User Auditing

[Zbynek Vymazal]

Hi Rob,

I'm logging command history of every user to remote syslog server. It requires two steps on client side:

1) Add following function to /etc/profile:

function history_to_syslog
{
   declare command
   command=$(fc -ln -0)
   logger -p local7.notice -t bash -i -- $USER : $command
}
trap history_to_syslog DEBUG

2) Configure local syslog to resend logs to remote syslog (/etc/syslog-ng/syslog-ng.conf):

# Send local messages to central syslog server

filter f_filter7   { facility(local7); };
destination d_syslog_server { udp(xxx.xxx.xxx.xxx); };
log { source(s_sys); filter(f_filter7); destination(d_syslog_server); };

Best regards,

Zbynek Vymazal

-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Rob DeSanno
Sent: Thursday, September 23, 2010 15:40
To: General Red Hat Linux discussion list
Subject: User Auditing

This should be an easy question.

I use Logwatch on all of my RHEL servers and would like for it to also
report on all commands that any user had typed when logged in as well.
Something along the lines of UID: Command to give me an idea of who was
doing what at any given period of time.

I tried using snoopy but that gave me much more than I was looking for. I'm
now playing around with psacct and logger but was curious to know what
everyone else out there uses to monitor user activity besides looking into
everyone history file.

Thanks in advance!
~Rob
-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list