[ale] Auditing root shells

Michael H. Warfield mhw at wittsend.com
Mon Sep 19 12:46:54 EDT 2005


On Mon, 2005-09-19 at 09:23 -0400, James P. Kinney III wrote:
> There are several that write a secure log either on the current machine
> or a remote machine. sudo is the first thing that comes to mind. Be sure
> to disable shell access from inside sudo (sudo /bin/sh will defeat the
> logging of sudo commands).

> The name escapes me but there is a bash (may be others as well) logger
> that support a remote "tee" process. Point this to an append-only
> file-system on the remote system and you have a solid log of root
> activity.

> Another easy way is to make the /root directory a separate, append-only
> partition. This will put the .bash_history in append-only mode.

> Hmm. That may be a problem as /root needs to be on the same partition
> as /bin and /sbin in order to log in in runlevel 1 for emergency issues.

> RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
> 1 becomes impossible without a boot disk, though.

	It's worth noting that this conveys the full capacity of root to that
admin while logging as that user.  This has pluses and minuses.  It
certainly improves accountability.  But you are still left with the
risks from a malicious system administrator (see the article at
<http://peerguardian.sourceforge.net/> and check out what's going on
with "methlabs.org").  It may also break some logging if you are
specifically targeting "root" and not "superuser activity".

	If you are really REALLY serious about keeping tabs on system
administrators, look at Sebek <http://www.honeynet.org/tools/sebek/> and
log activity on another machine not under their control.  Not sure what
your level of need is, so this may be way over the top, but they will be
much less able to dick with this and, if they try, their initial
attempts would be captured even if they eventually circumvent it.

	Mike

> On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
> > Guys,
> > 
> > We have a need to capture everything an admin does while logged in as root
> > and another power login (postgres).  This is driven by a number of forces,
> > not the least of which is Sarbanes Oxley.
> > 
> > Are there any tried and true (and secure) auditing solutions that offer
> > this capability?
> > 
> > Thanks, as always.
> > 
> > John
> > 
> > 
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com  
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
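The warning above that "sudo /bin/sh will defeat the logging of sudo commands" is easy to verify from the logs sudo already writes: the shell itself is logged as one COMMAND= entry and everything the admin types afterwards is not. The script below is an added example (not code from the thread or from the sudo project) that scans standard sudo syslog lines for exactly those invocations: a shell run directly (which is also what sudo -s and sudo -i produce), a shell reached through env, or a program such as vi, less or find that has a shell escape built in. The log lines are constructed for the example, and the program lists are illustrative rather than exhaustive.

```python
"""Flag sudo commands that hand the caller a shell and so escape sudo's
per-command logging.  Added example; the log lines below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Programs that are a shell outright.  sudo -s / sudo -i log as the shell path.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh", "su"}
# Programs with a built-in shell escape (:!sh in vi, !sh in less, find -exec ...).
# Illustrative list, not exhaustive.
ESCAPE_CAPABLE = {"vi", "vim", "less", "more", "man", "find", "awk", "perl", "python"}

# Standard sudo syslog line:
#   sudo:  user : TTY=pts/0 ; PWD=/x ; USER=root ; COMMAND=/bin/sh
# Denied attempts carry "command not allowed" after the user name.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)

@dataclass
class Finding:
    user: str      # who invoked sudo
    target: str    # who they became (root, postgres, ...)
    command: str   # the COMMAND= field
    reason: str    # why this defeats command logging

def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def classify(command: str) -> Optional[str]:
    """Return why this sudo command escapes logging, or None if it looks fine."""
    argv = command.split()
    if not argv:
        return None
    prog = basename(argv[0])
    if prog in SHELLS:
        return "direct shell"
    if prog in ESCAPE_CAPABLE:
        return f"{prog} has a shell escape"
    if prog == "env" and any(basename(a) in SHELLS for a in argv[1:]):
        return "shell via env"
    return None

def scan(log_text: str) -> List[Finding]:
    """Scan syslog text and return every sudo invocation that yields a shell."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        reason = classify(m.group("cmd"))
        if reason is None:
            continue
        if "command not allowed" in line:
            reason += " (denied by sudoers)"   # still worth knowing it was tried
        findings.append(Finding(m.group("user"), m.group("target"),
                                m.group("cmd").strip(), reason))
    return findings

# Constructed sample; host, user and timestamps are made up for the example.
SAMPLE_LOG = """\
Sep 19 09:01:12 db1 sudo:  jkinney : TTY=pts/0 ; PWD=/home/jkinney ; USER=root ; COMMAND=/sbin/service postgresql restart
Sep 19 09:03:40 db1 sudo:  jkinney : TTY=pts/0 ; PWD=/home/jkinney ; USER=root ; COMMAND=/bin/sh
Sep 19 09:05:02 db1 sudo:  jkinney : TTY=pts/0 ; PWD=/home/jkinney ; USER=postgres ; COMMAND=/bin/bash
Sep 19 09:07:55 db1 sudo:  jkinney : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Sep 19 09:09:13 db1 sudo:  jkinney : command not allowed ; TTY=pts/0 ; PWD=/home/jkinney ; USER=root ; COMMAND=/usr/bin/env bash
Sep 19 09:11:30 db1 sudo:  jkinney : TTY=pts/0 ; PWD=/home/jkinney ; USER=root ; COMMAND=/bin/cat /var/log/messages
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.user} -> {f.target}: {f.command}  [{f.reason}]")
```

Two caveats a practitioner would want with this. First, the check has to run on a copy of the log the admin cannot edit (the remote, append-only destination the thread recommends), because an admin who already has a root shell can clean up the local file. Second, trying to close the hole in sudoers with a negation such as "!/bin/sh" does not work, since the admin can copy the shell to another name; the noexec option blocks some of the escape paths (those that exec a new program), but the honest answer is the one given above: log to a machine the admin does not control.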