[ale] Auditing root shells

Christopher Fowler cfowler at outpostsentinel.com
Mon Sep 19 09:52:10 EDT 2005


I do not think that it is possible for Linux to do logging like you want
without a little work first.

One suggestion is to write a logging daemon that always runs.  
symlink /root/.bash_history -> /dev/log_daemon_pipe.
Then it writes all data from that pipe to syslog which you are remote
sysloging.

You need to figure out how to keep the daemon up and how to get bash to
not cache history.  It needs to write to the file before it execs() any
commands.

I had a project like this and I simply just edited the shell to do all
the logging for me.  Everything was sent to the security facility of
syslog.



On Mon, 2005-09-19 at 09:40 +0000, Jeff Hubbs wrote:
> One thing that occurs to me is that if you've got to do this logging, it 
> needs to be incontrovertible or it's no good.  If it can be casually 
> switched off and on, then the logs mean nothing.
> 
> Jim's idea of making /root append-only is appealing in that regard 
> provided some workaround or, rather, "alternative standard practice" can 
> be worked out for the runlevel 1 problem.
> 
> I wouldn't be beyond patching the kernel to do the logging and 
> establishing a "chain of custody" for running kernels.  This is 
> analogous to DEC's SEVMS of olde.
> 
> Jeff
> 
> James P. Kinney III wrote:
> 
> >There are several that write a secure log either on the current machine
> >or a remote machine. sudo is the first thing that comes to mind. Be sure
> >to disable shell access from inside sudo (sudo /bin/sh will defeat the
> >logging of sudo commands).
> >
> >The name escapes me but there is a bash (may be others as well) logger
> >that support a remote "tee" process. Point this to an append-only
> >file-system on the remote system and you have a solid log of root
> >activity.
> >
> >Another easy way is to make the /root directory a separate, append only
> >partition. This will put the .bash_history in append only mode.
> >
> >Hmm. That may be a problem as /root needs to be on the same partition
> >as /bin and /sbin in order to login in runlevel 1 for emergency issues.
> >
> >RedHat recommends to make root shell /bin/nologin and use sudo. Runlevel
> >1 becomes impossible without a boot disk, though.
> >
> >On Mon, 2005-09-19 at 09:01 -0400, John Wells wrote:
> >  
> >
> >>Guys,
> >>
> >>We have a need to capture everything an admin does while logged in as root
> >>and another power login (postgres).  This is driven by a number of forces,
> >>not the least of which is Sarbanes Oxley.
> >>
> >>Are there any tried and true (and secure) auditing solutions that offer
> >>this capability?
> >>
> >>Thanks, as always.
> >>
> >>John
> >>
> >>
> >>_______________________________________________
> >>Ale mailing list
> >>Ale at ale.org
> >>http://www.ale.org/mailman/listinfo/ale
> 
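Fowler's FIFO-to-syslog daemon, sketched as an added Python example (not code from the thread): the reader re-opens the pipe each time the shell closes it, pairs bash's `#<epoch>` HISTTIMEFORMAT markers with the command that follows, and hands each record to syslog on the LOG_AUTHPRIV facility. The FIFO path and the `shell-audit` tag are assumptions, and bash still has to be told to append history after every command (for example `PROMPT_COMMAND='history -a'`) rather than only at exit.

```python
"""Forward a root shell's history, written to a FIFO, into syslog (added example)."""
import os
import stat
import syslog

FIFO_PATH = "/var/run/root-history.fifo"   # assumed path; /root/.bash_history symlinks here
FACILITY = syslog.LOG_AUTHPRIV             # the "security facility" mentioned in the thread


def ensure_fifo(path, mode=0o600):
    """Create the named pipe if missing; refuse to read from a regular file put in its place."""
    if not os.path.exists(path):
        os.mkfifo(path, mode)
    elif not stat.S_ISFIFO(os.stat(path).st_mode):
        raise RuntimeError(f"{path} exists but is not a FIFO")


def parse_history(lines):
    """Yield (timestamp, command) pairs; '#<epoch>' lines are bash's HISTTIMEFORMAT markers."""
    ts = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#") and line[1:].isdigit():
            ts = int(line[1:])
            continue
        yield ts, line
        ts = None          # a marker applies only to the command directly after it


def format_record(user, ts, cmd):
    """One syslog line; repr() escapes newlines so a command cannot forge extra log records."""
    stamp = f"ts={ts}" if ts is not None else "ts=-"
    return f"shell-audit user={user} {stamp} cmd={cmd!r}"


def forward(lines, user, emit):
    """Convert history lines to audit records, pass each to emit(), return how many were sent."""
    count = 0
    for ts, cmd in parse_history(lines):
        emit(format_record(user, ts, cmd))
        count += 1
    return count


def run(path=FIFO_PATH, user="root"):
    """Daemon loop: each open() blocks until a writer appears and returns EOF when it closes."""
    ensure_fifo(path)
    syslog.openlog("shell-audit", syslog.LOG_PID, FACILITY)
    while True:
        with open(path, "r") as fifo:
            forward(fifo, user, lambda msg: syslog.syslog(syslog.LOG_NOTICE, msg))


if __name__ == "__main__":
    run()
```

Point the syslog daemon's `authpriv.*` selector at the remote loghost so the records leave the box before anyone with root can touch them.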