RHEL 6.1: bash logging to rsyslogd
Over the last few days I have tried to find an effective solution for logging everything that is being typed under bash.
I have seen simple solutions where a trap is added to a /etc/profile file. However, it's not perfect for a few reasons:
- it can be easily changed/disabled by user
- last command is not logged
- there are some small glitches, like when you hit enter it will log the last command again, and when you log in the log file is filled with over 10 lines of empty commands.
Auditing has been an important subject for many years... I would expect an operating system which has "Enterprise" in its name to have some solution for this issue. I have tried researching available options for RHEL 6, but I couldn't find anything reasonable.
I would like to get some opinions on the subject. Perhaps there is a "redhat" way of implementing this functionality? If not, perhaps you can share your view on how it can be done?
Last edited by oz; 08-23-2011 at 01:00 PM. Reason: spam removal
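The /etc/profile hook approach mentioned in the post, written out as an added example (not code from this thread): a PROMPT_COMMAND that ships each interactive bash command to rsyslog through logger(1) and filters the two glitches described above (the repeated last command on a bare Enter, and the blank entries at login) by tracking the history entry number rather than the command text. The local1 facility, the bash_audit tag and the rsyslog rule are this example's assumptions.

```shell
#!/bin/bash
# Added example, not code from the original thread: a PROMPT_COMMAND hook
# for /etc/profile.d/ that sends each interactive bash command to rsyslog
# through logger(1). It filters the two glitches the post describes:
# a bare Enter (no new history entry) and the blank entries seen at login.
# Facility local1 and tag bash_audit are this example's assumptions.

# Parse one line of `history 1` ("  42  ls -la") into AUDIT_NUM / AUDIT_CMD.
audit_parse() {
    line=$1
    line=${line#"${line%%[! ]*}"}          # strip leading blanks
    AUDIT_NUM=${line%% *}                  # first field: history entry number
    AUDIT_CMD=${line#"$AUDIT_NUM"}         # the rest, minus leading blanks
    AUDIT_CMD=${AUDIT_CMD#"${AUDIT_CMD%%[! ]*}"}
}

# Return 0 only when the history line is a new, non-empty entry. The last
# logged entry number is kept in AUDIT_LAST_NUM, so a repeated identical
# command is still logged but a bare Enter (same entry again) is not.
audit_filter() {
    audit_parse "$1"
    [ -n "$AUDIT_CMD" ] || return 1                       # blank login entry
    [ "$AUDIT_NUM" != "${AUDIT_LAST_NUM-}" ] || return 1  # nothing new typed
    AUDIT_LAST_NUM=$AUDIT_NUM
    return 0
}

# Ship the current command to syslog. Assumed matching rsyslog rule:
#   local1.*    /var/log/bash_audit.log
audit_log() {
    audit_filter "$(history 1)" || return 0
    logger -p local1.notice -t bash_audit \
        "user=${USER-?} uid=$(id -u) pwd=$PWD cmd=$AUDIT_CMD"
}

# Only hook interactive shells. readonly stops a casual unset from the
# prompt, but as the post notes this still relies on the user's shell
# cooperating, so it complements rather than replaces auditd/sudo logging.
case $- in
    *i*) PROMPT_COMMAND=audit_log; readonly PROMPT_COMMAND ;;
esac
```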
You could use Snoopy Logger (SourceForge.net) and/or pypty (freshmeat.net).
It might be a solution for non-root users, or a part of the solution for root users if used together with selinux.
What is your use case exactly?
- Do you (maybe) teach scripting and want to review, what each of the learners did or did not type?
- Do you need to track changes from root users on live production systems (in a bad way: for the purpose of finger-pointing)?
For the latter I wouldn't go the snoopy/pypty way,
as it introduces an additional software component that may or may not alter the behaviour of a live system.
In any case it is slower than it could be.
A more "Senior IT" approach might be:
At my workplace (several hundred machines in three datacenters) the group of sysadmins is trusted and each of us can escalate to root on any machine.
By policy (and for our own sake) we don't change anything manually. If we log in, then usually for investigation purposes.
Everything needs to be maintained by a Puppet manifest,
1) all the machines in a group (webserver, app server, db server, etc) are equally configured
2a) the config is not only reboot-safe,
2b) but also reinstall-safe
3a) all changes are held in a revision control system,
3b) which then can be reviewed, analyzed, rolled back as needed
This obviously also scales much better, as the changes can be seen in one place but are effective on (almost) any number of machines.
In contrast to tracing each and every machine.
Last edited by Irithori; 08-23-2011 at 11:58 AM.