[TriLUG] Logging root and DBA activities

Aaron Joyner aaron at joyner.ws
Mon Jun 2 20:11:29 EDT 2014


Maybe I don't understand exactly what you're asking for, but this seems
simple?
1) By policy, don't allow anyone to start a root shell directly (e.g. root
has no password, disallow ssh directly as root, disallow sudo -s)
2) require all commands be run through sudo
3) ship the sudo syslog data to a syslog server.
4) ...
5) Profit?

Any reason that won't cover it?  The DBA situation is a bit more
complicated.  You can likely achieve something similar by wrapping all
commands to the database through sudo, but the "how" will be database
dependent.

Aaron S. Joyner
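Steps 2 and 3 above leave the central syslog server holding lines in sudo's standard log format, so as an added example (not from this thread) here is a small Python audit pass over such lines that separates accepted commands from the two cases a reviewer wants to see first: commands sudo denied, and accepted commands that simply handed out a root shell, which is what step 1 forbids. It assumes sudo -s and sudo -i show up with the shell binary itself as COMMAND; the sample log lines are constructed and the shell-binary list is an assumption.

```python
import re
from typing import Optional

# sudo's own syslog record layout:
#   "sudo: <invoking user> : [<reason> ;] TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)

# Assumed list: programs that give the caller an interactive root shell, i.e. the
# thing the "every command goes through sudo" policy exists to prevent.
SHELL_BINARIES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}

def parse_sudo_line(line: str) -> Optional[dict]:
    """Return the fields of one sudo syslog record, or None for any other line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"] or "ok"  # "ok" means sudo accepted the command
    return rec

def is_shell_escape(command: str) -> bool:
    """True when the executable is a shell or su (sudo -s / sudo -i are logged this way)."""
    parts = command.split()
    return bool(parts) and parts[0].rsplit("/", 1)[-1] in SHELL_BINARIES

def audit(lines):
    """Return (accepted records, findings); findings are (kind, record) pairs to review."""
    accepted, findings = [], []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue                      # sshd, cron, etc.: not a sudo record
        if rec["reason"] != "ok":
            findings.append(("denied", rec))
        elif is_shell_escape(rec["command"]):
            findings.append(("root-shell", rec))
        else:
            accepted.append(rec)
    return accepted, findings

# Constructed sample lines, not taken from a real server.
SAMPLE = """\
Jun  2 20:01:10 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart postgresql
Jun  2 20:02:33 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun  2 20:03:05 db01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su -
Jun  2 20:04:17 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql -c select 1
Jun  2 20:04:20 db01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
""".splitlines()

if __name__ == "__main__":
    for kind, rec in audit(SAMPLE)[1]:
        print(f"{kind:10} {rec['user']:>6} -> {rec['target']}: {rec['command']}")
```

The same pass works for the DBA case as long as the database commands are wrapped in sudo, since the USER= field then records which database account was targeted.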


On Mon, Jun 2, 2014 at 7:35 PM, William Sutton <william at trilug.org> wrote:

> one of my co-workers is using auditd.  He's got it configured to the point
> where you can actually replay someone's session.  I've bcc'd him in case he
> feels like shedding light on the subject.
>
> William Sutton
>
>
> On Mon, 2 Jun 2014, Matt Pusateri wrote:
>
>> All,
>>
>> For compliance purposes, I need to log all actions as root or from our
>> DBA’s.  We installed rootsh[1], but it leaves a lot to be desired.  I found
>> Snoopy[2] but haven’t played with it yet, but it’s a little different than
>> rootsh.  Anyone been using something different?  I’m not opposed to a
>> commercial application within reason.  I need to be able to log to a
>> central syslog server, so if it logs to syslog already that would be good.
>>
>>
>> 1. http://sourceforge.net/projects/rootsh/  yeah the website is dead, I
>> found it elsewhere can’t remember the link.  We used it out of EPEL on our
>> Centos boxes.
>> 2. https://github.com/a2o/snoopy
>>
>>
>> Thanks,
>>
>> Matt P.
>> --
>> This message was sent to: William <william at trilug.org>
>>
>> To unsubscribe, send a blank message to trilug-leave at trilug.org from
>> that address.
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> Unsubscribe or edit options on the web  : http://www.trilug.org/mailman/
>> options/trilug/william%40trilug.org
>>
>> Welcome to TriLUG: http://trilug.org/welcome
>>
>

