[logs] Unix privileged access logging
Jose Nazario
jose at monkey.org
Thu May 17 11:12:41 PDT 2007
On Thu, 17 May 2007, Paul Melson wrote:
> I think your best bet is to log shell commands for the root user to
> syslog. Check out:
> http://blogs.sun.com/chrisg/entry/logging_commands_in_korn_shell
this only works until they execute a different shell: csh, tcsh, zsh,
bash, etc ...
process accounting can't be escaped by the user but doesn't log arguments
to the commands; as such a user can easily hide nastiness in otherwise
innocent commands.
if you must log all root commands, enforce sudo access. by default it logs
all commands.
________
jose nazario, ph.d. jose at monkey.org
http://monkey.org/~jose/ http://monkey.org/~jose/secnews.html
http://www.wormblog.com/
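
An added example, not part of the original post: a parser for sudo's default syslog entries that recovers the full command line with its arguments and flags sudo invocations that start a shell, after which individual commands are no longer logged by sudo. The sample lines, host and user names are constructed, and the line layout assumes sudo's default syslog format.

```python
import re
from os.path import basename

# Constructed sample lines in sudo's default syslog format (not from the original post).
SAMPLE = """\
May 17 11:02:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/messages
May 17 11:03:44 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
May 17 11:05:01 host1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/visudo
May 17 11:06:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/sh -c id ; uname -a
May 17 11:07:00 host1 sshd[411]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssudo(?:\[\d+\])?:\s+"
    r"(?P<who>\S+) : (?P<rest>.*)$"
)
# Interactive shells: once one runs as root, sudo logs nothing further.
SHELLS = {"sh", "bash", "csh", "tcsh", "zsh", "ksh"}

def parse_sudo_line(line):
    """Return a dict for a sudo syslog entry, or None for any other line."""
    m = LINE.match(line)
    if not m:
        return None
    # COMMAND= is the last field and may itself contain " ; ", so split it off first.
    head, sep, command = m["rest"].partition("COMMAND=")
    if not sep:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "who": m["who"],
           "error": None, "command": command}
    for field in filter(None, (f.strip() for f in head.split(" ; "))):
        key, eq, value = field.partition("=")
        if eq and key.isupper():
            rec[key.lower()] = value      # TTY, PWD, USER
        else:
            rec["error"] = field          # e.g. "command not allowed"
    argv = command.split()
    rec["shell"] = bool(argv) and basename(argv[0]) in SHELLS
    return rec

def audit(text):
    """Parse every sudo entry in a block of syslog text."""
    return [r for r in map(parse_sudo_line, text.splitlines()) if r]

def unlogged_shells(records):
    """Permitted sudo runs that handed out a root shell."""
    return [r for r in records if r["shell"] and r["error"] is None]

if __name__ == "__main__":
    for r in unlogged_shells(audit(SAMPLE)):
        print(r["ts"], r["who"], "->", r["user"], ":", r["command"])
```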