in and replay everything the user saw and typed! Pretty neat, but there were some issues with scp and sftp when I tried it.
rootsh
Linux.com :: Rootsh terminal logger keeps watch on root users
rootsh | Get rootsh at SourceForge.net - Rootsh is a wrapper for shells which logs all echoed keystrokes and terminal output to a file and/or to syslog. It's main purpose is the auditing of users who need a shell with root privileges. They start rootsh through the sudo mechanism.
Cfengine
Cfengine - adaptive configuration management.
CFEngine - configuration management via promises.
Cfengine 3 cookbook begins - Neil H Watson, Linux consultant
Neil H Watson, Linux consultant: Cfengine cookbook Archives
(R)?ex - A simple framework to simplify system administration and datacenter automation
Forensic Acquisition Utilities - includes dd,wipe,netcat and other forensic apps.
Graylog2 - Free open source self-hosted log management and exception tracking
logstash - open source log management
the logstash community cookbook - logstash cookbook
EPIPE Communications : /downtimed/ - System downtime monitoring and reporting tool
sysdig
sysdig | Home - Sysdig is open source, system-level exploration: capture system state and activity from a running Linux instance, then save, filter and analyze.
Think of it as strace + tcpdump + lsof + awesome sauce.
With a little Lua cherry on top.
Draios | Fishing for Hackers: Analysis of a Linux Server Attack - analyzing an actual attack on a server, captured entirely with sysdig.
Overview - Process Hacker open source version of the excellent sysinternals Process Explorer
Sysmon Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Created: 2005-12-24 12:30:39
Modified: 2014-12-12 22:00:35
