[ale] bash commands

Shawn taaj.shawn at gmail.com
Sun May 20 21:53:00 EDT 2012


If someone is in interactive mode it does not audit the commands. There is
a sudoreplay program that is supposed to be able to play back a session for
you. I've never used it, not sure if it works well.. maybe someone with
experience using it can chime in?
http://www.gratisoft.us/sudo/man/1.8.2/sudoreplay.man.html

What I do on my systems is something like this to get a decent audit trail =>

/etc/bash.bashrc:PS1='$STAFFID@\h [\w]# '
/etc/bash.bashrc:PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $STAFFID \ "$(history 1)" >> /tmp/.permanent_history'
/etc/profile:STAFFID=`logname 2> /dev/null`
/etc/profile:export STAFFID

here is an example of someone typing shit in interactive mode....

staaj at professorx [~]# sudo -i
[sudo] password for staaj:
root at professorx:~# echo hi friends
hi friends
root at professorx:~# tail -2 /tmp/.permanent_history
12674 staaj   1999  [May 21 01:45:14] grep -r STAFFID /etc/bash.bashrc /etc/profile
12674 staaj   2000  [May 21 01:46:07] echo hi friends
root at professorx:~#


All admins in my production env use bash, so this is for my needs; if your
admins use other shells you would need to modify this for your world(s).

On Sun, May 20, 2012 at 7:13 PM, Damon L. Chesser <damon at damtek.com> wrote:

> On Sun, 2012-05-20 at 20:27 +0000, Shawn wrote:
> > So why even have sudo if you use -i ?
>
> Because sudo logs user foo running /usr/bin/rm -rf / or any other
> command.  If you su to root, then you will only find user foo sudo to
> root, then some time later root ran /usr/bin/rm -rf, but which of the 20
> admins logged into your server ran that command?
>
>
> > Sent via BlackBerry
> >
> > -----Original Message-----
> > From: simontek at gmail.com
> > Sender: ale-bounces at ale.org
> > Date: Sun, 20 May 2012 19:57:31
> > To: Atlanta Linux Enthusiasts<ale at ale.org>
> > Reply-To: Atlanta Linux Enthusiasts <ale at ale.org>
> > Subject: Re: [ale] bash commands
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
>
> --
> Damon
> damon at damtek.com
>
>


-- 
*- Shawn Taaj*
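Added example, not code from Shawn's post or from the sudo project: a small POSIX shell model of the PROMPT_COMMAND audit trail above, so the log format and a query over it can be exercised outside an interactive root shell. The function names audit_record, audit_query, audit_sessions and audit_count, the log path under mktemp, and the sample log lines are all constructed for this example; a real deployment takes the history line from "$(history 1)" inside PROMPT_COMMAND as shown in the grep output.

```shell
#!/bin/sh
# Added example (not from the list post): model of the "<pid> <STAFFID> <history 1>"
# audit line and two ways of reading it back. Function names are assumptions.

# Append one audit line in the same shape as the post's log. In the real setup
# this runs from PROMPT_COMMAND as: echo $$ $STAFFID "$(history 1)" >> $AUDIT_LOG
# Here the history line is passed in so the function works outside an
# interactive session.
audit_record() {
    # $1 = pid of the (root) shell, $2 = STAFFID, $3 = output of "history 1"
    printf '%s %s %s\n' "$1" "$2" "$3" >> "$AUDIT_LOG"
}

# Print "<pid>: [timestamp] command" for every line recorded under one STAFFID.
# Fields 1-3 are pid, staffid and the history sequence number; the rest is the
# timestamped command.
audit_query() {
    awk -v who="$1" '
        $2 == who { pid = $1; $1 = ""; $2 = ""; $3 = ""; sub(/^ +/, "");
                    print pid ": " $0 }' "$AUDIT_LOG"
}

# List the distinct shell pids a STAFFID appears under, i.e. which "sudo -i"
# sessions belonged to that admin.
audit_sessions() {
    awk -v who="$1" '$2 == who { print $1 }' "$AUDIT_LOG" | sort -u
}

# Number of commands recorded for a STAFFID (prints 0 when there are none).
audit_count() {
    awk -v who="$1" '$2 == who { n++ } END { print n + 0 }' "$AUDIT_LOG"
}

# --- constructed demo data: two sudo -i sessions by two admins ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
AUDIT_LOG="$demo_dir/.permanent_history"

audit_record 12674 staaj '  1999  [May 21 01:45:14] grep -r STAFFID /etc/bash.bashrc /etc/profile'
audit_record 12674 staaj '  2000  [May 21 01:46:07] echo hi friends'
audit_record 13002 foo   '  4410  [May 21 01:50:30] tail -2 /var/log/syslog'

echo "commands run by staaj:"
audit_query staaj
echo "sessions for staaj: $(audit_sessions staaj)"
echo "command count for foo: $(audit_count foo)"
```

Usage note: the value of the extra pid column is exactly the point Damon makes about 20 admins sharing root; audit_sessions ties each command back to one person's shell. Two caveats a reviewer would raise with the original setup: the log lives in world-writable /tmp and is written by the same root shell the admin controls, so it is a convenience trail rather than tamper-evident evidence; forwarding the lines to a remote syslog (logger) or making the file append-only gives you something the user cannot quietly edit or unset PROMPT_COMMAND around.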