[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[no subject]

Jim's idea of making /root append-only is appealing in that regard 
provided some workaround or, rather, "alternative standard practice" can 
be worked out for the runlevel 1 problem.

I wouldn't be beyond patching the kernel to do the logging and 
establishing a "chain of custody" for running kernels.  This is 
analogous to DEC's SEVMS of olde.

Jeff

James P. Kinney III wrote:

>There are several that write a secure log either on the current machine
>or a remote machine. sudo is the first thing that comes to mind. Be sure
>to disable shell access from inside sudo (sudo /bin/sh will defeat the
>logging of sudo commands).
>
>The name escapes me but there is a bash (may be others as well) logger
>that support a remote "tee" process. Point this to an append-only
>file-system on the remote system and you have a solid log of root
>activity.
>
>Another easy way is to make the /root directory a separate, append only
>partition. This will put the.bash_history in append only mode. 
>
>Hmm. That may be a problem as /root needs to be on the same partition
>as /bin and /sbin in order to login in runlevel 1 for emergency issues.
>
>RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
>1 becomes impossible with out a boot disk, though.
>
>On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
>  
>
>>Guys,
>>
>>We have a need to capture everything an admin does while logged in as root
>>and another power login (postgres).  This is driven by a number of forces,
>>not the least of which is Sarbanes Oxley.
>>
>>Are there any tried and true (and secure) auditing solutions that offer
>>this capability?
>>
>>Thanks, as always.
>>
>>John
>>
>>
>>_______________________________________________
>>Ale mailing list
>>Ale at ale.org
&gt;&gt;<a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
&gt;&gt;    
&gt;&gt;
&gt;&gt;------------------------------------------------------------------------
&gt;&gt;
&gt;&gt;_______________________________________________
&gt;&gt;Ale mailing list
&gt;&gt;Ale at ale.org
&gt;&gt;<a  rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
&gt;&gt;



</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<ul><li><strong>Follow-Ups</strong>:
<ul>
<li><strong><a name="00416" href="msg00416.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> cfowler at outpostsentinel.com (Christopher Fowler)</li></ul></li>
</ul></li></ul>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00407" href="msg00407.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> jb at sourceillustrated.com (John Wells)</li></ul></li>
<li><strong><a name="00411" href="msg00411.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00406.html">[ale] hald</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00407.html">[ale] Auditing root shells</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00411.html">[ale] Auditing root shells</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00416.html">[ale] Auditing root shells</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00414"><strong>Date</strong></a></li>
<li><a href="threads.html#00414"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>