[TriLUG] Logging root and DBA activities

Mon Jun 2 20:22:19 EDT 2014

Basically the for compliance purposes, auditors want to see that everything done with root privileges is logged for review.  And anything a DBA does, even inside the SQL client is also logged.

1. For the DBA part, they actually want to see the sql commands inside the sql client. To ensure a DBA is not making queries he shouldn’t be.  Normally users are only allowed to make queries via stored procedures….
2. if you’re going to allow sudo, then how do you prevent me from sudo vi /tmp/somefile and start as shell from vi?  
3. At points in time it’s sometimes practical to login as root at the console, not very many times, but usually when something is foobar’d.
4. Not saying that item 2 is unreasonable.  But is is really inconvenient. Especially if everyone’s path is not setup.  Then you’re always having to fully specify the path and simple things like ls’ing a directory that you don’t know the full path to but can’t shell expand becomes tedious. Of course compliance is not about productivity or convenience….

Matt P.

On Jun 2, 2014, at 8:11 PM, Aaron Joyner <aaron at joyner.ws> wrote:

> Maybe I don't understand exactly what you're asking for, but this seems
> simple?
> 1) By policy, don't allow anyone to start a root shell directly (eg. root
> has no password, disallow ssh directly as root, disallow sudo -s)
> 2) require all commands be run through sudo
> 3) ship the sudo syslog data to a syslog server.
> 4) ...
> 5) Profit?
> 
> Any reason that won't cover it?  The DBA situation is a bit more
> complicated.  You can likely achieve something similar by wrapping all
> commands to the database through sudo, but the "how" will be database
> dependent.
> 
> Aaron S. Joyner
> 
> 
> On Mon, Jun 2, 2014 at 7:35 PM, William Sutton <william at trilug.org> wrote:
> 
>> one of my co-workers is using auditd.  He's got it configured to the point
>> where you can actually replay someone's session.  I've bcc'd him in case he
>> feels like shedding light on the subject.
>> 
>> William Sutton
>> 
>> 
>> On Mon, 2 Jun 2014, Matt Pusateri wrote:
>> 
>> All,
>>> 
>>> For compliance purposes, I need to log all actions as root or from our
>>> DBA’s.  We installed rootsh[1], but it leaves a lot to be desired.  I found
>>> Snoopy[2] but haven’t played with it yet, but it’s a little different than
>>> rootsh.  Anyone been using something different?  I’m not opposed to a
>>> commercial application within reason.  I need to be able to log to a
>>> central syslog server, so if it logs to syslog already that would be good.
>>> 
>>> 
>>> 1. http://sourceforge.net/projects/rootsh/  yeah the website is dead, I
>>> found it elsewhere can’t remember the link.  We used it out of EPEL on our
>>> Centos boxes.
>>> 2. https://github.com/a2o/snoopy
>>> 
>>> 
>>> Thanks,
>>> 
>>> Matt P.
>>> --
>>> This message was sent to: William <william at trilug.org>
>>> 
>>> To unsubscribe, send a blank message to trilug-leave at trilug.org from
>>> that address.
>>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>> Unsubscribe or edit options on the web  : http://www.trilug.org/mailman/
>>> options/trilug/william%40trilug.org
>>> 
>>> Welcome to TriLUG: http://trilug.org/welcome
>>> 
>> 
>> --
>> This message was sent to: Aaron S. Joyner <aaron at joyner.ws>
>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that
>> address.
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> Unsubscribe or edit options on the web  :
>> http://www.trilug.org/mailman/options/trilug/aaron%40joyner.ws
>> Welcome to TriLUG: http://trilug.org/welcome
>> 
> -- 
> This message was sent to: M. Pusateri <mpusateri at wickedtrails.com>
> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> Unsubscribe or edit options on the web	: http://www.trilug.org/mailman/options/trilug/mpusateri%40wickedtrails.com
> Welcome to TriLUG: http://trilug.org/welcome