Audit system use

Saturday, 24 December 2005 07:30
I don't like the idea of someone watching every command I run when I'm logged into my home Linux server. However, I do think that it is very handy to log everything that happens on my firewalls and other "secure" boxes. I've been looking for a total solution for accounting, but there really isn't anything that logs enough data. For example, process accounting is available in many of the kernels. You turn it on and the kernel records information about each of the processes that are run. This allows you to run reports on what a user has run and how much CPU time they have consumed. However, it doesn't record command line args or file changes, so you can't really see what was being done. The only accounting it provides is when and what the user ran. What I would really like to see is a system that logs each command a person runs with full detail, including command line arguments. In fact, I'd like to have diffs of each file the user modified during the execution of that program (this really isn't that practical). For now I've settled for simply being able to log in to the system and watch users. This might be useful if you really don't trust someone on your system and you'd like to watch each command they run.

```sh
# Watch a user's commands and args in tree form
watch pstree -a username
```

The above command just runs pstree over and over. pstree displays all the processes owned by the user in a handy tree display with full command line details. Another program that I've grown fond of lately is sudosh; this program records all the keystrokes and output of an interactive shell. It works a lot like a VCR: users log in and everything is recorded. Later a system administrator can log in and replay everything the user saw and typed! Pretty neat, but there were some issues with scp and sftp when I tried it.

Related links:

- Linux.com :: Rootsh terminal logger keeps watch on root users
- rootsh | Get rootsh at SourceForge.net - Rootsh is a wrapper for shells which logs all echoed keystrokes and terminal output to a file and/or to syslog. Its main purpose is the auditing of users who need a shell with root privileges. They start rootsh through the sudo mechanism.
- Cfengine - adaptive configuration management.
- Forensic Acquisition Utilities - includes dd, wipe, netcat and other forensic apps.
- Graylog2 - Free open source self-hosted log management and exception tracking
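The `watch pstree -a` trick only shows you what is running right now. As an added example (not part of the original post), the script below takes the same process-table view and turns it into the kind of per-command log the post wishes for: it polls the user's processes and appends each newly seen command line, with full arguments and a timestamp, to a log file. It assumes a Linux procps `ps` that accepts `-u USER -o pid= -o args=`; the `AUDIT_USER`, `AUDIT_LOG` and `INTERVAL` variables are this example's own.

```sh
#!/bin/sh
# Added example: poll one user's processes and log every new command line.
# Assumes Linux procps `ps` (supports -u USER -o pid= -o args=).

AUDIT_USER="${AUDIT_USER:-$USER}"          # user to watch
AUDIT_LOG="${AUDIT_LOG:-./cmd-audit.log}"  # where entries are appended
INTERVAL="${INTERVAL:-2}"                  # seconds between snapshots

# snapshot: one sorted line per process, "PID full command line"
snapshot() {
    ps -u "$AUDIT_USER" -o pid= -o args= | sed 's/^ *//' | sort
}

# new_entries PREV CUR: lines present in CUR but not in PREV (both sorted)
new_entries() {
    comm -13 "$1" "$2"
}

# audit_line USER "PID ARGS": format one timestamped log entry
audit_line() {
    printf '%s user=%s pid=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "${2%% *}" "${2#* }"
}

# watch_user: loop forever, logging each process the user starts.
# Caveat: a command that starts and exits between two polls is never seen;
# that gap is what keystroke recorders like sudosh or rootsh close.
watch_user() {
    prev=$(mktemp); cur=$(mktemp)
    trap 'rm -f "$prev" "$cur"' EXIT INT TERM
    snapshot > "$prev"
    while sleep "$INTERVAL"; do
        snapshot > "$cur"
        new_entries "$prev" "$cur" | while IFS= read -r line; do
            audit_line "$AUDIT_USER" "$line" >> "$AUDIT_LOG"
        done
        cp "$cur" "$prev"
    done
}

# Run with:  AUDIT_USER=username ./cmd-audit.sh run
if [ "${1:-}" = "run" ]; then
    watch_user
fi
```

Because it relies on polling, treat the log as a supplement to, not a replacement for, a keystroke-recording shell wrapper.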
Last Updated on Thursday, 17 November 2011 09:18

