Re: command logging
by Steve Grubb
On Tuesday, November 08, 2011 04:09:42 PM Frank Kruchio wrote:
> Thanks Steve!
>
> These are RHEL5 U7 however what happens if they ssh in, pam_tty_audit won't
> work I think.
> Since console login is disabled we are not thinking of using pam_tty_audit
> or can you use it for ssh logins as well ?
Should work fine there.
> if not, what are the options to track users who share user ids ?
Users can share UIDs, but just not log in as that UID. They have to log in with their
own unique uid and then change to the shared account. Of course a cron job won't track
the auid, though. But you can disable cron for the shared account.
-Steve
command logging
by Frank Kruchio
We are running RHEL5 x86_64 and RHEL4 (32 and 64 bit) servers mostly at
work and management like to track every single command a user types.
So far we used rootsh but once a user types
sudo rootsh
sudo su - oracle
the oracle user commands are not logged any more.
Is there a way to track/record a user to see what was typed using the audit
subsystem ?
We are considering the idea now to
> /etc/securetty
to lock root logins out
The goal is to not have any shared IDs at all and all users should be
identified on what they did on the servers if necessary.
Suppress messages from /var/log/audit.log via audit.rules
by Worsham, Michael
Does anyone have an idea on how to suppress (exclude) these entries from showing up in the audit.log on a RHEL platform? I have tried the following to no success:
type=CWD msg=audit(1316431049.130:131982948): cwd="/"
type=PATH msg=audit(1316431049.130:131982948): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/x86_64/libc.so.6"
type=SYSCALL msg=audit(1316431049.130:131982949): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1316431049.130:131982949): cwd="/"
type=PATH msg=audit(1316431049.130:131982949): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
type=SYSCALL msg=audit(1316431049.130:131982950): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1316431049.130:131982950): cwd="/"
type=PATH msg=audit(1316431049.130:131982950): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/x86_64/libc.so.6"
type=SYSCALL msg=audit(1316431049.130:131982951): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
Packages installed:
redhat-release-5Server-5.7.0.3
audit-1.7.18-2.el5
selinux-policy-targeted-2.4.6-316.el5
Current rules:
## Suppress all VMware Tools system calls
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-ENOENT
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-ENOENT
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
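Two points in the threads above are easiest to see by parsing the audit records themselves: Steve's reply that the auid (login uid) set at authentication survives a later `su` to a shared account, and Michael's question about the VMware Tools library-probe noise (syscall=2, i.e. open on x86_64 arch=c000003e, failing with exit=-2 under subj type initrc_t). The following Python is an added example written for this page, not code from the list or from the audit project. It groups audit.log lines by their msg=audit(timestamp:serial) event id, reports (auid, uid, comm) per event so the original login is visible even when uid has changed, and applies the same noise criteria Michael's rules try to express as a log-consumer filter. The filter runs after the fact on the log; it is not a replacement for a kernel-side `-a exit,never` rule, but it makes the criteria that actually match the quoted records explicit (the quoted records are open calls, not fork). The first three sample lines are taken from the post; the event with auid=1000 and uid=500 is constructed for illustration.

```python
import re
from collections import defaultdict

# Sample audit.log lines. The 131982949 event is quoted from the list post;
# the 131983000 event is CONSTRUCTED: a user who logged in as auid=1000 and
# then switched to a shared account (uid=500) runs ls. Note auid is unchanged.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1316431049.130:131982949): arch=c000003e syscall=2 success=no exit=-2 a0=7fffacb237a0 a1=0 a2=2abb06288000 a3=6462696c2f343662 items=1 ppid=3921 pid=3923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" subj=system_u:system_r:initrc_t:s0 key=(null)
type=CWD msg=audit(1316431049.130:131982949): cwd="/"
type=PATH msg=audit(1316431049.130:131982949): item=0 name="/usr/lib/vmware-tools/lib64/libdnet.so.1/tls/libc.so.6"
type=SYSCALL msg=audit(1316431100.500:131983000): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=4000 pid=4001 auid=1000 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=5 comm="ls" exe="/bin/ls" subj=user_u:system_r:unconfined_t:s0 key="shared-account"
type=CWD msg=audit(1316431100.500:131983000): cwd="/home/oracle"
type=PATH msg=audit(1316431100.500:131983000): item=0 name="/bin/ls"
"""

# key=value tokens; values are either a double-quoted string or a bare word.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Event id carried by every record: audit(<epoch.millis>:<serial>)
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# auid=4294967295 is (unsigned)-1: no login uid was ever set (daemons, cron).
AUID_UNSET = 4294967295


def parse_record(line):
    """Parse one audit record into a dict of its fields plus _ts and _serial."""
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    match = MSG_RE.search(line)
    if match is None:
        raise ValueError("no audit(ts:serial) in record: " + line)
    fields["_ts"] = match.group(1)
    fields["_serial"] = int(match.group(2))
    return fields


def group_events(text):
    """Collect the SYSCALL/CWD/PATH records that share one event serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            record = parse_record(line)
            events[record["_serial"]].append(record)
    return events


def is_vmware_noise(records):
    """The criteria behind the posted rules, applied to a whole event:
    a failed open (success=no, exit=-2 == -ENOENT) issued by an initrc_t
    process whose PATH record names something under /usr/lib/vmware-tools."""
    syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
    if syscall is None:
        return False
    if syscall.get("success") != "no" or syscall.get("exit") != "-2":
        return False
    if ":initrc_t:" not in syscall.get("subj", ""):
        return False
    return any(r["type"] == "PATH" and
               r.get("name", "").startswith("/usr/lib/vmware-tools/")
               for r in records)


def who_ran_it(records):
    """(auid, uid, comm) for an event. auid is the login user stamped by the
    kernel at authentication and is kept across su/sudo; uid is the current
    account. None means the auid was never set (not an interactive login)."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    auid = int(syscall["auid"])
    return (None if auid == AUID_UNSET else auid, int(syscall["uid"]),
            syscall["comm"])


def summarize(text):
    """Split the log into kept events (serial -> who ran it) and the serials
    dropped as VMware Tools probe noise."""
    kept, dropped = {}, []
    for serial, records in sorted(group_events(text).items()):
        if is_vmware_noise(records):
            dropped.append(serial)
        else:
            kept[serial] = who_ran_it(records)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = summarize(SAMPLE_LOG)
    print("dropped as noise:", dropped)
    for serial, (auid, uid, comm) in kept.items():
        print(f"event {serial}: login auid={auid} running as uid={uid} comm={comm}")
```

On the sample the first event is dropped as noise and the second is kept with auid=1000 while uid=500, which is exactly the attribution Steve describes: the shared account is reached only through a personal login, so every syscall record still names the person. The same grouping is what ausearch and aureport do internally; writing it out shows why a filter on a single field (path, or the syscall name) is not enough and why the rule's `-S fork` cannot match these open records.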