[ale] Auditing root shells

Jeff Hubbs hbbs at comcast.net
Mon Sep 19 05:40:16 EDT 2005


One thing that occurs to me is that if you've got to do this logging, it 
needs to be incontrovertible or it's no good.  If it can be casually 
switched off and on, then the logs mean nothing.

Jim's idea of making /root append-only is appealing in that regard 
provided some workaround or, rather, "alternative standard practice" can 
be worked out for the runlevel 1 problem.

I wouldn't be beyond patching the kernel to do the logging and 
establishing a "chain of custody" for running kernels.  This is 
analogous to DEC's SEVMS of olde.

Jeff

James P. Kinney III wrote:

>There are several that write a secure log either on the current machine
>or a remote machine. sudo is the first thing that comes to mind. Be sure
>to disable shell access from inside sudo (sudo /bin/sh will defeat the
>logging of sudo commands).
>
>The name escapes me but there is a bash (may be others as well) logger
>that support a remote "tee" process. Point this to an append-only
>file-system on the remote system and you have a solid log of root
>activity.
>
>Another easy way is to make the /root directory a separate, append only
>partition. This will put the .bash_history in append only mode. 
>
>Hmm. That may be a problem as /root needs to be on the same partition
>as /bin and /sbin in order to login in runlevel 1 for emergency issues.
>
>RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
>1 becomes impossible without a boot disk, though.
>
>On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
>  
>
>>Guys,
>>
>>We have a need to capture everything an admin does while logged in as root
>>and another power login (postgres).  This is driven by a number of forces,
>>not the least of which is Sarbanes Oxley.
>>
>>Are there any tried and true (and secure) auditing solutions that offer
>>this capability?
>>
>>Thanks, as always.
>>
>>John
>>
>>
>>_______________________________________________
>>Ale mailing list
>>Ale at ale.org
>>http://www.ale.org/mailman/listinfo/ale
>>    
>>
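Jeff's point that the log must not be casually switchable, and Jim's notes that `sudo /bin/sh` defeats sudo's own logging and that a remote "tee" into an append-only file gives a solid record, as an added example that is not part of this thread or of any tool named in it. It is a bash hook for interactive root shells that ships every command to syslog (facility `local6`, which can then be forwarded to a remote host whose log file is append-only) and separately flags sudo invocations that start a shell. The function names, the tag `shell_audit` and the facility are assumptions of this example.

```shell
#!/bin/bash
# Added example: per-command audit trail for an interactive root shell,
# plus detection of the "sudo <shell>" escape the thread describes.
# Assumes bash, `logger` (util-linux/bsdutils) and a syslog daemon.

# Build one audit record: "<user>[<pid>] <tty>: <command> [exit=<status>]"
audit_format() {
    printf '%s[%s] %s: %s [exit=%s]' "$1" "$2" "$3" "$4" "$5"
}

# `history 1` prefixes a history number ("   42  ls -l"); drop it.
strip_history_number() {
    printf '%s' "$1" | sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//'
}

# Return 0 when the command line is sudo starting a shell (sudo -s, sudo -i,
# sudo /bin/sh, sudo -u postgres bash, sudo su ...), which would hide the
# commands that follow from sudo's own log; otherwise return 1.
# Runs in a subshell so `set -f` (no globbing while splitting) stays local.
is_sudo_shell_escape() (
    set -f
    set -- $1
    [ "$1" = sudo ] || return 1
    shift
    for w in "$@"; do
        case "$w" in
            -s|-i|su|sh|bash|zsh|dash|*/sh|*/bash|*/zsh|*/dash) return 0 ;;
        esac
    done
    return 1
)

# Hook run after every interactive command (e.g. from /root/.bashrc).
# Forward local6.* to a remote syslog host writing to an append-only file
# to get the tamper-resistant record the thread asks for.
audit_hook() {
    local status=$?
    local cmd line
    cmd=$(strip_history_number "$(HISTTIMEFORMAT= history 1)")
    line=$(audit_format "${LOGNAME:-$(id -un)}" "$$" \
                        "$(tty 2>/dev/null || echo notty)" "$cmd" "$status")
    logger -p local6.info -t shell_audit -- "$line"
    if is_sudo_shell_escape "$cmd"; then
        logger -p local6.warning -t shell_audit -- "shell escape via sudo: $line"
    fi
    return "$status"
}

# Install the hook only in interactive shells.
case $- in *i*) PROMPT_COMMAND=audit_hook ;; esac
```

Root can of course unset `PROMPT_COMMAND`, so on its own this hook is exactly the "casually switched off" logging Jeff warns about; its value lies in the lines already forwarded off-host before that happens, and the `shell escape via sudo` warning gives the remote side something to alert on.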
