LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices



Reply
 
Search this Thread
Old 07-10-2009, 09:34 AM   #1
mahmoud
Member
 
Registered: Apr 2006
Location: UK
Distribution: Mandriva, Debain, Redhat, Fedora, Ubuntu, FreeBSD
Posts: 269

Rep: Reputation: 30
accounting fedora


hi
does anyone know how i can turn on accounting on in fedora i want to monitor all the users commands and movement within the server.
 
Old 07-11-2009, 03:27 AM   #2
Legolas891
LQ Newbie
 
Registered: Apr 2009
Posts: 22

Rep: Reputation: 15
Quote:
Originally Posted by mahmoud View Post
hi
does anyone know how i can turn on accounting on in fedora i want to monitor all the users commands and movement within the server.
As far as I know,this is default,so any command given to the server is recorded in users directory in a file(/home/user/.bash_history)
 
Old 07-11-2009, 06:34 PM   #3
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,159

Rep: Reputation: 328Reputation: 328Reputation: 328Reputation: 328
That's not really accounting (since the .bash_history can be turned off or deleted by the user, I certainly wouldn't rely on it for anything security related). Your can use the accton command to turn on process accounting (see the man page for details).I think SELinux may have some monitoring tools too, but I'm not really up on that...
 
Old 07-12-2009, 06:34 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,699
Blog Entries: 54

Rep: Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962
The main problem with people wanting to "monitor all the users commands and movement within the server" is that they do not specify the purpose for doing that (please elaborate) and do not know that judicial implications, governing network, security and privacy policies and machine and network ownership may prohibit blindly logging everything or prohibit you from doing it. The second main problem is people expect GNU/Linux to have some sort of on/off switch to enable centralised, all-encompassing, easy-to-correlate, human-readable logging which is not the case. The third problem is that people often have no idea what goes on process-wise between userland and the kernel.

To elaborate on what was said earlier: the problem is that the DAC rights of the history file match, and the process owner writing to the history file is the same, user who executes any commands to be logged.
This makes shell history logging (and any 'script'-like kludges):
- voluntary as the user can override system-wide settings, deny writing by reconfiguring or symlinking,
- susceptible to tampering by writing into it, modifying it or deleting lines, and
- also this type of logging is inexact because it does not log timestamps by default (only more recent bash can do that).
If you need shell history logging (and this goes for all typs of logging) you should know what you need to log in terms of expected output and use a logging patch (for Bash search for "Anotatla" or see the Honeypot project) or a syslog-capable shell wrapper (Rootsh or Sudosh) .
The problem with process accounting is simply that it does not log everything. I could elaborate further but I'd rather first read the OP write in detail about the purpose.
 
Old 07-13-2009, 06:04 AM   #5
mahmoud
Member
 
Registered: Apr 2006
Location: UK
Distribution: Mandriva, Debain, Redhat, Fedora, Ubuntu, FreeBSD
Posts: 269

Original Poster
Rep: Reputation: 30
Basically i am designing our network to be PCI DSS compliance and a few of the conditions is to keep an audit off user activities on every server
i am not really bothered about the bacis commands but i do want to see if someone is copying our database dump or copying stuff they should not be
so i know the have right but also i have to meet the standards first then i can tune it.
Thanks "btmiller" for the accton will look into it.
 
Old 07-13-2009, 08:00 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,699
Blog Entries: 54

Rep: Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962
Quote:
Originally Posted by mahmoud View Post
i am not really bothered about the bacis commands but i do want to see if someone is copying our database dump or copying stuff they should not be
I wonder if design criteria like "not really bothered", "bacis commands" and "or copying stuff" are enough to have it confidently survive an audit or CC company investigation.
 
Old 07-14-2009, 07:50 AM   #7
mahmoud
Member
 
Registered: Apr 2006
Location: UK
Distribution: Mandriva, Debain, Redhat, Fedora, Ubuntu, FreeBSD
Posts: 269

Original Poster
Rep: Reputation: 30
i wish i understood what you are on about.
Can you explain yourself a bit better
 
Old 07-14-2009, 08:10 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,699
Blog Entries: 54

Rep: Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962Reputation: 2962
My comment was inspired by how you phrased what you would or wouldn't log (e.g.: lacking absolute criteria). That just made me wonder (wrt PCI-DSS 10.2.1 - 10.2.7) if what you are doing will answer the "when, who, what, where, and where from" questions that an audit or investigation may ask. Maybe you have deployed other methods already but in case you haven't and are only enabling process accounting then the answer IMHO would be "no".
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables and accounting Ammad Linux - Networking 1 11-29-2007 12:23 AM
eBay accounting RodWC General 2 07-13-2006 09:55 AM
Help with Quasar Accounting? graystarr Linux - Software 0 05-03-2006 09:16 PM
ip accounting in Fedora Pastorino Linux - Networking 2 07-08-2005 02:07 PM
Basic accounting Terrabyte5000 Programming 1 06-13-2005 05:23 PM


All times are GMT -5. The time now is 11:10 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration