[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: help- auditing sys admin commands



On Thursday, December 01, 2011 10:12:48 PM MS PRAVEEN wrote:
> Can some body help me here to find a rule/ solution to audit only commands
> are its arguments executed by users and  root . I dont need any more other
> events audited  since that can fill my free space .

Well, the problem is how can you tell a command being executed from a script calling 
various programs? Also how can you tell that a file being sourced is a command? (I 
think in that case a file is opened for read and the shell executes it.) I think the 
bottom line is its pretty hard to tell.

So, what we have is key stroke logging. This gets more than commands, but wouldn't you 
want to log what people do if its that important? If someone knew that only commands 
are being logged, they could start python and just start typing commands which won't 
be otherwise logged. There is a man page for this, pam_tty_audit.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]