help- auditing sys admin commands
Steve Grubb
sgrubb at redhat.com
Fri Dec 2 13:48:37 UTC 2011
On Thursday, December 01, 2011 10:12:48 PM MS PRAVEEN wrote:
> Can somebody help me here to find a rule/solution to audit only commands
> and their arguments executed by users and root. I don't need any other
> events audited since that can fill my free space.
Well, the problem is how can you tell a command being executed from a script calling
various programs? Also, how can you tell that a file being sourced is a command? (I
think in that case a file is opened for read and the shell executes it.) I think the
bottom line is it's pretty hard to tell.
So, what we have is keystroke logging. This gets more than commands, but wouldn't you
want to log what people do if it's that important? If someone knew that only commands
are being logged, they could start python and just start typing commands which won't
be otherwise logged. There is a man page for this, pam_tty_audit.
-Steve
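An added example, not from the thread or from the audit project, showing what the keystroke logging Steve refers to actually produces: a small Python parser for the raw TTY records that pam_tty_audit writes to the audit log, run over two constructed records. The key=value layout and the hex-encoded data= field follow the audit record format; every value in the samples is made up.

```python
import re

# Constructed sample records in the raw (un-interpreted) form that pam_tty_audit
# writes to /var/log/audit/audit.log; the data= field is the hex-encoded bytes typed.
SAMPLE_RECORDS = [
    'type=TTY msg=audit(1322836117.201:4121): tty pid=2817 uid=0 auid=1000 ses=3 '
    'major=136 minor=1 comm="bash" data=6C73202D6C202F6574630D',
    'type=TTY msg=audit(1322836140.556:4130): tty pid=2900 uid=0 auid=1000 ses=3 '
    'major=136 minor=1 comm="python" data=696D706F7274206F730D',
]

# Generic key=value tokenizer for audit records; quoted values are unquoted below.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_tty_record(line):
    """Return a dict of fields plus decoded keystrokes for a TTY record, else None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get('type') != 'TTY' or 'data' not in fields:
        return None
    raw = bytes.fromhex(fields['data'])
    # Enter arrives as a carriage return on a tty; map it to a newline for display.
    fields['keys'] = raw.decode('utf-8', errors='replace').replace('\r', '\n')
    return fields


def keystrokes_by_login(lines):
    """Group decoded keystrokes by login uid (auid) and audit session.

    auid is the uid the user logged in with and survives su/sudo to root, so the
    uid=0 activity in the samples is still attributed to the user who logged in
    as uid 1000. Note the second record: what was typed into python is captured
    too, which is the point of logging keystrokes rather than only commands.
    """
    sessions = {}
    for line in lines:
        rec = parse_tty_record(line)
        if rec is None:
            continue
        key = (rec['auid'], rec.get('ses', '?'))
        sessions.setdefault(key, []).append((rec['comm'], rec['keys']))
    return sessions


if __name__ == '__main__':
    for (auid, ses), entries in keystrokes_by_login(SAMPLE_RECORDS).items():
        print(f'auid={auid} ses={ses}')
        for comm, keys in entries:
            print(f'  [{comm}] {keys!r}')
```

On a real system `ausearch -m TTY -i` or `aureport --tty` perform this decoding for you; the parser above only shows what is in the records.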