LinuxQuestions.org
Old 02-09-2007, 03:04 PM   #1
jviola
Member
 
Registered: May 2004
Posts: 47

sending alerts when a command is used


Is there a way to send an alert to an email address every time someone uses a certain command? For example, if someone tries to vi a file. Well, I guess I'd like to be able to choose any command I want. Also, can a log be kept every time someone accesses a file or writes to it? If so, how do you do it?

Thanks,
Jeff

 
Old 02-09-2007, 03:27 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

What are you trying to accomplish, and why? Is there a specific need for doing this? Are you bound by any limitations, or can you do about anything to make solutions work? Is the machine hardened? Are we talking local or remote users? Certain users or all? Are we talking about a single machine, or do you have a central syslog server?
 
Old 02-09-2007, 03:45 PM   #3
jviola
Member
 
Registered: May 2004
Posts: 47

Logging access and sending alerts

We have 1 Linux server that the users (approximately 123 users) connect to using a telnet session. The application writes to a flat-file database. We think we have the server locked down so that the users can't get to the shell. We need to be able to track, if they do get to the shell, what commands they have used and whether they have accessed any files. We have 4 administrators who have shell access and can get to these files. We would like an email alert to be sent if/when they access any of these files.

This is a RH Enterprise 4.0 server.

Sarbanes-Oxley..... request.

Thanks,
 
Old 02-09-2007, 05:53 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

OK, so you got hit by the SOX section 404 thing, right? Bummer...

First thing I would suggest is look around for SOX toolkits to help you achieve compliance. Make sure you know *exactly* what you need to do (and do share that information if you care).

Second thing I'd suggest is figuring out the impact of damage a user can do. Not so much wrt the system but wrt the data (verification, retention). You probably have to provide proof showing you can test and maintain integrity. Then figure out the impact of damage on the system. If it's intolerable and 0) the box already runs SELinux and 1) the box runs only that application (meaning it's not Swiss cheese application- or daemon-wise) you could decide to run the "strict" SELinux policy. That isn't a decision you can turn a knob for (writing and testing iterations), but you have a real assurance nobody, including root, can do more damage than those rules allow for. Note there's one thing more fascist than "strict" and that's MLS. It's more geared towards those that work with (near-) EAL/CAPP grade systems. You don't need that. If you would, you'd already know ;-p


Wrt accountability, wrt your questions there are two ways IMHO:
- either you allow shell access so users can choose to run the application, or you
- replace the shell with a wrapper that execs the application.
Personally I would choose exec'ing, because then (unless the application itself allows users to exec a subprocess) the user has no foothold on the system and access is gone when the application exits.
If for some obscure reason you are bound to provide shell access, then you (next to what PAM already governs)
- need to run a login shell that allows for logging, like rootsh (or sudosh),
- configure the shell to log to syslog *and*
- syslog to a remote syslog server to assure you have untaintable logs.
Rootsh can also log to separate session files, but I guess that isn't a scalable solution if you are going to scale up. Running SELinux with the "strict" policy also means users will be bound by specific rules governing what resources they are allowed to access. Since access means really *everything*, this covers writes as well.
Wrt alerting, I think email is the worst thing to do if you're gonna shepherd multiple servers. Instead you should use something like a central management station that polls resources like the syslog server. Note this all kind of hinges on you being able to implement SELinux with the "strict" policy. If you can't do that, all isn't lost, but to stand a chance I'd exhaust all methods of warfare at your disposal before looking at other options...

HTH

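A minimal version of the "wrapper that execs the application" option from the post above, added here as an example (it is not from the thread, from RHEL or from any package). The application path /opt/app/bin/app and the wrapper name "appshell" are assumptions; the point it shows is that the wrapper refuses any argument list (so it cannot be used as "sh -c"), logs the session to syslog, ignores the keyboard signals that would otherwise let a user interrupt it, and then execs the application so no shell is left behind.

```shell
#!/bin/sh
# appshell: replacement login shell that only ever execs one application.
# Install as /usr/local/bin/appshell, list it in /etc/shells, and make it the
# users' shell (chsh -s /usr/local/bin/appshell jeff).
# Assumptions (not from the thread): the application binary is
# /opt/app/bin/app and the wrapper is installed under the name "appshell".

APP=/opt/app/bin/app
TAG=appshell

# session_allowed ARGS...: succeed only for a plain interactive login.
# login(1)/telnetd start the login shell with no arguments; "-c command"
# invocations (what ssh, scp or rsync would send) are refused so the wrapper
# cannot be turned into a generic command runner.
session_allowed() {
    [ $# -eq 0 ]
}

# build_log_line USER TTY FROM EVENT: the record handed to syslog, which adds
# the timestamp and host itself. FROM falls back to "local" when empty.
build_log_line() {
    printf 'user=%s tty=%s from=%s event=%s' "$1" "$2" "${3:-local}" "$4"
}

main() {
    user=$(id -un)
    term_dev=$(tty 2>/dev/null || echo none)
    # Some telnetd builds export REMOTEHOST, sshd exports SSH_CONNECTION;
    # otherwise the peer is only in utmp and the field stays empty.
    from=${REMOTEHOST:-${SSH_CONNECTION%% *}}

    if ! session_allowed "$@"; then
        logger -p authpriv.warning -t "$TAG" \
            "$(build_log_line "$user" "$term_dev" "$from" "refused-args")"
        exit 1
    fi
    logger -p authpriv.notice -t "$TAG" \
        "$(build_log_line "$user" "$term_dev" "$from" "login")"

    # Ignore keyboard and job-control signals: ignored dispositions survive
    # exec, so neither the wrapper nor the application can be interrupted or
    # suspended to drop the user at a prompt. SIGHUP is left alone so a
    # dropped telnet connection still ends the session.
    trap '' INT QUIT TSTP
    cd / || exit 1
    # Scrub the environment so inherited ENV, BASH_ENV or LD_PRELOAD cannot
    # influence what runs; exec replaces the wrapper, leaving no shell behind.
    exec /usr/bin/env -i HOME="$HOME" USER="$user" TERM="${TERM:-vt100}" \
        PATH=/usr/bin:/bin "$APP"
}

# Act as a login shell only when run under the installed name; under any
# other name the file just defines the functions above.
case "${0##*/}" in
    appshell|-appshell) main "$@" ;;
esac
```

The wrapper only holds if the application itself has no shell escape (a ":!" in vi, "!" in less/more, a "run command" menu entry) and does not reset the ignored signals; that is the "unless the application itself allows for users to exec a subprocess" caveat in the post, and it has to be checked per application, not assumed.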
 
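For the "central management station that polls the syslog server" side of the post above, here is an added example (not from the thread or any product) of the scan such a station would run over the forwarded log to answer the original question, "send an email when one of the four admins touches these files". It assumes, hypothetically, that the admins run privileged commands through sudo so sudo's standard "COMMAND=" records reach syslog, and that the flat-file database lives under /var/app/data; the sample records are constructed.

```shell
#!/bin/sh
# watchlog: pull file-access events worth an alert out of a syslog file, the
# sort of job a central station runs against the remote syslog server's copy.
# Assumptions (not from the thread): the admins run privileged commands via
# sudo, so sudo's standard "COMMAND=" records are in the forwarded log, and
# the flat-file database lives under /var/app/data.

WATCH_DIR=/var/app/data
# Commands that read, copy or rewrite files; an ERE alternation used by awk.
WATCH_CMDS='vi|vim|cat|cp|mv|rm|dd|tee|less|more|sed|perl|python|sh|bash'

# scan_log FILE: print each sudo record that runs a watched command, names a
# path under WATCH_DIR, or was run from a working directory under WATCH_DIR
# (the last catches "cp orders.dat /tmp" with a relative path, which a path
# match alone would miss). Each hit is prefixed with its reasons.
scan_log() {
    awk -v dir="$WATCH_DIR" -v cmds="$WATCH_CMDS" '
        function join(a, b) { return a == "" ? b : a "," b }
        # sudo format: "sudo: USER : TTY=.. ; PWD=.. ; USER=root ; COMMAND=/bin/vi FILE"
        # (newer versions log the tag as "sudo[PID]:")
        /sudo(\[[0-9]+\])?: .* COMMAND=/ {
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            cwd = $0; sub(/.*PWD=/, "", cwd); sub(/ ;.*/, "", cwd)
            n = split(cmd, argv, " ")
            base = argv[1]; sub(/.*\//, "", base)      # "/bin/vi" -> "vi"
            why = ""
            if (base ~ ("^(" cmds ")$")) why = join(why, "watched-command")
            for (i = 2; i <= n; i++)
                if (argv[i] == dir || index(argv[i], dir "/") == 1) {
                    why = join(why, "watched-path"); break
                }
            if (cwd == dir || index(cwd, dir "/") == 1) why = join(why, "watched-cwd")
            if (why != "") print why ": " $0
        }' "$1"
}

# alert FILE RECIPIENT: mail the hits; returns 0 if something was sent, 1 if
# the log was clean. Run from cron on the syslog host against the lines
# logged since the previous run.
alert() {
    hits=$(scan_log "$1")
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits" | mail -s "file-access alert on $(hostname)" "$2"
}

# Constructed sample records (no real host) so the scan can be tried offline:
#   sample_log > /tmp/secure.sample; scan_log /tmp/secure.sample
sample_log() {
    cat <<'EOF'
Feb  9 15:04:01 appsrv sudo:     jeff : TTY=pts/3 ; PWD=/home/jeff ; USER=root ; COMMAND=/bin/vi /var/app/data/accounts.dat
Feb  9 15:05:12 appsrv sudo:     mike : TTY=pts/4 ; PWD=/home/mike ; USER=root ; COMMAND=/sbin/service syslog restart
Feb  9 15:06:40 appsrv sudo:     anne : TTY=pts/5 ; PWD=/var/app/data ; USER=root ; COMMAND=/bin/cp orders.dat /tmp/orders.bak
Feb  9 15:07:03 appsrv sudo[4242]:     dave : TTY=pts/6 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/md5sum /var/app/data/orders.dat
Feb  9 15:08:15 appsrv sshd[4301]: Accepted password for jeff from 10.0.0.5 port 40122 ssh2
EOF
}
```

On the sample records the scan flags jeff (watched command on a watched path), anne (watched command run from inside the data directory with a relative path) and dave (an unlisted command, but on a watched path), and ignores the service restart and the sshd line. What it cannot see is anything typed inside an interactive root shell ("sudo -s", "su -"), since those produce a single COMMAND= record and nothing afterwards; that gap is exactly what the rootsh/sudosh session logging in the post is for, and the scan should run on the remote syslog server's copy so root on the application box cannot edit the evidence first.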
  

