Using audit to log all users commands

m.roth at 5-cent.us m.roth at 5-cent.us
Mon Jan 11 16:26:02 UTC 2010


> On Mon, Jan 11, 2010 at 12:50 PM,  <m.roth at 5-cent.us> wrote:
>>> Hi, this is my first message to this list and I hope that this is the
>>> correct place to post it, isn't it? If it is not, please tell me.
>>> So, thanks in advance.
>>>
>>> For auditing purposes, I want to log in a server all the users'
>>> commands and all their arguments [0] using audit (and if someone
>>> has a better idea, I'm all ears!)
>>> I was reading over the internet and Fedora related posts and I found
>>> [1] that the best way to log users' commands is to add a filter for
>>> the execve system call.
>> <snip>
>> You want to log all users' commands, all the time?
> Yes.
>
>> What's the point?
> It's a production server with users running commands and I need the
> command history of everyone, for example if something goes wrong
> (besides the auditing part that I need).
>
>> If you have more than a few users, there is no way you'll ever be able to
>> find anything, since you'll be buried under dozens of commands per user
>> per hour.
>> And your filesystems with the logfiles will fill up really fast, since
>> you want to log the full commands (with pathnames in them), but also the
>> audit messages.
>
> With 30~40 users I now have more or less 50~60 MB per day.
> Anyway, you can rotate the log file and it has a big compression ratio.

That's not the point - you'll get logfiles that are many megs large, every
day. How do you think you'll find what you don't like?
>
>> Unless you don't trust any of your users, this is a pointless exercise
>> in pretend security.
>
> No, I can't trust all the users, I need some extra security.

Do these users have root logins? Or do they only have sudo? If the latter,
that's already being logged in /var/log/secure. If the former, and they're
not trained admins, this is the first thing you need to change, long
before you worry about logging. NO ORDINARY USERS should *ever* have root
login.
>
> PS: you replied only to me.
>
ARGH! I HATE MAILING LISTS THAT ARE CONFIGURED SO THAT <REPLY> DOES
*N*O*T* GO TO THE MAILING LIST.

         mark
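As an added example (not code from the thread), the execve rule the original poster describes, written as it would go into an audit rules file, together with a small POSIX shell parser that pairs raw SYSCALL and EXECVE records back into "which login uid ran which command". The key name user_cmds and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the execve audit rule the original
# poster describes, plus a small parser that turns the resulting raw
# SYSCALL/EXECVE record pairs back into "who ran what". The rule key and
# the sample log lines are constructed for illustration.

# Rules for /etc/audit/rules.d/ (load with `augenrules --load` as root).
# auid>=1000 keeps system daemons out; auid!=4294967295 drops records
# whose login uid was never set (boot-time processes).
user_cmd_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
EOF
}

# Rebuild the command line from one raw EXECVE record: a0="ls" a1="-la" ...
# Arguments with spaces or odd bytes are hex-encoded and unquoted in raw
# logs; they pass through as-is here (ausearch -i would decode them).
execve_cmdline() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= '
        /^a[0-9]+=/ { i = substr($1, 2) + 0; v = substr($0, length($1) + 2)
                      gsub(/^"|"$/, "", v); a[i] = v; if (i + 1 > n) n = i + 1 }
        END { for (i = 0; i < n; i++) printf "%s%s", (i ? " " : ""), a[i]; print "" }'
}

# Pair each EXECVE record with the SYSCALL record carrying the same
# audit(...:serial); that record holds the login uid (auid) of the user.
who_ran_what() {
    syscall_serial=; syscall_auid=
    while IFS= read -r line; do
        serial=${line#*"msg=audit("}; serial=${serial%%")"*}
        case $line in
            type=SYSCALL*)
                syscall_serial=$serial
                syscall_auid=${line#*" auid="}; syscall_auid=${syscall_auid%% *} ;;
            type=EXECVE*)
                [ "$serial" = "$syscall_serial" ] || syscall_auid='?'
                printf 'auid=%s %s\n' "$syscall_auid" "$(execve_cmdline "$line")" ;;
        esac
    done
}

# Constructed, abbreviated audit.log excerpt (real SYSCALL records carry more fields).
SAMPLE_LOG='type=SYSCALL msg=audit(1263226162.123:4567): arch=c000003e syscall=59 success=yes exit=0 pid=2345 auid=1001 uid=1001 comm="ls" exe="/bin/ls" key="user_cmds"
type=EXECVE msg=audit(1263226162.123:4567): argc=3 a0="ls" a1="-la" a2="/var/log"
type=SYSCALL msg=audit(1263226190.456:4570): arch=c000003e syscall=59 success=yes exit=0 pid=2350 auid=1002 uid=1002 comm="sudo" exe="/usr/bin/sudo" key="user_cmds"
type=EXECVE msg=audit(1263226190.456:4570): argc=2 a0="sudo" a1="tail"'
printf '%s\n' "$SAMPLE_LOG" | who_ran_what   # one "auid=N command" line per EXECVE record
```

On a real host, `ausearch -k user_cmds -i` gives the same pairing with names instead of numeric ids; the parser here only shows what the raw records contain and why the volume grows with every process a user starts.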
