
Re: command logging



A couple ideas spring to mind.  The first and easiest to implement is 
process accounting.  It can be turned on within the kernel, BSD Process 
Accounting under General Setup.  The drawback there is that you don't get 
command line arguments.

Another option would be the logging that comes with something like the  
GrSecurity kernel patch.  http://www.grsecurity.net/  If you're going to 
be allowing shell access you'll probably want something like grsec 
anyway, among other things.

Hope that helps.

Steve

On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
> 
> For a box that will have limited shell access, I'm looking for something
> that will log all commands. The sudo log is nice but not everything is run
> through sudo.
> 
> There won't be many privacy issues as most users won't have shell.
> 
> The goal is to review a daily report for anything unexpected: stuff like:
> 
> tar -xzf rootkit.tar.gz
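
An added example, not part of the original thread: a sketch of the daily review Dan describes, built on the process accounting Steve suggests. It assumes the GNU acct `lastcomm` output layout; the `EXPECTED` allowlist, the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Daily review of BSD process accounting records (added example).
# Assumed GNU acct `lastcomm` layout:
#   command [flags] user tty cpu "secs" weekday month day hh:mm
# Accounting stores only the command name, so `tar -xzf rootkit.tar.gz`
# is recorded as plain `tar`; the report can flag names, not arguments.

# Hypothetical allowlist of commands expected on this box.
EXPECTED="bash ls cat less vi mutt"

# Reads lastcomm-style lines on stdin and prints "user command count"
# for every command that is not in the allowlist, sorted.
unexpected_commands() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        NF < 9 || $(NF - 4) != "secs" { next }   # skip malformed lines
        {
            # Count fields from the right: the flags column is optional,
            # so the user is not always field 2.
            user = $(NF - 7); cmd = $1
            if (!(cmd in ok)) seen[user " " cmd]++
        }
        END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Constructed sample records (not real log data).
sample_records() {
    cat <<'EOF'
ls                     dan      pts/1      0.00 secs Tue Oct 28 22:40
bash               F   dan      pts/1      0.00 secs Tue Oct 28 22:40
tar                    dan      pts/1      0.02 secs Tue Oct 28 22:41
tar                    dan      pts/1      0.01 secs Tue Oct 28 22:43
gcc                    guest    pts/2      0.31 secs Tue Oct 28 23:02
vi                 S   root     pts/0      0.04 secs Tue Oct 28 23:10
garbage line
EOF
}

# On a live system the input would be `lastcomm` itself, run from cron.
sample_records | unexpected_commands
```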


