[ale] Auditing root shells
Christopher Fowler
cfowler at outpostsentinel.com
Mon Sep 19 13:19:55 EDT 2005
It might be even possible to modify the exec() function call in the
kernel to do a printk() of all arguments. This would be noisy on the
console but will audit everything that does an exec().
On Mon, 2005-09-19 at 12:46 -0400, Michael H. Warfield wrote:
> On Mon, 2005-09-19 at 09:23 -0400, James P. Kinney III wrote:
> > There are several that write a secure log either on the current machine
> > or a remote machine. sudo is the first thing that comes to mind. Be sure
> > to disable shell access from inside sudo (sudo /bin/sh will defeat the
> > logging of sudo commands).
>
> > The name escapes me but there is a bash (may be others as well) logger
> > that support a remote "tee" process. Point this to an append-only
> > file-system on the remote system and you have a solid log of root
> > activity.
>
> > Another easy way is to make the /root directory a separate, append only
> > partition. This will put the.bash_history in append only mode.
>
> > Hmm. That may be a problem as /root needs to be on the same partition
> > as /bin and /sbin in order to login in runlevel 1 for emergency issues.
>
> > RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
> > 1 becomes impossible with out a boot disk, though.
>
> It's worth noting that this conveys the full capacity of root to that
> admin while logging as that user. This has pluses and minuses. It
> certainly improves accountability. But you are still left with the
> risks from a malicious system administrator (see the article at
> <http://peerguardian.sourceforge.net/> and check out what's going on
> with "methlabs.org"). It may also break some logging if you are
> specifically targeting "root" and not "superuser activity".
>
> If you are really REALLY serious about keeping tabs on system
> administrators, look at Sebek <http://www.honeynet.org/tools/sebek/> and
> log activity on another machine not under their control. Not sure what
> your level of need is, so this may be way over the top, but they will be
> much less able to dick with this and, if they try, their initial
> attempts would be captured even if they eventually circumvent it.
>
> Mike
>
> > On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
> > > Guys,
> > >
> > > We have a need to capture everything an admin does while logged in as root
> > > and another power login (postgres). This is driven by a number of forces,
> > > not the least of which is Sarbanes Oxley.
> > >
> > > Are there any tried and true (and secure) auditing solutions that offer
> > > this capability?
> > >
> > > Thanks, as always.
> > >
> > > John
> > >
> > >
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://www.ale.org/mailman/listinfo/ale
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://www.ale.org/mailman/listinfo/ale
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
More information about the Ale
mailing list