LinuxQuestions.org
Old 11-20-2008, 08:33 AM   #1
AmdMhz
Member
 
Registered: Jan 2004
Location: Indiana
Distribution: Debian, OpenSUSE
Posts: 142

Rep: Reputation: 15
I need an Auditing solution - Please Help


I am looking for a user auditing solution for Linux. I need something that will give me a report of what each user changed and what command they ran. I have been googling for different solutions but have not really found one. Does anyone have any suggestions?

Thanks for the help.
 
Old 11-20-2008, 09:48 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 18,316

Rep: Reputation: 3878
Quote:
Originally Posted by AmdMhz
I am looking for a user auditing solution for Linux. I need something that will give me a report of what each user changed and what command they ran. I have been googling for different solutions but have not really found one. Does anyone have any suggestions?

Thanks for the help.
Think you'll have to go with a combination of things.

User commands, etc., are usually captured in the user's home directory, in a .bash_history (or .sh_history) file. The drawback is that the user can delete/edit that file. So unless you run a scraper to move that file's contents elsewhere when the user attempts a logout, you may have gaps if they know what they're doing.

Doing a 'last' command will use wtmp to show you who logged in when, from where, and for how long.

What file(s) changed is a bit harder. I've had good luck with Tripwire. It's reasonably priced, and gives you very granular reports. Fairly easy to set up, but VERY powerful.
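The "what files changed" half of the question is what Tripwire-style file-integrity checking answers: record a hash of every file you care about, then compare later. The script below is an added example, not code from the thread or from Tripwire, showing the idea in POSIX sh with GNU coreutils (sha256sum, find, sort, xargs). The directory tree, file names and contents in demo() are constructed for illustration; paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-integrity baseline and
# drift check, the same idea Tripwire implements with a signed database.
# Assumes GNU coreutils; paths with whitespace are not supported by the awk join.

# make_baseline DIR BASELINE_FILE
# Hash every regular file under DIR into BASELINE_FILE ("<sha256>  <path>" per line).
make_baseline() {
    dir=$1; out=$2
    (cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum) > "$out"
}

# check_baseline DIR BASELINE_FILE
# Print "ADDED/CHANGED/REMOVED <path>" for each difference between the baseline
# and the tree as it is now. Returns 0 when the tree matches, 1 on drift.
check_baseline() {
    dir=$1; base=$2
    current=$(mktemp) || return 2
    make_baseline "$dir" "$current"
    report=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }        # baseline: path -> hash
        !($2 in old)        { print "ADDED " $2; next }   # present now, not before
        old[$2] != $1       { print "CHANGED " $2 }       # hash differs
        { seen[$2] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$current" | sort)
    rm -f "$current"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# demo: build a constructed tree, take a baseline, then change, add and remove
# one file each so the report shows every kind of drift.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/etc"
    printf 'root:x:0:0\n' > "$work/etc/passwd"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"
    printf 'keep me\n' > "$work/etc/motd"
    make_baseline "$work" "$work.baseline"
    # simulated drift after the baseline was taken
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"
    printf 'new file\n' > "$work/etc/hosts.allow"
    rm -f "$work/etc/motd"
    if check_baseline "$work" "$work.baseline"; then rc=0; else rc=$?; fi
    rm -rf "$work" "$work.baseline"
    return $rc
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh script.sh demo` to see the three drift lines. In real use the baseline file must live somewhere the audited users cannot write (or on another host), otherwise it can be regenerated after the change, which is the same weakness TB0ne notes for .bash_history.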
 
Old 11-20-2008, 10:05 AM   #3
DotHQ
Member
 
Registered: Mar 2006
Location: Ohio, USA
Distribution: Red Hat, Fedora, Knoppix,
Posts: 545

Rep: Reputation: 33
I'll 2nd Tripwire for keeping track of what files have been changed / modified.

Remember, if they can su to root, it is hard to tell which user's root shell changed something unless they were the only ones on at that time. Otherwise you can lock them down as much as you like with permissions so that they cannot change any files that matter.
 
Old 11-20-2008, 10:05 AM   #4
AmdMhz
Member
 
Registered: Jan 2004
Location: Indiana
Distribution: Debian, OpenSUSE
Posts: 142

Original Poster
Rep: Reputation: 15
TB0ne, thanks for the suggestion. I will look into that. I was also looking into Snare as well. My problem is the Auditd service is not running on my system and cannot be found. I have been trying to build the Auditd package from source but keep coming up with errors. I am running Debian 4.0. Hopefully I can get that to work somehow.
 
Old 11-20-2008, 11:01 AM   #5
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 12,601
Blog Entries: 25

Rep: Reputation: 1981
Hi,

I will ask why you need the audit. The control level of the system can be set up by the admin/root. Your normal user cannot do harm unless you allow it via su/sudoers. Normal users cannot cause too much trouble except for themselves. If it is for assistance/help desk purposes, then history would be the way to go.
 
Old 11-20-2008, 11:29 AM   #6
AmdMhz
Member
 
Registered: Jan 2004
Location: Indiana
Distribution: Debian, OpenSUSE
Posts: 142

Original Poster
Rep: Reputation: 15
OneBuck

You are right. This is for Helpdesk purposes. We mainly want to see what files are being changed or deleted by each user so that when they call say we broke something we have some ground to stand on. My bosses want to be able to have accountability of who causes what. Thanks for your help.
 
Old 11-20-2008, 01:52 PM   #7
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 12,601
Blog Entries: 25

Rep: Reputation: 1981
Hi,

If the problem is local to the user then history will be an easier method. Your normal user will not know to delete the log(s). I hope you don't give su/sudoers rights to a normal user. The sudoer can be controlled, but with su you are f*cked if someone does something screwy, even with suauth. Superuser/root should be god; from my point of view there is only one, and that's the way it should be on a system.

Code:
excerpt from 'man sudo';
NAME
       sudo, sudoedit - execute a command as another user

SYNOPSIS
       sudo -K | -L | -V | -h | -k | -l | -v

       sudo [-HPSb] [-a auth_type] [-c class|-] [-p prompt] [-u username|#uid]
       {-e file [...] | -i | -s | command}

       sudoedit [-S] [-a auth_type] [-p prompt] [-u username|#uid] file [...]

DESCRIPTION
       sudo allows a permitted user to execute a command as the superuser or
       another user, as specified in the sudoers file.  The real and effective
       uid and gid are set to match those of the target user as specified in
       the passwd file and the group vector is initialized based on the group
       file (unless the -P option was specified).  If the invoking user is
       root or if the target user is the same as the invoking user, no pass-
       word is required.  Otherwise, sudo requires that users authenticate
       themselves with a password by default (NOTE: in the default configura-
       tion this is the user's password, not the root password). Once a user
       has been authenticated, a timestamp is updated and the user may then
       use sudo without a password for a short period of time (5 minutes
       unless overridden in sudoers).

       When invoked as sudoedit, the -e option (described below), is implied.

       sudo determines who is an authorized user by consulting the file
       /etc/sudoers.  By giving sudo the -v flag a user can update the time
       stamp without running a command.
Code:
NAME
       su - change user ID or become super-user

SYNOPSIS
       su [-] [username [args]]

DESCRIPTION
       su is used to become another user during a login session. Invoked with-
       out a username, su defaults to becoming the super  user.  The  optional
       argument  -  may be used to provide an environment similiar to what the
       user would expect had the user logged in directly.

       Additional arguments may be provided after the username, in which  case
       they are supplied to the user's login shell. In particular, an argument
       of -c will cause the next argument to be treated as a command  by  most
       command  interpreters. The command will be executed by the shell speci-
       fied in /etc/passwd for the target user.

       The user will be prompted for a password, if appropriate. Invalid pass-
       words  will  produce  an  error  message.  All attempts, both valid and
       invalid, are logged to detect abuses of the system.
...

SEE ALSO
       login(1), sh(1), login.defs(5), suauth(5)
You should look at the 'man su' & 'man sudo' to get a full explanation.
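The man pages quoted above make the accountability point for the original poster: sudo logs the invoking user together with the exact command, and su logs every attempt, so the per-user "who ran what as root" report can be built from the auth log rather than from editable shell history. The script below is an added example, not code from the thread, that extracts such a report. The log lines it parses are constructed to match the syslog format sudo(8) and pam_unix write on Debian; the host name, user names and commands are invented. Paths and formats may differ on other distributions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise privileged actions from an
# auth log. Assumes Debian-style syslog lines from sudo(8) and pam_unix (su).

# write_sample_log FILE -- constructed auth.log content for the demo
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 20 10:05:01 lqhost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -f /etc/motd
Nov 20 10:06:12 lqhost su[1234]: pam_unix(su:session): session opened for user root by bob(uid=1001)
Nov 20 10:07:33 lqhost sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Nov 20 10:08:45 lqhost sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Nov 20 10:09:00 lqhost sshd[2001]: Accepted password for carol from 10.0.0.5 port 51022 ssh2
EOF
}

# report_privileged LOGFILE
# One line per event: "<user> sudo <command>" or "<user> su-to <target>",
# then "<user> sudo-auth-failures <n>" for users who failed sudo authentication.
report_privileged() {
    awk '
        # Syslog fields: $1-$3 timestamp, $4 host, $5 program, $6 invoking user (sudo lines).
        # sudo refused: count it, do not treat it as a run command (failure lines also carry COMMAND=)
        / sudo: / && (/incorrect password/ || /NOT in sudoers/) { fail[$6]++; next }
        # sudo accepted: everything after COMMAND= is the command as executed
        / sudo: / && /COMMAND=/ {
            user = $6
            sub(/.*COMMAND=/, "")
            print user " sudo " $0
            next
        }
        # su via PAM: "... session opened for user <target> by <who>(uid=NNN)"
        /pam_unix\(su:session\): session opened for user/ {
            target = $(NF-2); who = $NF
            sub(/\(uid=.*/, "", who)
            print who " su-to " target
        }
        END { for (u in fail) print u " sudo-auth-failures " fail[u] }
    ' "$1"
}

# demo: run the report over the constructed sample log
demo() {
    log=$(mktemp) || return 2
    write_sample_log "$log"
    report_privileged "$log"
    rm -f "$log"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The su entry shows the limit DotHQ raised: the log records that bob became root, but not what the root shell then did, which is why sudo (one logged command per invocation) gives the help desk far better ground to stand on than su.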