Focus on Linux
root shell auditing Jul 28 2008 01:34PM
Mars Gobetti (erresei6 libero it) (6 replies)
Re: root shell auditing Jul 30 2008 04:34PM
JW (jw mailsw com)
RE: root shell auditing Jul 30 2008 11:15AM
THORNTON Simon (Simon THORNTON swift com)
Re: root shell auditing Jul 29 2008 02:11PM
Diego Lacerda (diegolacerda gmail com) (1 replies)
Re: root shell auditing Jul 31 2008 09:24AM
Hari Sekhon (hpsekhon googlemail com) (2 replies)
Re: root shell auditing Aug 04 2008 01:09PM
Marian Rudzynski (mr impaled org) (1 replies)
Re: root shell auditing Aug 04 2008 01:30PM
Hari Sekhon (hpsekhon googlemail com) (1 replies)
Re: root shell auditing Aug 05 2008 05:18PM
Glynn Clements (glynn gclements plus com) (1 replies)
Re: root shell auditing Aug 06 2008 08:10AM
Hari Sekhon (hpsekhon googlemail com)
Re: root shell auditing Aug 04 2008 10:46AM
Philip Turner (p turner newman ac uk) (1 replies)
Re: root shell auditing Aug 05 2008 02:01PM
Hari Sekhon (hpsekhon googlemail com)
Re: root shell auditing Jul 29 2008 10:01AM
TJ Easter (tjeaster gmail com) (2 replies)
Re: root shell auditing Jul 31 2008 08:54AM
Hari Sekhon (hpsekhon googlemail com)
RE: root shell auditing Jul 30 2008 07:28AM
Dan Hanman (dan hanman regencyitc co uk)
Re: root shell auditing Jul 29 2008 09:07AM
Huzeyfe ONAL(Gmail) (huzeyfe onal gmail com)
Re: root shell auditing Jul 29 2008 09:07AM
Tim Brown (tmb 65535 com)
On Monday 28 July 2008 14:34:12 Mars Gobetti wrote:
> In an effort to comply with ISO 27001, WebTrust and other security
> certifications I need to audit root shell usage on many Linux servers:
> every bash command entered in the shell, with timestamps, and possibly
> logging to a remote server. Which is the best (enterprise class) way to do
> that?
>
> Currently in our environment administrators get root shell access using
> sudo -i. Do I need to change this? I've seen around sudosh (which does the job
> locally), then Enterprise Audit Shell, but it seems to me these projects are
> not active any more. Will FreeIPA be an answer?
>
> Thank you,
>
> Mars Gobetti

I've deployed eTrust AC on large Unix estates for this purpose. Like sudo, but
rules are enforced at the kernel level. Auditing can be applied to many
object classes including files, services, privileges, etc. Combine it with
eTrust Audit and you can aggregate logs and perform correlation, etc. It is,
however, quite expensive.

Cheers,
Tim
--
Tim Brown
<mailto:tmb (at) 65535 (dot) com [email concealed]>

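The question asks for every interactive root shell command to be recorded with a timestamp and shipped off-host. The snippet below is an added example and is not from the thread, from sudosh, Enterprise Audit Shell, FreeIPA or eTrust AC: it shows the lightweight shell-side approach, a bash PROMPT_COMMAND hook that hands each command to syslog so rsyslog can forward it to a collector. The function names, the `bash-audit` tag, the `local6` facility and the `collector.example.com` host are assumptions chosen for the example.

```shell
#!/bin/bash
# Added example (not from the thread): log every interactive root shell command
# with a timestamp and hand it to syslog so rsyslog can ship it off-host.
# Assumptions: bash with history enabled, util-linux `logger`, and an rsyslog
# forwarding rule such as   local6.*  @@collector.example.com:514   (placeholder host).

AUDIT_FACILITY="${AUDIT_FACILITY:-local6.notice}"   # syslog facility.priority (assumed)
AUDIT_SINK="${AUDIT_SINK:-}"                        # if set, append to this file instead of syslog

# Build one audit record from user, tty, working dir and a raw `history 1` line.
# `history 1` prints "  123  cmd args"; the leading entry number is stripped.
format_audit_record() {
  local user="$1" tty="$2" cwd="$3" hist="$4" cmd
  cmd=$(printf '%s' "$hist" | sed -E 's/^ *[0-9]+ +//')
  printf 'user=%s tty=%s pwd=%s cmd=%s' "$user" "$tty" "$cwd" "$cmd"
}

# Deliver a record: to AUDIT_SINK with a UTC timestamp (handy for testing),
# or to syslog, which adds its own timestamp and hostname before forwarding.
emit_audit_record() {
  local record="$1"
  if [ -n "$AUDIT_SINK" ]; then
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$record" >> "$AUDIT_SINK"
  else
    logger -p "$AUDIT_FACILITY" -t bash-audit -- "$record"
  fi
}

# Hook for PROMPT_COMMAND: runs before each prompt is drawn. Pressing Enter on an
# empty line re-displays the same history entry, so the entry number is
# remembered to avoid logging one command twice.
__audit_last_entry=""
audit_last_command() {
  local hist num
  hist=$(HISTTIMEFORMAT= history 1) || return 0
  num=$(printf '%s' "$hist" | sed -E 's/^ *([0-9]+).*/\1/')
  [ -n "$num" ] && [ "$num" != "$__audit_last_entry" ] || return 0
  __audit_last_entry="$num"
  emit_audit_record "$(format_audit_record "$(id -un)" "$(tty 2>/dev/null || echo notty)" "$PWD" "$hist")"
}

# Arm the hook only in an interactive shell. Source this file from
# /etc/profile.d/ (or root's bashrc) rather than executing it as a script.
case $- in
  *i*) PROMPT_COMMAND="audit_last_command${PROMPT_COMMAND:+;$PROMPT_COMMAND}" ;;
esac
```

Each record arrives at the collector as a normal syslog line, so it can be retained and correlated like any other log. The caveat a reviewer would raise is the one the eTrust AC reply implies: this hook lives inside the shell the root user controls, so it is a compliance record rather than a tamper-resistant control; a kernel-enforced product or the kernel audit subsystem (auditd, with pam_tty_audit for TTY input) is the place to look when the requirement is that administrators cannot switch the logging off.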
Copyright 2010, SecurityFocus