Way to log all commands run after sudo'ing/su'ing [to "root"]


jplee3

Aug 16, 2010, 6:23:39 PM8/16/10
to ossec-list
Hi all,

Just wondering if OSSEC has the ability to capture all commands run
after sudo'ing or su'ing to root (or another privileged user, etc).


TIA!

oscar schneider

Aug 17, 2010, 5:28:46 AM8/17/10
to ossec-list
Hey,

OSSEC itself is not capable of logging commands after sudo'ing to root
or similar. Actually, it is not meant for logging itself but for log
analysis.
It only creates logs for the HIDS itself and for the alerts it generates.
Even with process monitoring, OSSEC itself does not create the output
but runs a command and treats the output as a log.
To achieve what you are looking for, you would need to find a
mechanism that allows for recording all commands executed by root
(either in general or after gaining uid=0 by executing sudo -s or su
root).

Here are some links about this topic:

http://etbe.coker.com.au/2010/06/11/logging-shell-commands/
http://sourceforge.net/projects/snoopylogger/
http://www.unix.com/security/85932-how-do-i-find-all-commands-entered-root-any-terminal.html
http://www.linuxquestions.org/questions/showthread.php?p=4063262#post4063262
http://www.issociate.de/board/post/289444/Logging_root_activity_with_syslog-ng.html

Let me know if you find something suitable.

Kind regards,

Oscar
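The mechanism Oscar describes, as an added example that is not from this thread and is not part of OSSEC: a small bash hook in the spirit of the PROMPT_COMMAND/logger approach from the first link, which hands every command typed in an interactive root shell to syslog so OSSEC can treat it like any other auth-facility log line. The install path (/etc/profile.d/root-cmdlog.sh), the `cmdlog:` line format, the `root-cmdlog` syslog tag and all function names are assumptions made for this example; it assumes bash, util-linux `logger`, and a syslog daemon writing to a file OSSEC already monitors.

```shell
#!/bin/bash
# Added example (not from the thread, not part of OSSEC): give each command
# typed in an interactive root shell its own syslog line, so OSSEC can treat
# it as a normal auth-facility log. Hypothetical install path:
#   /etc/profile.d/root-cmdlog.sh   (sourced by login shells)
# Assumes bash, util-linux `logger`, and a syslog daemon writing to a file
# OSSEC already monitors (/var/log/auth.log or /var/log/secure).

# Reduce one line of `history 1` output ("  123  ls -la") to the command text.
cmdlog_strip_history() {
    printf '%s\n' "$1" | sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//'
}

# Build the key=value line handed to syslog. A fixed field order keeps the
# OSSEC-side decoder regex simple.
#   $1 effective user   $2 invoking user (SUDO_USER, or "-" for su/console)
#   $3 tty              $4 working directory   $5 raw `history 1` line
cmdlog_format() {
    printf 'cmdlog: user=%s via=%s tty=%s cwd="%s" cmd="%s"' \
        "$1" "$2" "$3" "$4" "$(cmdlog_strip_history "$5")"
}

# Runs from PROMPT_COMMAND, i.e. just before each new prompt, so it sees the
# command that has just finished. The history number is remembered so an
# empty Enter or a Ctrl-C does not log the previous command a second time.
cmdlog_hook() {
    local last num term
    last=$(history 1)
    num=$(printf '%s\n' "$last" | awk '{print $1}')
    [ -n "$num" ] && [ "$num" != "$CMDLOG_LAST" ] || return 0
    CMDLOG_LAST=$num
    term=$(tty 2>/dev/null) || term=notty
    logger -p auth.info -t root-cmdlog -- \
        "$(cmdlog_format "$(id -un)" "${SUDO_USER:--}" "$term" "$PWD" "$last")"
}

# Arm the hook only in interactive root bash sessions. HISTCONTROL/HISTIGNORE
# are cleared so commands prefixed with a space are not silently skipped, and
# the variables are made read-only so `unset PROMPT_COMMAND` does not work.
# This is an audit trail, not a control: `exec /bin/sh` or running a script
# bypasses it entirely, which is why pty-level session recorders such as
# rootsh or sudosh are the stronger option.
if [ -n "$BASH_VERSION" ] && [ "$(id -u)" = 0 ] && [ -n "$PS1" ] \
   && [ -z "$CMDLOG_ARMED" ]; then
    CMDLOG_ARMED=1
    set -o history
    HISTCONTROL= HISTIGNORE=
    PROMPT_COMMAND="cmdlog_hook${PROMPT_COMMAND:+;$PROMPT_COMMAND}"
    readonly PROMPT_COMMAND HISTCONTROL HISTIGNORE
fi
```

Two practical notes: `/etc/profile.d` is only read by login shells (`su -`, `sudo -i`), so for `sudo -s` or a plain `su` the file also has to be sourced from /root/.bashrc; and a line such as `cmdlog: user=root via=jplee3 tty=/dev/pts/0 cwd="/root" cmd="cat /etc/shadow"` will not match any stock OSSEC decoder, so to alert on it you add a decoder keyed on the `cmdlog:` prefix in etc/local_decoder.xml and a matching rule in rules/local_rules.xml.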

d.as...@cgi.com

Aug 17, 2010, 8:26:44 AM8/17/10
to ossec...@googlegroups.com
Hi! Sorry to intrude on this thread, but here we use rootsh-1.5.3 or,
on some other systems, sudosh. Both of them are easily installed.
Of the two, rootsh is preferable.

http://sourceforge.net/projects/rootsh/

http://sourceforge.net/projects/sudosh/

Another Dan :)



Notice of Confidentiality: This electronic mail message, including any attachments, is confidential and may be privileged and protected by professional secrecy. They are intended for the exclusive use of the addressee. If you are not the intended addressee or the person responsible for delivering this document to the intended addressee, you are hereby advised that any disclosure, reproduction, copy, distribution or other use of this information is strictly forbidden. If you have received this document by mistake, please immediately inform the sender by telephone, destroy and delete the information received from any hard disk or any media on which it may have been registered and do not keep any copy. Thank you for your cooperation.

Aaron

Aug 17, 2010, 7:59:16 AM8/17/10
to ossec...@googlegroups.com
You can do this with the root user pretty easily using rootsh:
http://sourceforge.net/projects/rootsh/
We use it on all our servers and it can be very handy.

Aaron Thul
http://www.chasingnuts.com
