[ale] Auditing root shells

Christopher Fowler cfowler at outpostsentinel.com
Mon Sep 19 13:19:55 EDT 2005


It might be even possible to modify the exec() function call in the
kernel to do a printk() of all arguments.  This would be noisy on the
console but will audit everything that does an exec().

On Mon, 2005-09-19 at 12:46 -0400, Michael H. Warfield wrote:
> On Mon, 2005-09-19 at 09:23 -0400, James P. Kinney III wrote:
> > There are several that write a secure log either on the current machine
> > or a remote machine. sudo is the first thing that comes to mind. Be sure
> > to disable shell access from inside sudo (sudo /bin/sh will defeat the
> > logging of sudo commands).
> 
> > The name escapes me but there is a bash (may be others as well) logger
> > that support a remote "tee" process. Point this to an append-only
> > file-system on the remote system and you have a solid log of root
> > activity.
> 
> > Another easy way is to make the /root directory a separate, append only
> > partition. This will put the.bash_history in append only mode. 
> 
> > Hmm. That may be a problem as /root needs to be on the same partition
> > as /bin and /sbin in order to login in runlevel 1 for emergency issues.
> 
> > RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
> > 1 becomes impossible with out a boot disk, though.
> 
> 	It's worth noting that this conveys the full capacity of root to that
> admin while logging as that user.  This has pluses and minuses.  It
> certainly improves accountability.  But you are still left with the
> risks from a malicious system administrator (see the article at
> <http://peerguardian.sourceforge.net/> and check out what's going on
> with "methlabs.org").  It may also break some logging if you are
> specifically targeting "root" and not "superuser activity".
> 
> 	If you are really REALLY serious about keeping tabs on system
> administrators, look at Sebek <http://www.honeynet.org/tools/sebek/> and
> log activity on another machine not under their control.  Not sure what
> your level of need is, so this may be way over the top, but they will be
> much less able to dick with this and, if they try, their initial
> attempts would be captured even if they eventually circumvent it.
> 
> 	Mike
> 
> > On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
> > > Guys,
> > > 
> > > We have a need to capture everything an admin does while logged in as root
> > > and another power login (postgres).  This is driven by a number of forces,
> > > not the least of which is Sarbanes Oxley.
> > > 
> > > Are there any tried and true (and secure) auditing solutions that offer
> > > this capability?
> > > 
> > > Thanks, as always.
> > > 
> > > John
> > > 
> > > 
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale




More information about the Ale mailing list