Re: Audit to users

 
SOLVED
Jorge A. Prado T.
Occasional Advisor

Audit to users

Hi,
How can I audit the activities that a user carries out?

OS: Red Hat 7.2

Thanks in advance
Jorge Prado
Steven E. Protter
Exalted Contributor

Re: Audit to users

What about the $HOME/.bash_history file?

Audit is a pretty broad term. Perhaps be specific.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jorge A. Prado T.
Occasional Advisor

Re: Audit to users

Steven,
I need to record the activities of the users, without them having the opportunity to modify any logs that are generated. The history file can be modified by the users.
Is there some tool that can record the commands entered by the users?

Thanks in advance.

Jorge Prado

Steven E. Protter
Exalted Contributor

Re: Audit to users

One way I'd approach that is to have a root script copy the contents of the .bash_history files to a central file periodically. cron can handle this.

There isn't a whole lot you can do on a system without keystrokes.

The files in the /var/log section contain a lot of what you are looking for. If you are monitoring Internet activity, you can increase the logging of the iptables firewall and get a ton of data.

I'm not aware of a built-in feature in Linux like HP-UX Trusted System auditing that integrates this feature. That doesn't mean it doesn't exist.

My guess is you're going to need a third party auditing product.

I would suggest you look for one at sourceforge.net or tucows.com

I have to go home or I'd do it for you for extra points.

Regards,

SEP
Martin P.J. Zinser
Honored Contributor

Re: Audit to users

Hello,

Steven's approach is OK if we are talking about situations where you are working with users cooperating with the audit, e.g. it is used to analyze why a particular sequence of commands is not yielding the expected result.

It is insufficient if you do need to do auditing to prevent malicious misuse, since there is plenty of opportunity for users to wipe out or alter the .bash_history between collections to a protected area (or history of another shell). You will need specialized software to do so. And there is a good possibility you will need to pay for it.

On a related note, depending on where you are, there are legal privacy requirements that you should check before embarking on any monitoring down to the keystroke level.

Greetings, Martin
Paul Cross_1
Respected Contributor

Re: Audit to users

Here is a HOWTO on Linux process accounting. I can't vouch for it as I have never tried it. It also seems a bit old (2001). However, it might be a place to start.
http://www.faqs.org/docs/Linux-mini/Process-Accounting.html
Thomas_18
New Member
Solution

Re: Audit to users

Install the psacct package:

psacct - Utilities for monitoring process activities.

The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa. The ac command displays statistics about how long users have been logged on. The lastcomm command displays information about previously executed commands. The accton command turns process accounting on or off. The sa command summarizes information about previously executed commands.
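
To show what the process accounting file behind lastcomm actually holds, here is an added example (not part of the original thread, and not psacct's own code) that parses raw accounting records in Python. It assumes the kernel writes the `acct_v3` record layout from `<linux/acct.h>` (CONFIG_BSD_PROCESS_ACCT_V3) on a little-endian machine; the helper names and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumption: records use struct acct_v3 from <linux/acct.h>, little-endian:
# flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
# eight 16-bit comp_t counters, then a 16-byte command name (64 bytes total).
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10  # ac_flag bits

def parse_pacct(data):
    """Yield one dict per accounting record found in the raw file contents."""
    if len(data) % ACCT_V3.size:
        raise ValueError("file length is not a multiple of the record size")
    for off in range(0, len(data), ACCT_V3.size):
        rec = ACCT_V3.unpack_from(data, off)
        flag, version, tty, _exit, uid, _gid, pid, ppid, btime = rec[:9]
        if version & 0x7F != 3:
            raise ValueError(f"record at offset {off} is not acct_v3")
        yield {
            # Only the command name is stored: no arguments, no path.
            "comm": rec[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid, "pid": pid, "ppid": ppid, "tty": tty,
            "start": datetime.fromtimestamp(btime, timezone.utc),
            "superuser": bool(flag & ASU),
            "killed_by_signal": bool(flag & AXSIG),
        }

def commands_for(data, uid):
    """Return (start time, command) pairs for one user, oldest first."""
    rows = [(r["start"].isoformat(), r["comm"])
            for r in parse_pacct(data) if r["uid"] == uid]
    return sorted(rows)

def make_record(comm, uid, pid, btime, flag=0):
    """Build one constructed sample record (not real accounting data)."""
    return ACCT_V3.pack(flag, 3, 0, 0, uid, uid, pid, 1, btime, 0.0,
                        *([0] * 8), comm.encode())

# Constructed sample: two commands by uid 1000, one privileged command by root.
SAMPLE = (make_record("vi", 1000, 4001, 1700000000)
          + make_record("rm", 1000, 4002, 1700000060)
          + make_record("passwd", 0, 4003, 1700000100, ASU))

if __name__ == "__main__":
    for when, comm in commands_for(SAMPLE, 1000):
        print(when, comm)
```

Each record carries the command name (at most 16 bytes), the uid, the terminal and the start time, but no arguments, so process accounting shows which programs a user ran rather than exactly what was typed. On a live system the input is the file that accton was told to write, and it should be readable and writable by root only.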

Cristian Draghici
Frequent Advisor

Re: Audit to users

You could use the bash logging patch.
It modifies the history procedure so that everything written in the .bash_history file is also sent via syslog.

Look for "bash syslog" on Google.

One of the results:
http://www.nardware.co.uk/Security/html/bashlogger.htm

c
Alexander Chuzhoy
Honored Contributor

Re: Audit to users

You can also try the tripwire utility, configuring it to track changes only for specific folders.