<ul>
<li><em>date</em>: Mon, 19 Sep 2005 09:52:10 -0400</li>
<li><em>from</em>: cfowler at outpostsentinel.com (Christopher Fowler)</li>
<li><em>in-reply-to</em>: <<a href="msg00414.html">[email protected]</a>></li>
<li><em>references</em>: <<a href="msg00407.html">[email protected]</a>> <<a href="msg00411.html">[email protected]</a>> <<a href="msg00414.html">[email protected]</a>></li>
<li><em>subject</em>: [ale] Auditing root shells</li>
</ul>
One suggestion is to write a logging daemon that always runs.
Symlink /root/.bash_history -> /dev/log_daemon_pipe.
Then it writes all data from that pipe to syslog, which you are remote
syslogging.
You need to figure out how to keep the daemon up and how to get bash to
not cache history. It needs to write to the file before it exec()s any
commands.
I had a project like this and I simply just edited the shell to do all
the logging for me. Everything was sent to the security facility of
syslog.
On Mon, 2005-09-19 at 09:40 +0000, Jeff Hubbs wrote:
> One thing that occurs to me is that if you've got to do this logging, it
> needs to be incontrovertible or it's no good. If it can be casually
> switched off and on, then the logs mean nothing.
>
> Jim's idea of making /root append-only is appealing in that regard
> provided some workaround or, rather, "alternative standard practice" can
> be worked out for the runlevel 1 problem.
>
> I wouldn't be beyond patching the kernel to do the logging and
> establishing a "chain of custody" for running kernels. This is
> analogous to DEC's SEVMS of olde.
>
> Jeff
>
> James P. Kinney III wrote:
>
> >There are several that write a secure log either on the current machine
> >or a remote machine. sudo is the first thing that comes to mind. Be sure
> >to disable shell access from inside sudo (sudo /bin/sh will defeat the
> >logging of sudo commands).
> >
> >The name escapes me but there is a bash (may be others as well) logger
> >that supports a remote "tee" process. Point this to an append-only
> >file-system on the remote system and you have a solid log of root
> >activity.
> >
> >Another easy way is to make the /root directory a separate, append-only
> >partition. This will put the .bash_history in append-only mode.
> >
> >Hmm. That may be a problem as /root needs to be on the same partition
> >as /bin and /sbin in order to log in in runlevel 1 for emergency issues.
> >
> >RedHat recommends making the root shell /bin/nologin and using sudo. Runlevel
> >1 becomes impossible without a boot disk, though.
> >
> >On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
> >
> >
> >>Guys,
> >>
> >>We have a need to capture everything an admin does while logged in as root
> >>and another power login (postgres). This is driven by a number of forces,
> >>not the least of which is Sarbanes Oxley.
> >>
> >>Are there any tried and true (and secure) auditing solutions that offer
> >>this capability?
> >>
> >>Thanks, as always.
> >>
> >>John
> >>
> >>
> >>_______________________________________________
> >>Ale mailing list
> >>Ale at ale.org
> >><a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
</pre>
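The pipe-to-syslog daemon Christopher sketches, written out as an added example; this is not code from the thread or from any of the posters. It assumes the FIFO lives at /dev/log_daemon_pipe as in the post, tags records as `root-shell-audit`, and sends them to the authpriv facility as the nearest modern equivalent of the post's "security" facility; the record layout, function names and the `#<epoch>` handling (bash's history-file timestamp lines when HISTTIMEFORMAT is set) are this example's own choices. It also assumes the bash side has been made to write each command as it is entered, for instance from a DEBUG trap, rather than relying on the history cache.

```python
"""Added example, not code from the ALE thread: a FIFO-backed command
forwarder in the shape Christopher Fowler describes.  Paths, the syslog
tag and the record format are this example's own assumptions."""
import os
import re
import stat
import time
from typing import Callable, Iterable, Iterator, Optional

try:
    import syslog                      # Unix only; the parsing below does not need it
except ImportError:                    # pragma: no cover
    syslog = None

FIFO_PATH = "/dev/log_daemon_pipe"     # pipe name from the post; location assumed
IDENT = "root-shell-audit"             # assumed syslog tag

# bash writes a "#<epoch>" line before each command when HISTTIMEFORMAT is set.
_HIST_TS = re.compile(r"^#(\d+)$")


def make_fifo(path: str, mode: int = 0o600) -> None:
    """Create the FIFO root-only.  A pipe carries no sender identity, so
    anything that can write to it can forge records; the mode matters as
    much as the symlink does."""
    if os.path.exists(path):
        if not stat.S_ISFIFO(os.stat(path).st_mode):
            raise RuntimeError(f"{path} exists and is not a FIFO")
        os.chmod(path, mode)
        return
    os.mkfifo(path, mode)


def format_record(command: str, when: int, user: str) -> str:
    """One single-line syslog message per command.  Backslashes, CR and LF
    inside the command are escaped so a command cannot forge a second log
    line (or make a real one look like two)."""
    cmd = (command.rstrip("\n")
           .replace("\\", "\\\\")
           .replace("\r", "\\r")
           .replace("\n", "\\n"))
    return f"user={user} ts={when} cmd={cmd}"


def forward(lines: Iterable[str], sink: Callable[[str], None],
            user: str = "root",
            clock: Callable[[], int] = lambda: int(time.time())) -> int:
    """Turn history-style lines into audit records and hand each to `sink`.
    Returns the number of records emitted.  Blank lines are dropped and
    '#<epoch>' timestamp lines are folded into the following command
    instead of being logged on their own."""
    pending_ts: Optional[int] = None
    count = 0
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = _HIST_TS.match(line)
        if m:
            pending_ts = int(m.group(1))
            continue
        when = pending_ts if pending_ts is not None else clock()
        pending_ts = None
        sink(format_record(line, when, user))
        count += 1
    return count


def tail_fifo(path: str) -> Iterator[str]:
    """Read the FIFO forever.  open() blocks until a writer appears and the
    inner loop ends when that writer closes, so the daemon reopens instead
    of exiting: that is the 'always runs' requirement from the post."""
    while True:
        with open(path, "r", errors="replace") as fifo:
            for line in fifo:
                yield line


def syslog_sink(msg: str) -> None:
    """Ship one record to the local syslog, which is then forwarded remotely."""
    if syslog is None:
        raise RuntimeError("syslog module unavailable on this platform")
    syslog.syslog(syslog.LOG_AUTHPRIV | syslog.LOG_INFO, msg)


def main() -> None:
    make_fifo(FIFO_PATH)
    if syslog is not None:
        syslog.openlog(ident=IDENT, facility=syslog.LOG_AUTHPRIV)
    forward(tail_fifo(FIFO_PATH), syslog_sink)


if __name__ == "__main__":
    main()
```

Two practical caveats for this design. A FIFO blocks on both sides: if the daemon dies, the shell's next write into the pipe hangs, and bash reads $HISTFILE at login, so a blocking open of the symlinked FIFO for reading waits for a writer that may never come. Leaving HISTFILE alone and writing each command from the shell (for example a `trap` on DEBUG that echoes `$BASH_COMMAND` into the pipe) is less fragile than the symlink itself. And, as Jeff says above, whoever is root can unset that trap, so the record is only as strong as the remote syslog copy and the controls that keep the trap in place.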
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00407" href="msg00407.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> jb at sourceillustrated.com (John Wells)</li></ul></li>
<li><strong><a name="00411" href="msg00411.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
<li><strong><a name="00414" href="msg00414.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> hbbs at comcast.net (Jeff Hubbs)</li></ul></li>
</ul></li></ul>
</body>
</html>