[logs] Unix privileged access logging
Mikhail Fimin
Mikhail.Fimin at quest.com
Thu May 17 01:54:17 PDT 2007
Hi Jim,
Recently released (a couple of months ago) Centrify DirectAudit may help
- it looks like they just log all keyboard activity and parse command
output, then classify, store and report on that.
Take a look at: http://www.centrify.com/directaudit/overview.asp
The tool is not free however (costs around ~$300k per server, but I'm
not sure).
Here's the info from their website:
"DirectAudit's detailed logging strengthens your compliance reporting
and helps you spot suspicious activity by showing which users accessed
what systems, what commands they executed, and what changes they made to
key files and data. With DirectAudit you can also perform immediate,
in-depth troubleshooting by replaying and reporting on user activity
that may have contributed to system failures. And its real-time
monitoring of current user sessions enables you to spot suspicious
activity."
Michael Fimin.
________________________________
From: loganalysis-bounces at loganalysis.org
[mailto:loganalysis-bounces at loganalysis.org] On Behalf Of James B
Horwath
Sent: Wednesday, May 16, 2007 6:56 PM
To: loganalysis at loganalysis.org
Subject: [logs] Unix privileged access logging
One of the items I am struggling with right now is logging Unix
privileged commands (add/deletes/etc). On some flavors of Unix
administrative actions are available via menus as well as the command
line. The command menus provide no method for syslog integration and
the menus provide a convenient tool for staff. The native audit
subsystem produces such a large volume of data, parsing said data is not
practical. Although sudo logs all administrative access, it seems many
admins lack the discipline to use sudo on a routine basis other than to
sudo su -.
Are there any tool recommendations?
Thanks in advance,
Jim
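Jim notes that sudo does log administrative access but that many admins only use it for `sudo su -`, after which every command runs in an unlogged root shell. As an added example (not code from either poster), here is a small Python audit over constructed sudo syslog lines that separates per-command entries from the invocations that hand out an interactive root shell; the host, user and command values are made up for illustration.

```python
import re
from collections import Counter

# Standard sudo syslog record: "<ts> <host> sudo[pid]: <user> : K=V ; K=V ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<fields>.*)$"
)

# Programs that give the caller an interactive root shell when run without -c.
SHELL_LIKE = {"su", "sh", "bash", "dash", "ksh", "csh", "zsh"}

# Constructed sample log (hypothetical host db01 and users jim, bob, eve).
SAMPLE_LOG = """\
May 16 18:42:01 db01 sudo:    jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/usr/sbin/useradd -m alice
May 16 18:43:10 db01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
May 16 18:45:33 db01 sudo[2231]:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 16 18:47:02 db01 sudo:    jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/usr/sbin/userdel alice
May 16 18:50:00 db01 sudo:    eve : TTY=pts/2 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/sh -c rm -rf /var/tmp/x
"""

def parse_sudo_line(line):
    """Return the sudo record as a dict (ts, host, user, TTY, PWD, USER, COMMAND), or None."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "user": m.group("user")}
    for field in m.group("fields").split(" ; "):
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip()
    return rec

def escapes_logging(rec):
    """True when the command starts a root shell: what follows is no longer logged per command.
    A shell run with -c is a one-shot whose command line is itself in the record, so it is kept."""
    argv = rec.get("COMMAND", "").split()
    if not argv or argv[0].rsplit("/", 1)[-1] not in SHELL_LIKE:
        return False
    return "-c" not in argv[1:]

def audit(log_text):
    """Return (all sudo records, shell-escape records, per-user escape counts)."""
    records = [r for r in map(parse_sudo_line, log_text.splitlines()) if r]
    escapes = [r for r in records if escapes_logging(r)]
    return records, escapes, Counter(r["user"] for r in escapes)

if __name__ == "__main__":
    _, esc, per_user = audit(SAMPLE_LOG)
    for r in esc:
        print(f"{r['ts']} {r['host']} {r['user']} -> root shell via {r['COMMAND']}")
    print("escapes per user:", dict(per_user))
```

Fed the real `/var/log/secure` or `auth.log` instead of `SAMPLE_LOG`, the per-user counts show which admins habitually bypass per-command logging and where a session-recording tool would add the most coverage.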