LogAnalysis
[logs] How to log - commands and file access
>
> Hello,
>
> I want to know, for a customer, how to log automatically on UNIX and Linux
> systems:
> - all commands executed (in BASH, ZSH & co ...). I know about the file
> ~/.(ba)sh_history but I prefer a global file or through syslog.
> - all file access by process and username in real-time (not static) or if
> it's not possible, which process and username access some files (or
> directories) like /etc/shadow, /data/ ...
>
Depending on the OS and its capabilities, you can do so through
various 'auditing' programs. For most modern Linux(s) you can
accomplish part of this via
1) lastcomm (via psacct program)
2) audit
3) creating a policy that will cover the files you want.
> Regards,
> ----------------------------------------------------------------------
> David Bigot - Consultant sécurité
> Apogée Communications - Groupe DEVOTEAM
> 86, rue Anatole France
> 92300 Levallois-Perret
> téléphone: ()1.41.49.58.04
> email: david.bigot (at) apogee-com (dot) fr [email concealed]
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
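
For the "audit" option named in the reply above, an added example (not part of the original thread) that answers "which process and username accessed /etc/shadow" by correlating SYSCALL and PATH records from the Linux audit log. The log lines are constructed samples, and the rule keys `shadow-access` and `cmd-exec` are hypothetical names assumed to come from rules such as `auditctl -w /etc/shadow -p rwa -k shadow-access`.

```python
import re
from collections import defaultdict

# Constructed sample records in Linux audit.log layout (not captured from a real host).
# Assumed rule for the first two events: auditctl -w /etc/shadow -p rwa -k shadow-access
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1194600000.123:101): arch=c000003e syscall=2 success=yes exit=3 ppid=2000 pid=2001 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="shadow-access"
type=PATH msg=audit(1194600000.123:101): item=0 name="/etc/shadow" inode=1234 mode=0100400
type=SYSCALL msg=audit(1194600050.456:102): arch=c000003e syscall=2 success=no exit=-13 ppid=2100 pid=2101 auid=1001 uid=1001 comm="less" exe="/usr/bin/less" key="shadow-access"
type=PATH msg=audit(1194600050.456:102): item=0 name="/etc/shadow" inode=1234 mode=0100400
type=SYSCALL msg=audit(1194600090.789:103): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2102 auid=1001 uid=1001 comm="ls" exe="/bin/ls" key="cmd-exec"
type=PATH msg=audit(1194600090.789:103): item=0 name="/bin/ls" inode=99 mode=0100755
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial number; one event spans several record types."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[int(serial)]
        ev["time"] = float(ts)
        if rtype == "SYSCALL":
            ev.update(fields)  # who (auid/uid), what (exe), outcome (success)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    return dict(events)

def accesses(text, watched, key=None):
    """Return (serial, auid, uid, exe, success) for events touching `watched`."""
    hits = []
    for serial, ev in sorted(parse_events(text).items()):
        if watched in ev["paths"] and (key is None or ev.get("key") == key):
            hits.append((serial, ev.get("auid"), ev.get("uid"),
                         ev.get("exe"), ev.get("success")))
    return hits

if __name__ == "__main__":
    for hit in accesses(SAMPLE_LOG, "/etc/shadow"):
        print(hit)
```

The `auid` field is the login UID, which stays fixed across `su` or `sudo`, so it identifies the original user even when `uid` is 0.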