LinuxQuestions.org


daisychick 07-20-2012 03:06 PM

user auditing
 
So, I have some users that are saying their data is "disappearing." I'm looking for an auditing software that would show in depth reports of all commands input by users and all files touched. Can anyone make a recommendation?

Ubuntu 12.04 LTS

Kustom42 07-20-2012 03:32 PM

Not sure of any user auditing software, but I would bet my bottom dollar that this is a PEBKAC error with the users. You should be able to review the individual .bash_history files for the users to do a manual audit.

unSpawn 07-20-2012 04:06 PM

Quote:

Originally Posted by daisychick (Post 4734031)
I'm looking for an auditing software that would show in depth reports of all commands input by users and all files touched. Can anyone make a recommendation?

Sure can:
0) The auditd service allows you to create rules to selectively log anything done by users via system call usage (not invasive if your kernel supports audit),
1) loggedfs (see example output in the auditd missing syscalls? thread) allows you to selectively log anything done by users using FUSE (depends on FUSE),
2) Inotify allows you to watch syscall usage somewhat similar to audit,
3) There are a few Bash logging patches around (invasive: have to replace users' shell with patched version),
4) Rootsh allows you to log complete users' shell history including key strokes and file contents (invasive: have to replace users' shell with rootsh),
//*) For completeness' sake, long-forgotten tool eliott watched directories for file creation/deletion/writes using dnotify (but that was old school kernel 2.4 stuff).
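
For the auditd option above, an added example (not code from the thread or from any poster): a Python parser that groups audit.log records by event serial and reports which login user (auid) successfully deleted which file under /home. The rule key `user-delete`, the presence of `nametype=` on PATH records, and the log lines themselves are assumptions; the sample is constructed.

```python
import re
from collections import defaultdict
from posixpath import join, normpath

# Assumed rule (the key name "user-delete" is hypothetical), e.g. in audit.rules:
# -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat
#    -F dir=/home -F auid>=1000 -F auid!=4294967295 -k user-delete

# Constructed, abbreviated sample records (not taken from a real system).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1342814760.123:421): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2150 auid=1001 uid=1001 comm="rm" exe="/bin/rm" key="user-delete"
type=CWD msg=audit(1342814760.123:421): cwd="/home/alice/docs"
type=PATH msg=audit(1342814760.123:421): item=0 name="/home/alice/docs" nametype=PARENT
type=PATH msg=audit(1342814760.123:421): item=1 name="report.odt" nametype=DELETE
type=SYSCALL msg=audit(1342814802.456:430): arch=c000003e syscall=263 success=no exit=-13 items=2 pid=2201 auid=1002 uid=1002 comm="rm" exe="/bin/rm" key="user-delete"
type=CWD msg=audit(1342814802.456:430): cwd="/home/alice"
type=PATH msg=audit(1342814802.456:430): item=1 name="docs/notes.txt" nametype=DELETE
type=SYSCALL msg=audit(1342815011.789:512): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2300 auid=1002 uid=0 comm="rm" exe="/bin/rm" key="user-delete"
type=CWD msg=audit(1342815011.789:512): cwd="/root"
type=PATH msg=audit(1342815011.789:512): item=1 name="/home/alice/budget.ods" nametype=DELETE
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by event serial: {serial: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        fields["time"] = float(ts)
        events[int(serial)][rtype].append(fields)
    return events

def deletions(text, key="user-delete"):
    """Return (time, auid, uid, exe, absolute path) per successful keyed delete."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        for sc in recs["SYSCALL"]:
            if sc.get("key") != key or sc.get("success") != "yes":
                continue  # skip other rules and denied attempts
            cwd = recs["CWD"][0]["cwd"] if recs["CWD"] else "/"
            for p in recs["PATH"]:
                if p.get("nametype") == "DELETE":
                    out.append((sc["time"], int(sc["auid"]), int(sc["uid"]), sc["exe"], normpath(join(cwd, p["name"]))))
    return out
```

In the third sample event the uid is 0 but the auid is still 1002: the login uid survives privilege changes, which is why the report keys on auid rather than uid.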

