Auditing - Logging all commands and arguments

I want to increase my security and auditing on some systems by adding full logging of every command and all arguments to every command that is typed on any shell used on the system.

I have used sa before this only logs the command program, not the arguments which makes all the difference. Also, I'm not sure it will catch shell built-ins or people truncating files like so "> filename".

I have used snoopy before which I liked and seemed to work quite well although it does not seem to be supported any more since 2004 looking at the sourceforge site. Since this uses execve I'm not sure this will catch shell built-ins either in fact, and nor am I sure about packages/maintainability of doing this, but then considering it has not been updated in 3.5 years I doubt updates will be a problem... (of course this raises issues about security or bugs discovered in it if not maintained).

I've also found sudosh on google but this seems to be an imperfect approach since it requires giving people an alternate shell through sudo. What happens when logging all commands but one command is just "bash" and everything inside that command is a black box?

Ideally I'd like whatever auditing solution I implement to be shell neutral.

Sudo itself if completely inadequate because people "sudo su" and it would be difficult if not impossible to grant people access to only specific commands.


So what do you use for complete command auditing/logging?

I run GRSec (grsecurity) on all my servers. Here is a snippet of the feature list that might be relevant for you:

- Option to specify single group to audit
- Exec logging with arguments
- Denied resource logging
- Chdir logging
- Mount and unmount logging
- IPC creation/removal logging
- Signal logging
- Failed fork logging
- Time change logging

An entry in the file looks like this:
Dec 24 21:22:53 hostname grsec: exec of /bin/rm (rm testfile ) by /bin/bash[bash:10482] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:10476] uid/euid:0/0 gid/egid:0/0

This should cover everything you want -- besides the shell built-ins stuff.

yes I actually have grsec on a few servers, but it's logging is so massive that it's actually quite difficult to handle...

I have for example on one server, just chdir logging and this provides tonnes of logging on a hardly used server.

Imagine if you turned on full logging on all those things you mentioned... it could kill a server's disk space in a day. You couldn't even keep/manage the logs, you'd need a massive logserver, which would be expensive and difficult to manage because of the sheer size. Now multiply this by 50x for a relatively small environment. How the heck could you deal with that?!

The other problem is that it doesn't really catch shell built-in logging, so somebody could truncate a critical system file and you'd never find out who...

Otherwise I really like GrSecurity...

You can try snoopy for lightweight solution. Here (sorry, still can't post urls):
https :// sourceforge.net/projects/snoopylogger/

Thread is well over 2 years old, locking...