[TriLUG] Logging root and DBA activities

John Broome jbroome at gmail.com
Tue Jun 3 11:27:34 EDT 2014


Related, slightly:  Does anyone have ideas for doing the same thing as OP
but on Solaris 11?


On Mon, Jun 2, 2014 at 8:28 PM, William Sutton <william at trilug.org> wrote:

> auditd can definitely allow you to watch sql commands, file edits,
> mistyped passwords... pretty much anything you could desire, and all for
> free (as in puppies).
>
>
> William Sutton
>
> On Mon, 2 Jun 2014, Matt Pusateri wrote:
>
>
>> Basically, for compliance purposes, auditors want to see that
>> everything done with root privileges is logged for review.  And anything a
>> DBA does, even inside the SQL client, is also logged.
>>
>>
>> 1. For the DBA part, they actually want to see the SQL commands inside
>> the SQL client, to ensure a DBA is not making queries he shouldn't be.
>>  Normally users are only allowed to make queries via stored procedures….
>> 2. If you're going to allow sudo, then how do you prevent me from sudo vi
>> /tmp/somefile and starting a shell from vi?
>> 3. At points in time it's sometimes practical to log in as root at the
>> console, not very many times, but usually when something is foobar'd.
>> 4. Not saying that item 2 is unreasonable.  But it is really
>> inconvenient, especially if everyone's path is not set up.  Then you're
>> always having to fully specify the path, and simple things like ls'ing a
>> directory that you don't know the full path to but can't shell-expand
>> become tedious.  Of course compliance is not about productivity or
>> convenience….
>>
>> Matt P.
>>
>>
>> On Jun 2, 2014, at 8:11 PM, Aaron Joyner <aaron at joyner.ws> wrote:
>>
>>> Maybe I don't understand exactly what you're asking for, but this seems
>>> simple?
>>> 1) By policy, don't allow anyone to start a root shell directly (e.g. root
>>> has no password, disallow ssh directly as root, disallow sudo -s)
>>> 2) require all commands be run through sudo
>>> 3) ship the sudo syslog data to a syslog server.
>>> 4) ...
>>> 5) Profit?
>>>
>>> Any reason that won't cover it?  The DBA situation is a bit more
>>> complicated.  You can likely achieve something similar by wrapping all
>>> commands to the database through sudo, but the "how" will be database
>>> dependent.
>>>
>>> Aaron S. Joyner
>>>
>>>
>>> On Mon, Jun 2, 2014 at 7:35 PM, William Sutton <william at trilug.org>
>>> wrote:
>>>
>>>> one of my co-workers is using auditd.  He's got it configured to the
>>>> point where you can actually replay someone's session.  I've bcc'd him
>>>> in case he feels like shedding light on the subject.
>>>>
>>>> William Sutton
>>>>
>>>>
>>>> On Mon, 2 Jun 2014, Matt Pusateri wrote:
>>>>
>>>>> All,
>>>>>
>>>>> For compliance purposes, I need to log all actions as root or from our
>>>>> DBAs.  We installed rootsh[1], but it leaves a lot to be desired.  I
>>>>> found Snoopy[2] but haven't played with it yet, but it's a little
>>>>> different than rootsh.  Anyone been using something different?  I'm not
>>>>> opposed to a commercial application within reason.  I need to be able to
>>>>> log to a central syslog server, so if it logs to syslog already that
>>>>> would be good.
>>>>>
>>>>>
>>>>> 1. http://sourceforge.net/projects/rootsh/  yeah the website is dead,
>>>>> I found it elsewhere, can't remember the link.  We used it out of EPEL
>>>>> on our CentOS boxes.
>>>>> 2. https://github.com/a2o/snoopy
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Matt P.
>>>>> --
>>>>> This message was sent to: William <william at trilug.org>
>>>>>
>>>>> To unsubscribe, send a blank message to trilug-leave at trilug.org from
>>>>> that address.
>>>>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>>>>> Unsubscribe or edit options on the web  :
>>>>> http://www.trilug.org/mailman/
>>>>> options/trilug/william%40trilug.org
>>>>>
>>>>> Welcome to TriLUG: http://trilug.org/welcome
>>>>>
>>>>>
>>>>
>>>
>>
>>
>
>

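The recipe the thread converges on (Aaron's "require everything through sudo and ship the sudo syslog", Matt's objection that `sudo vi` hands out a root shell, and William's pointer to auditd) as one added, runnable example. This is not code from any of the participants, rootsh or Snoopy. It writes an auditd rule set and a sudoers fragment into a scratch directory you pass in (never /etc), and classifies constructed sudo syslog lines in the format sudo itself emits so a central syslog server can flag the escapes Matt describes. The host name `db01`, the users `alice`/`bob`/`carol`, the group `ops` and the allowed command list are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Two parts:
#   write_policy_examples DIR   - writes 50-rootcmd.rules (auditd) and
#                                 sudoers-ops (a sudoers.d fragment) into DIR
#   classify_sudo_line LINE     - labels one sudo syslog line:
#                                 ALLOWED | SHELL_ESCAPE | ROOTSHELL | AUTHFAIL
# Host, user and group names below are constructed for the example.

write_policy_examples() {
    dir=$1
    mkdir -p "$dir"
    # Audit rules: record every execve whose effective uid is 0 under the
    # key "rootcmd" (so `ausearch -k rootcmd` finds them, and they leave the
    # box via audispd/syslog), and watch the sudoers policy for writes.
    cat > "$dir/50-rootcmd.rules" <<'EOF'
-a always,exit -F arch=b64 -S execve -F euid=0 -k rootcmd
-a always,exit -F arch=b32 -S execve -F euid=0 -k rootcmd
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
EOF
    # Sudoers fragment: no shell is in the allowed list, NOEXEC (sudo's
    # LD_PRELOAD hook) stops a listed program from exec'ing anything, which
    # defeats vi's :!sh, and file edits go through sudoedit, which edits a
    # copy as the caller and never runs an editor as root at all.
    cat > "$dir/sudoers-ops" <<'EOF'
Defaults        syslog=authpriv, use_pty
Cmnd_Alias      OPS = /bin/ls, /usr/bin/systemctl, /usr/sbin/service
Cmnd_Alias      EDIT = sudoedit /etc/*
%ops            ALL = (root) NOEXEC: OPS, EDIT
EOF
}

# First token after COMMAND= in a sudo syslog line (the program that ran).
sudo_command() {
    printf '%s\n' "$1" | sed -n 's/.*COMMAND=\([^ ]*\).*/\1/p'
}

# sudo -s / sudo -i log COMMAND=<the target user's shell>, so they land in
# ROOTSHELL; editors, pagers and interpreters with a shell escape land in
# SHELL_ESCAPE; password failures are reported by sudo on the same line.
classify_sudo_line() {
    line=$1
    case $line in
        *"incorrect password attempt"*) echo AUTHFAIL; return 0 ;;
    esac
    cmd=$(sudo_command "$line")
    [ -n "$cmd" ] || { echo UNPARSED; return 0; }
    case ${cmd##*/} in
        sh|bash|dash|zsh|ksh|csh|tcsh|su)                         echo ROOTSHELL ;;
        vi|vim|view|ex|ed|nano|emacs|less|more|man|find|awk|perl|python*)
                                                                  echo SHELL_ESCAPE ;;
        *)                                                        echo ALLOWED ;;
    esac
}

# One "user VERDICT command" line per sudo entry; non-sudo lines are skipped.
report_sudo_log() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        case $l in *" sudo: "*) ;; *) continue ;; esac
        user=$(printf '%s\n' "$l" | sed -n 's/.* sudo: *\([^ ]*\) :.*/\1/p')
        printf '%s %s %s\n' "$user" "$(classify_sudo_line "$l")" "$(sudo_command "$l")"
    done
}

# Number of entries carrying a given verdict, e.g. count_verdict "$LOG" ROOTSHELL
count_verdict() {
    report_sudo_log "$1" | awk -v v="$2" '$2 == v { n++ } END { print n + 0 }'
}

# Constructed sample syslog lines in sudo's own format (sudo pads the user name).
SAMPLE_LOG='Jun  2 20:11:03 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /var/log
Jun  2 20:12:15 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /tmp/somefile
Jun  2 20:13:40 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Jun  2 20:14:02 db01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=sudoedit /etc/hosts
Jun  2 20:15:10 db01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash'

# Stand-alone run: print the classified report for the sample log.
report_sudo_log "$SAMPLE_LOG"
```

`visudo -cf DIR/sudoers-ops` syntax-checks the fragment before it goes into /etc/sudoers.d, and `auditctl -R DIR/50-rootcmd.rules` (or dropping it into /etc/audit/rules.d and running `augenrules --load`) activates the rules. NOEXEC only covers dynamically linked programs that honour LD_PRELOAD, so a statically linked or setuid editor would still escape; that is why the fragment routes edits through sudoedit rather than trusting NOEXEC alone. None of this sees inside a SQL client: the audit record and the sudo line both end at the client's execve, which is exactly the gap Aaron's step 4 leaves open.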
