[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
- <!--x-content-type: text/plain -->
- <!--x-date: Mon, 19 Sep 2005 13:19:55 -0400 -->
- <!--x-from-r13: psbjyre ng bhgcbfgfragvary.pbz (Quevfgbcure Tbjyre) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: [email protected] --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] Auditing root shells -->
- <li><em>date</em>: Mon, 19 Sep 2005 13:19:55 -0400</li>
- <li><em>from</em>: cfowler at outpostsentinel.com (Christopher Fowler)</li>
- <li><em>in-reply-to</em>: <<a href="msg00427.html">[email protected]</a>></li>
- <li><em>references</em>: <<a href="msg00407.html">[email protected]</a>> <<a href="msg00411.html">[email protected]</a>> <<a href="msg00427.html">[email protected]</a>></li>
- <li><em>subject</em>: [ale] Auditing root shells</li>
On Mon, 2005-09-19 at 12:46 -0400, Michael H. Warfield wrote:
> On Mon, 2005-09-19 at 09:23 -0400, James P. Kinney III wrote:
> > There are several that write a secure log either on the current machine
> > or a remote machine. sudo is the first thing that comes to mind. Be sure
> > to disable shell access from inside sudo (sudo /bin/sh will defeat the
> > logging of sudo commands).
>
> > The name escapes me but there is a bash (may be others as well) logger
> > that support a remote "tee" process. Point this to an append-only
> > file-system on the remote system and you have a solid log of root
> > activity.
>
> > Another easy way is to make the /root directory a separate, append only
> > partition. This will put the.bash_history in append only mode.
>
> > Hmm. That may be a problem as /root needs to be on the same partition
> > as /bin and /sbin in order to login in runlevel 1 for emergency issues.
>
> > RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
> > 1 becomes impossible with out a boot disk, though.
>
> It's worth noting that this conveys the full capacity of root to that
> admin while logging as that user. This has pluses and minuses. It
> certainly improves accountability. But you are still left with the
> risks from a malicious system administrator (see the article at
> <<a rel="nofollow" href="http://peerguardian.sourceforge.net/";>http://peerguardian.sourceforge.net/</a>> and check out what's going on
> with "methlabs.org"). It may also break some logging if you are
> specifically targeting "root" and not "superuser activity".
>
> If you are really REALLY serious about keeping tabs on system
> administrators, look at Sebek <<a rel="nofollow" href="http://www.honeynet.org/tools/sebek/";>http://www.honeynet.org/tools/sebek/</a>> and
> log activity on another machine not under their control. Not sure what
> your level of need is, so this may be way over the top, but they will be
> much less able to dick with this and, if they try, their initial
> attempts would be captured even if they eventually circumvent it.
>
> Mike
>
> > On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
> > > Guys,
> > >
> > > We have a need to capture everything an admin does while logged in as root
> > > and another power login (postgres). This is driven by a number of forces,
> > > not the least of which is Sarbanes Oxley.
> > >
> > > Are there any tried and true (and secure) auditing solutions that offer
> > > this capability?
> > >
> > > Thanks, as always.
> > >
> > > John
> > >
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00407" href="msg00407.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> jb at sourceillustrated.com (John Wells)</li></ul></li>
<li><strong><a name="00411" href="msg00411.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> jkinney at localnetsolutions.com (James P. Kinney III)</li></ul></li>
<li><strong><a name="00427" href="msg00427.html">[ale] Auditing root shells</a></strong>
<ul><li><em>From:</em> mhw at wittsend.com (Michael H. Warfield)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00428.html">[ale] Auditing root shells</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00430.html">[ale] Sync a Palm Tungsten T5 with Linux</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00427.html">[ale] Auditing root shells</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00417.html">[ale] Auditing root shells</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00429"><strong>Date</strong></a></li>
<li><a href="threads.html#00429"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>