users logs

George Magklaras georgios at biotek.uio.no
Thu Jun 11 07:46:38 UTC 2009


A suitably configured execve log wrapper will log all commands executed 
by the user, including clever ways to script/encapsulate commands in 
editor sessions. What it will not do however is to show what exactly 
happens to the files. For that we are building (University of Plymouth) 
a new engine.

GM

Marti, Rob wrote:
> My problem with many of the attempts at logging the commands a user runs (and I haven't looked at yours George, so if yours does this then ignore me :) is they don't take things like vim into account.  If you vim a file, you can launch a shell from within that vim session and not have any of the normal logging process.  The bash auditing that RH set up for RHEL5 logs every keystroke, in and out of vim, etc.
> 
> Now, I'm not saying that I'd peruse these logs daily.  They'd only be of any use after the fact on any system that gets any real use.  And, to make sure that none of the data is corrupted remote logging is required.
> 
> Rob Marti
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of George Magklaras
> Sent: Wednesday, June 10, 2009 8:01 AM
> To: General Red Hat Linux discussion list
> Subject: Re: users logs
> 
> I have read your request and followed a bit the rather long thread. One 
> way to tackle this issue, addressing the bad folk within and beyond is 
> to use an execve logger. You might find my MPhil thesis interesting:
> 
> http://folk.uio.no/georgios/papers/magklarasmphilthesis.pdf
> 
> Page 202 of the Appendix contains sample code employing an execve 
> logging wrapper. What this does is to give you all the commands execv-ed 
> per user ID and dump them via syslogd to a suitable location. Collecting 
> shell history files is not a good idea because it might omit important 
> info and a simple text file is easily erasable by someone who is serious 
> about covering his tracks. A log wrapper is not immune to a skilled 
> attacker determined to cover his/her tracks but it is more difficult to 
> circumvent. This should give you commands and arguments.
> 
> Be warned however that on a very busy system, this can I/O starve your 
> machine. In fact, I am re-writing the wrapper calls to address these issues.
> 
> Hope this helps.
> 

-- 
George Magklaras BSc Hons MPhil
RHCE:805008309135525

Senior Computer Systems Engineer/UNIX-Linux Systems Administrator
EMBnet Technical Management Board
The Biotechnology Centre of Oslo,
University of Oslo
http://folk.uio.no/georgios

Tel: +47-22840535
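
Rob's concern above, a shell launched from inside vim, is exactly the case a per-process execve log (uid, pid, ppid, image, arguments) lets you pick out after the fact. The following is an added example, not code from this thread or from the thesis; it assumes a constructed syslog line format (`execlog: uid= pid= ppid= exe= argv=`), since the wrapper's real output format is not shown here, and flags any shell whose parent chain passes through an editor.

```python
import re
from typing import Dict, List, Optional

# Constructed line format for this example only; adapt LOG_RE to what your own wrapper emits.
LOG_RE = re.compile(
    r'execlog: uid=(?P<uid>\d+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'exe=(?P<exe>\S+) argv="(?P<argv>[^"]*)"'
)
EDITORS = {"vim", "vi", "nano", "emacs", "less", "more"}
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}
# Constructed sample: uid 1001 opens vim, then runs a shell from inside it.
SAMPLE_LOG = """\
Jun 11 07:40:01 host execlog: uid=1001 pid=4300 ppid=4200 exe=/bin/bash argv="-bash"
Jun 11 07:46:38 host execlog: uid=1001 pid=4321 ppid=4300 exe=/usr/bin/vim argv="vim /etc/hosts"
Jun 11 07:47:02 host execlog: uid=1001 pid=4330 ppid=4321 exe=/bin/bash argv="/bin/bash -c ls -la /root"
Jun 11 07:47:05 host execlog: uid=1001 pid=4331 ppid=4330 exe=/bin/ls argv="ls -la /root"
Jun 11 07:50:00 host execlog: uid=1002 pid=4400 ppid=4390 exe=/bin/bash argv="bash"
"""

def parse_line(line: str) -> Optional[dict]:
    """Return one execve record, or None when the line is not an execlog entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("uid", "pid", "ppid"):
        rec[key] = int(rec[key])
    return rec

def find_editor_spawned_shells(lines: List[str]) -> List[dict]:
    """Flag shells whose parent chain (as far as the log shows it) passes through an editor."""
    by_pid: Dict[int, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pid[rec["pid"]] = rec  # a pid that execs several times keeps its latest image
    hits = []
    for rec in by_pid.values():
        if rec["exe"].rsplit("/", 1)[-1] not in SHELLS:
            continue
        seen, parent = set(), by_pid.get(rec["ppid"])
        # Stop when the parent pre-dates the log (not in by_pid) or the chain loops.
        while parent and parent["pid"] not in seen:
            seen.add(parent["pid"])
            if parent["exe"].rsplit("/", 1)[-1] in EDITORS:
                hits.append({"uid": rec["uid"], "pid": rec["pid"],
                             "editor": parent["exe"], "argv": rec["argv"]})
                break
            parent = by_pid.get(parent["ppid"])
    return hits
```

Run it over the syslog destination the wrapper writes to; the uid 1002 shell is not flagged because its parent was never logged, which is the usual case for login shells started before the logger.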
