Focus on Linux
Thread: root shell auditing
- root shell auditing, Jul 28 2008 01:34PM, Mars Gobetti (erresei6 libero it) (6 replies)
- Re: root shell auditing, Jul 29 2008 02:11PM, Diego Lacerda (diegolacerda gmail com) (1 reply)
- Re: root shell auditing, Jul 31 2008 09:24AM, Hari Sekhon (hpsekhon googlemail com) (2 replies)
- Re: root shell auditing, Aug 04 2008 01:09PM, Marian Rudzynski (mr impaled org) (1 reply)

> Hari Sekhon wrote:
>
>
>> Perhaps you could force everybody to use sudo for every command that
>> requires root privs and have automated alerting if anyone does a direct
>> root login or a sudo su or a sudo (/usr)?/bin/shell_of_your_choice type
>> thing...
>>
>> sudo does log properly and if all commands go through it, then you win.
>> This way all root commands would either be logged or you'd be alerted to
>> someone intentionally circumventing the logging by getting a full root
>> shell.
>>
>
> Looking for specific commands won't work. There are just too many
> "indirect" ways to execute a command.
>
> Even if you log everything which the user types and review those logs
> thoroughly, there are still ways to slip things past the reviewer,
> especially if the user is allowed to use interactive programs (vi,
> less, etc), or whose behaviour can be influenced by the contents of
> files (which may have changed or been removed by the time that you
> review the logs).
>
> The only mechanism which won't miss anything is logging at the syscall
> level, i.e. auditctl/auditd. Even that won't tell you everything
> that's happening (logging read() and write() would overwhelm the
> logs), but it should be enough to detect suspicious activity, and it
> cannot be bypassed in the way that logging user input or commands can.
>
True true.
So back to the other solution I mentioned, which is auditing every
keystroke, input and output of every session.
But alas, this is a proprietary solution.
I want an open source version of this so much...
-h
--
Hari Sekhon
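The syscall-level approach the quoted reply recommends, worked through as an added example (this is not code from the thread or from any of its participants). It assumes auditd is recording execve() calls made with effective uid 0 via a rule such as `-a always,exit -F arch=b64 -S execve -F euid=0 -k root-shell` (real auditctl syntax), and it reads the SYSCALL and EXECVE record layout that auditd actually emits. The sample records are constructed, and the list of shell binaries is an assumption you would adapt to your hosts. Commands run through sudo are already logged by sudo itself; what the script flags is the case the thread worries about, namely a login session ending up in an interactive root shell, whether via `sudo su`, `sudo -s`, `sudo /bin/bash` or a direct root login.

```python
"""Flag root shells in auditd output (added example, not from the thread).

Assumed auditctl rule (real syntax) feeding these records:
    -a always,exit -F arch=b64 -S execve -F euid=0 -k root-shell
"""
import re
from collections import defaultdict

# Assumed set of shell binaries; execution of one of these with euid 0
# inside a login session is treated as "someone obtained a root shell".
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/bin/ksh",
          "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/zsh", "/usr/bin/ksh"}
UNSET_AUID = 4294967295          # auid when no login session is attached (cron, daemons)
SYS_EXECVE = "59"                # x86_64 syscall number for execve

# type=SYSCALL msg=audit(<secs>.<ms>:<event id>): <key=value ...>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
# key=value pairs; values are bare tokens or double-quoted strings
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(rest):
    """Turn 'auid=1000 exe="/bin/bash"' into {'auid': '1000', 'exe': '/bin/bash'}."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(rest)}


def group_events(lines):
    """Join the SYSCALL and EXECVE records that share one audit event id."""
    events = defaultdict(dict)
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue                      # not an audit record we understand
        rtype, ts, eid, rest = m.groups()
        ev = events[eid]
        ev.setdefault("ts", ts)
        ev[rtype] = parse_fields(rest)
    return events


def find_root_shells(lines):
    """Return one alert dict per successful execve of a shell with euid 0 in a login session."""
    alerts = []
    for eid, ev in sorted(group_events(lines).items(), key=lambda kv: int(kv[0])):
        sc = ev.get("SYSCALL")
        if not sc or sc.get("syscall") != SYS_EXECVE or sc.get("success") != "yes":
            continue
        auid = int(sc.get("auid", UNSET_AUID))
        if int(sc.get("euid", -1)) != 0 or auid == UNSET_AUID:
            continue                      # not root, or no human session behind it
        exe = sc.get("exe", "")
        if exe not in SHELLS:
            continue                      # ordinary root command; sudo already logs it
        ex = ev.get("EXECVE", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        alerts.append({
            "event": eid, "ts": ev["ts"], "auid": auid, "exe": exe, "argv": argv,
            "tty": sc.get("tty", "?"),
            "kind": "direct root login shell" if auid == 0 else f"root shell from uid {auid}",
        })
    return alerts


# Constructed sample records (not real logs): a sudo'd `ls` (two events),
# a `sudo -s` that lands in bash, a cron job with unset auid, and a direct root login.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1217259000.101:301): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" key="root-shell"
type=EXECVE msg=audit(1217259000.101:301): argc=2 a0="sudo" a1="ls"
type=SYSCALL msg=audit(1217259000.102:302): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2002 pid=2003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="ls" exe="/bin/ls" key="root-shell"
type=EXECVE msg=audit(1217259000.102:302): argc=1 a0="ls"
type=SYSCALL msg=audit(1217259000.250:303): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2010 pid=2011 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="bash" exe="/bin/bash" key="root-shell"
type=EXECVE msg=audit(1217259000.250:303): argc=1 a0="bash"
type=SYSCALL msg=audit(1217259000.400:304): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" key="root-shell"
type=EXECVE msg=audit(1217259000.400:304): argc=3 a0="/bin/sh" a1="-c" a2="run-parts /etc/cron.hourly"
type=SYSCALL msg=audit(1217259000.500:305): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2100 pid=2101 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 ses=5 comm="bash" exe="/bin/bash" key="root-shell"
type=EXECVE msg=audit(1217259000.500:305): argc=1 a0="-bash"
"""

if __name__ == "__main__":
    for a in find_root_shells(SAMPLE_LOG.splitlines()):
        print(f"[{a['ts']}] event {a['event']}: {a['kind']} on {a['tty']} "
              f"exe={a['exe']} argv={' '.join(a['argv'])}")
```

Run against the constructed sample it reports events 303 and 305 only: the sudo'd `ls` is an ordinary root command that sudo logs on its own, and the cron job carries the unset auid, so neither is a person sitting in a root shell. The filtering on auid rather than uid is the point of the audit subsystem: auid is fixed at login and survives `su` and `sudo`, so the alert names the real person even after the privilege change. The record format is what auditd writes and is not something the audited user can alter, which is the bypass resistance the quoted reply relies on; a script with a `#!/bin/bash` shebang also execs the shell binary and would be flagged by this loose match, so in practice you would inspect argv (a script path as the first argument) before paging anyone.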