[TriLUG] Logging root and DBA activities

Thomas V Thomas thomasvt at gmail.com
Mon Jun 2 20:14:49 EDT 2014


http://www.beyondtrust.com/Products/PowerBrokerUnixLinux/

but it's commercial.


On Mon, Jun 2, 2014 at 8:11 PM, Aaron Joyner <aaron at joyner.ws> wrote:

> Maybe I don't understand exactly what you're asking for, but this seems
> simple?
> 1) By policy, don't allow anyone to start a root shell directly (e.g. root
> has no password, disallow ssh directly as root, disallow sudo -s)
> 2) require all commands be run through sudo
> 3) ship the sudo syslog data to a syslog server.
> 4) ...
> 5) Profit?
>
> Any reason that won't cover it?  The DBA situation is a bit more
> complicated.  You can likely achieve something similar by wrapping all
> commands to the database through sudo, but the "how" will be database
> dependent.
>
> Aaron S. Joyner
>
>
> On Mon, Jun 2, 2014 at 7:35 PM, William Sutton <william at trilug.org> wrote:
>
> > One of my co-workers is using auditd.  He's got it configured to the
> > point where you can actually replay someone's session.  I've bcc'd him
> > in case he feels like shedding light on the subject.
> >
> > William Sutton
> >
> >
> > On Mon, 2 Jun 2014, Matt Pusateri wrote:
> >
> >> All,
> >>
> >> For compliance purposes, I need to log all actions as root or from our
> >> DBAs.  We installed rootsh[1], but it leaves a lot to be desired.  I
> >> found Snoopy[2] but haven't played with it yet, but it's a little
> >> different than rootsh.  Anyone been using something different?  I'm not
> >> opposed to a commercial application within reason.  I need to be able
> >> to log to a central syslog server, so if it logs to syslog already that
> >> would be good.
> >>
> >>
> >> 1. http://sourceforge.net/projects/rootsh/  Yeah, the website is dead;
> >> I found it elsewhere, can't remember the link.  We used it out of EPEL
> >> on our CentOS boxes.
> >> 2. https://github.com/a2o/snoopy
> >>
> >>
> >> Thanks,
> >>
> >> Matt P.
> >> --
> >> This message was sent to: William <william at trilug.org>
> >>
> >> To unsubscribe, send a blank message to trilug-leave at trilug.org from
> >> that address.
> >> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> >> Unsubscribe or edit options on the web  :
> http://www.trilug.org/mailman/
> >> options/trilug/william%40trilug.org
> >>
> >> Welcome to TriLUG: http://trilug.org/welcome
> >>
> >
> >
>
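The sudo-plus-central-syslog approach discussed above leaves one gap that whoever reviews the logs has to close by hand: sudo records the command line it authorized, not what happens inside it, so a "COMMAND=/bin/bash" or "COMMAND=/usr/bin/mysql" entry is exactly where the audit trail goes dark. The following is an added example, not code from this thread or from rootsh, Snoopy, auditd or PowerBroker, that parses the default sudo syslog record format (as CentOS/RHEL ship it through rsyslog) and flags the entries that break a "no root shell" policy, start an interactive session the log cannot see into, or were refused. The sample log lines are constructed, and the SHELLS and INTERACTIVE program lists are assumptions to tune per site.

```python
"""Flag sudo syslog records that escape command-level logging.

Added example for the thread above; it assumes the default sudo syslog line
format ("user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...") and
uses assumed program lists that should be tuned per site.
"""
import os
import re

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>.+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

# Programs that hand the invoker an interactive shell as the target user.
# "sudo -s", "sudo -i", "sudo su -" and "sudo bash" all land here (assumed list).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}

# Interactive programs whose inner activity sudo never records: DB clients,
# editors with shell escapes, pagers (assumed list).
INTERACTIVE = {"mysql", "psql", "sqlplus", "vim", "vi", "less", "more", "nano"}


def classify(entry):
    """Return a finding label for one parsed sudo record, or None if benign."""
    if entry["reason"]:
        # "command not allowed", "N incorrect password attempts", ...:
        # sudo refused, and the attempt itself is worth a look.
        return "denied"
    words = entry["cmd"].split()
    if not words:
        return None
    prog = os.path.basename(words[0])
    if prog in SHELLS:
        # Violates the "no root shell" policy; nothing after this is logged.
        return "shell"
    if prog in INTERACTIVE:
        # The command is logged, but the session inside it is not.
        return "interactive"
    return None


def audit(lines):
    """Parse syslog lines and return (label, user, runas, command) findings."""
    findings = []
    for line in lines:
        m = SUDO_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a sudo record; other daemons share the stream
        entry = m.groupdict()
        label = classify(entry)
        if label:
            findings.append((label, entry["user"], entry["runas"], entry["cmd"]))
    return findings


# Constructed sample of what a central syslog server would receive.
SAMPLE_LOG = """\
Jun  2 20:01:12 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls -la /var/lib/mysql
Jun  2 20:02:40 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jun  2 20:03:05 db01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jun  2 20:04:18 db01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=mysql ; COMMAND=/usr/bin/mysql -u root
Jun  2 20:05:00 db01 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Jun  2 20:06:33 db01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

if __name__ == "__main__":
    for label, user, runas, cmd in audit(SAMPLE_LOG.splitlines()):
        print(f"{label:<12} {user} -> {runas}: {cmd}")
```

Run against the constructed sample it reports alice's /bin/bash as a shell escape, carol's mysql client as an interactive session, and bob's two refused attempts; alice's plain ls and the sshd line are ignored. Anything flagged "shell" or "interactive" is where a second source such as auditd session recording or sudo's own I/O logging has to take over, because the sudo record alone stops at the command line.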

