topic Re: Audit to users in Operating System - Linux

Audit to users

Jorge A. Prado T. — Fri, 19 Dec 2003 12:58:53 GMT

Hi,
As I can audit the activities that carries out a user?

S.O: REd Hat 7.2

Thank in advance
Jorge Prado

Re: Audit to users

Steven E. Protter — Fri, 19 Dec 2003 13:11:27 GMT

What about $HOME/bash_history file?

Audit is a pretty broad term. Perhaps be specific.

SEP

Re: Audit to users

Jorge A. Prado T. — Fri, 19 Dec 2003 13:36:44 GMT

Steven,
I need to register the activities of the users, without these they have opportunity to modify the possible logs that be generated. The histoty file is manageable by the users.
There is some tool that permit to register the commands introduced by the users?

Thank in advance.

Jorge Prado

Re: Audit to users

Steven E. Protter — Fri, 19 Dec 2003 13:43:58 GMT

One way I'd approach that is to have a root script copy the contents of the .bash_history files to a central file periodicaly. cron can handle this.

There isn't a whole lot you can do on a system without keystrokes.

The files in the /var/log section contain a lot of what you are looking for. If you are monitoring Internet activity, you can increase the logging of the iptables firewall and get a ton of data.

I'm not aware of a built in feature in Linux like HP-UX Trusted System auditing that integrates this feature. That doesn't mean it doesn't exist.

My guess is you're going to need a third party auditing product.

I would suggest you look for one at sourceforge.net or tucows.com

I have to go home or I'd do it for you for extra points.

Regards,

SEP

Re: Audit to users

Martin P.J. Zinser — Fri, 19 Dec 2003 15:34:10 GMT

Hello,

Stevens approach is ok if we are talking about situations where you are working with users cooperating with the audit, e.g. it is used to analyze why a particular sequence of commands is not yielding the expected result.

It is insufficient if you do need to do auditing to prevent malicious misuse, since there is plenty of opportunity for users to wipe out or alter the .bash_history between collections to a protected area (or history of another shell). You will need specialized software to do so. And there is a good possibility you will need to pay for it.

On a related note, depending on where you are there are legal privacy requirements that you should check before embarking on any monitoring down to the keystroke level.

Re: Audit to users

Martin P.J. Zinser — Fri, 19 Dec 2003 15:37:55 GMT

Re: Audit to users

Paul Cross_1 — Fri, 19 Dec 2003 15:40:02 GMT

Here is a HOWTO on linux process accounting, I can't vouch for it as I have never tried it. It also seems a bit old (2001). However, it might be a place to start
http://www.faqs.org/docs/Linux-mini/Process-Accounting.html

Re: Audit to users

Thomas_18 — Fri, 19 Dec 2003 19:17:34 GMT

Install the psacct package :

psacct - Utilities for monitoring process activities.

The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa. The ac command displays statistics about how long users have been logged on. The lastcomm command displays information about previous executed commands. The accton command turns process accounting on or off. The sa command summarizes information about previously executed commmands.

Re: Audit to users

Cristian Draghici — Mon, 22 Dec 2003 01:52:04 GMT

You could use the bash logging patch.
It modifies the history procedure so that everything written in the .bash_history file is also sent via syslog.

Look for "bash syslog" on Google.

One of the results:
http://www.nardware.co.uk/Security/html/bashlogger.htm

c

Re: Audit to users

Alexander Chuzhoy — Mon, 22 Dec 2003 03:37:16 GMT

You can also try the tripwire utility ,while configure it to track changes only for specific folders.