help- auditing sys admin commands - Linux-audit - Linux-Audit List Archives

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

help- auditing sys admin commands

filter specific file from specific...

watch with -p wa catching fstat...

MS PRAVEEN

Thursday, 1 December 2011 Thu, 1 Dec '11

9:12 p.m.

Can some body help me here to find a rule/ solution to audit only commands are its arguments executed by users and root . I dont need any more other events audited since that can fill my free space . Please help me here -- Thanks & Regards, Praveen M S

Attachments:

attachment.html (text/html — 297 bytes)

Reply

Show replies by date

Steve Grubb

Friday, 2 December Fri, 2 Dec

7:48 a.m.

On Thursday, December 01, 2011 10:12:48 PM MS PRAVEEN wrote:

Can some body help me here to find a rule/ solution to audit only commands are its arguments executed by users and root . I dont need any more other events audited since that can fill my free space .

Well, the problem is how can you tell a command being executed from a script calling various programs? Also how can you tell that a file being sourced is a command? (I think in that case a file is opened for read and the shell executes it.) I think the bottom line is its pretty hard to tell. So, what we have is key stroke logging. This gets more than commands, but wouldn't you want to log what people do if its that important? If someone knew that only commands are being logged, they could start python and just start typing commands which won't be otherwise logged. There is a man page for this, pam_tty_audit. -Steve

Reply

4814

days inactive

4814

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

1 comments

2 participants

tags (0)

participants (2)

MS PRAVEEN
Steve Grubb