[logs] Unix privileged access logging
Paul Melson
pmelson at gmail.com
Thu May 17 13:19:19 PDT 2007
> this only works until they execute a different shell: csh, tcsh, zsh,
> bash, etc ...
>
> process accounting can't be escaped by the user but doesn't log arguments
> to the commands; as such a user can easily hide nastiness in otherwise
> innocent commands.
>
> if you must log all root commands, enforce sudo access. by default it logs
> all commands.
Granted. But then again, they *are* root. You can't stop them from
circumventing pretty much anything you do to log their activity. The goal
is to give them an environment in which their activity can be monitored for
compliance, by default, and in which they can still work productively.
If one of your root users wants to hide from your logging, it would be
trivial to spawn a shell from, say, vi or ftp that wouldn't appear suspicious
or provide an audit trail. But sudo is no different in that regard. At the
end of the day, if you can't trust the people who have root access on your
servers, the solution is not more logging, it's getting new people.
PaulM
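The thread's point is that sudo records the command line it was asked to run and nothing that happens afterwards, so `sudo vi /etc/hosts` followed by `:!sh` leaves only the `vi` line in syslog. The script below is an added example, not code from the thread or from the sudo project: it parses sudo's default syslog format (constructed sample lines, not real log data) and flags the invocations an auditor would have to follow up on by hand, i.e. direct shells, `su`, and programs such as vi, ftp and less whose built-in `!` escape can spawn a shell that sudo never sees. The log lines, host and user names, and the `SHELLS`/`SHELL_ESCAPES` lists are assumptions made for the example; the lists are deliberately short and should be extended for the binaries on your own hosts.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format sudo writes to syslog by default.
# Hosts, users and commands are made up for this example.
SAMPLE_LOG = """\
May 17 13:01:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/messages
May 17 13:02:11 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
May 17 13:05:40 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May 17 13:06:03 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/ftp mirror.example.org
May 17 13:07:15 web1 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/ls
May 17 13:08:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
"""

# Programs that *are* a root shell, or hand one out (su).
SHELLS = {"sh", "bash", "csh", "tcsh", "zsh", "ksh", "su"}
# Programs with a shell escape (vi ":!cmd", ftp "!cmd", less/more "!cmd").
# sudo logs only this wrapper invocation, not what is run from inside it.
SHELL_ESCAPES = {"vi", "vim", "view", "ftp", "less", "more"}

# "<user> : [<error> ; ]TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<err>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str
    runas: str
    command: str
    argv0: str      # basename of the program sudo actually executed
    denied: bool    # sudo refused the request (e.g. "user NOT in sudoers")
    risk: str       # "denied", "shell", "shell-escape" or "ok"


def classify(argv0: str, denied: bool) -> str:
    """Decide how much the logged command line actually tells us."""
    if denied:
        return "denied"
    if argv0 in SHELLS:
        return "shell"          # everything after this line is unlogged
    if argv0 in SHELL_ESCAPES:
        return "shell-escape"   # may become a shell; sudo can't tell
    return "ok"


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Parse one sudo syslog line; return None for lines in another format."""
    m = SUDO_RE.match(line.rstrip("\n"))
    if not m:
        return None
    command = m.group("cmd")
    argv0 = os.path.basename(command.split()[0])
    denied = m.group("err") is not None
    return SudoEvent(
        ts=m.group("ts"), host=m.group("host"), user=m.group("user"),
        runas=m.group("runas"), command=command, argv0=argv0,
        denied=denied, risk=classify(argv0, denied),
    )


def audit(log_text: str) -> List[SudoEvent]:
    """Return the events an auditor must review by hand, in log order."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is not None and ev.risk != "ok":
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in audit(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} {ev.user}->{ev.runas} [{ev.risk}] {ev.command}")
```

Run against the sample, the script flags the `vi` and `ftp` invocations as shell-escape capable, the `/bin/bash` line as an outright root shell, and the denied request, while `tail` and `service` pass. The flags are a prompt for a human follow-up, not proof of wrongdoing, which is exactly the limit the thread describes: once root has a shell the record stops, and the only things that narrow the gap are restricting what sudo may run (sudo's `noexec` option blocks shell escapes from dynamically linked programs) or capturing terminal I/O with `log_output`, neither of which stops a determined root user.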
More information about the LogAnalysis mailing list