[ale] Auditing root shells
James P. Kinney III
jkinney at localnetsolutions.com
Mon Sep 19 09:23:31 EDT 2005
There are several that write a secure log either on the current machine
or a remote machine. sudo is the first thing that comes to mind. Be sure
to disable shell access from inside sudo (sudo /bin/sh will defeat the
logging of sudo commands).
The name escapes me but there is a bash (may be others as well) logger
that support a remote "tee" process. Point this to an append-only
file-system on the remote system and you have a solid log of root
activity.
Another easy way is to make the /root directory a separate, append only
partition. This will put the.bash_history in append only mode.
Hmm. That may be a problem as /root needs to be on the same partition
as /bin and /sbin in order to login in runlevel 1 for emergency issues.
RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
1 becomes impossible with out a boot disk, though.
On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
> Guys,
>
> We have a need to capture everything an admin does while logged in as root
> and another power login (postgres). This is driven by a number of forces,
> not the least of which is Sarbanes Oxley.
>
> Are there any tried and true (and secure) auditing solutions that offer
> this capability?
>
> Thanks, as always.
>
> John
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
--
James P. Kinney III \Changing the mobile computing world/
CEO & Director of Engineering \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
More information about the Ale
mailing list