On Mon, Jan 11, 2010 at 12:50 PM, m.roth@5-cent.us wrote:
Hi, this is my first message to this list and I hope that this is the correct place to post it, isn't it? If it is not, please tell me. So, thanks in advance.
For auditing purposes, I want to log on a server all the users' commands and all their arguments [0] using audit (and if someone has a better idea, I'm all ears!). I was reading over the internet and Fedora-related posts and I found [1] that the best way to log users' commands is to add a filter for the execve system call.
<snip> You want to log all users' commands, all the time?
Yes.
What's the point?
It's a production server with users running commands and I need the command history of everyone, for example if something goes wrong (besides the auditing part that I need).
If you have more than a few users, there is no way you'll ever be able to find anything, since you'll be buried under dozens of commands per user per hour. And your filesystems with the logfiles will fill up really fast, since you want to log the full commands (with pathnames in them), but also the audit messages.
I now have, with 30~40 users, more or less 50~60 MB per day. Anyway, you can rotate the log file and it has a big compression ratio.
That's not the point - you'll get logfiles that are many megs large, every day. How do you think you'll find what you don't like?
Unless you don't trust any of your users, this is a pointless exercise in pretend security.
No, I can't trust all the users, I need some extra security.
Do these users have root logins? Or do they only have sudo? If the latter, that's already being logged in /var/log/secure. If the former, and they're not trained admins, this is the first thing you need to change, long before you worry about logging. NO ORDINARY USERS should *ever* have root login.
PS: you replied only to me.
ARGH! I HATE MAILING LISTS THAT ARE CONFIGURED SO THAT <REPLY> DOES *N*O*T* GO TO THE MAILING LIST.
mark
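An execve rule of the kind the original poster describes makes auditd write a SYSCALL record and an EXECVE record per command, and the two have to be joined on the event serial before the log can be searched by user. The Python parser below is an added example, not code from this thread; it runs over a constructed two-event sample (the rule key `user-cmds`, the UIDs and the commands are made up) and also decodes the hex form auditd uses for arguments that contain spaces.

```python
import re
from collections import defaultdict

# Constructed sample: the record pairs auditd writes for two execve() calls that
# matched a rule like `-a always,exit -F arch=b64 -S execve -k user-cmds`.
# auditd hex-encodes any argument containing spaces or control characters (a1 below).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1263238200.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=7fff1 a1=7fff2 a2=7fff3 items=2 ppid=1234 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="grep" exe="/bin/grep" key="user-cmds"
type=EXECVE msg=audit(1263238200.123:4567): argc=3 a0="grep" a1=726F6F7420 a2="/etc/passwd"
type=SYSCALL msg=audit(1263238200.456:4570): arch=c000003e syscall=59 success=yes exit=0 a0=7fff1 a1=7fff2 a2=7fff3 items=2 ppid=1234 pid=1241 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="user-cmds"
type=EXECVE msg=audit(1263238200.456:4570): argc=2 a0="cat" a1="/etc/shadow"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ')
FIELD_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_value(raw):
    """Unquote a quoted field, or decode auditd's uppercase-hex encoding of an unsafe string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def parse_events(log_text):
    """Group records by audit serial number so the SYSCALL and EXECVE of one event sit together."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (or a line we cannot attribute to an event)
        rtype, _ts, serial = m.groups()
        events[int(serial)][rtype] = dict(FIELD_RE.findall(line[m.end():]))
    return events


def reconstruct_commands(log_text, key='user-cmds'):
    """Return (auid, uid, exe, argv) for each complete execve event tagged with `key`, oldest first."""
    commands = []
    for _serial, ev in sorted(parse_events(log_text).items()):
        sc, ex = ev.get('SYSCALL'), ev.get('EXECVE')
        if not sc or not ex or decode_value(sc.get('key', '')) != key:
            continue  # incomplete event, or one produced by a different rule
        # Note: arguments so long that auditd splits them into a<i>[0], a<i>[1], ... are not joined here.
        argv = [decode_value(ex[f'a{i}']) for i in range(int(ex['argc']))]
        commands.append((int(sc['auid']), int(sc['uid']), decode_value(sc['exe']), argv))
    return commands
```

The auid (login UID) survives su/sudo, so it is the field to filter on when the question is "who typed this", which is also what makes the volume problem above tractable: search by auid and key, not by reading the raw file.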