[ale] Auditing root shells

James P. Kinney III jkinney at localnetsolutions.com
Mon Sep 19 09:23:31 EDT 2005


There are several that write a secure log either on the current machine
or a remote machine. sudo is the first thing that comes to mind. Be sure
to disable shell access from inside sudo (sudo /bin/sh will defeat the
logging of sudo commands).

The name escapes me but there is a bash (may be others as well) logger
that support a remote "tee" process. Point this to an append-only
file-system on the remote system and you have a solid log of root
activity.

Another easy way is to make the /root directory a separate, append only
partition. This will put the.bash_history in append only mode. 

Hmm. That may be a problem as /root needs to be on the same partition
as /bin and /sbin in order to login in runlevel 1 for emergency issues.

RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
1 becomes impossible with out a boot disk, though.

On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
> Guys,
> 
> We have a need to capture everything an admin does while logged in as root
> and another power login (postgres).  This is driven by a number of forces,
> not the least of which is Sarbanes Oxley.
> 
> Are there any tried and true (and secure) auditing solutions that offer
> this capability?
> 
> Thanks, as always.
> 
> John
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part




More information about the Ale mailing list