From: Guildford-Unit on 27 May 2005 10:50

Hi,

Have been looking at this for some time but still can not find the ideal solution.

I am looking at a way to monitor all users (inc root). The ideal log file would be a time stamped file of every command issued and by what user. Would not really want the output of commands, this can be worked out after the event if needed.

I have looked into BSM, however the amount of data it can produce is madness. Even a login can generate a 100 line entry, once .profile has finished being read that is !! Also BSM and openssh is not compatible.

Anyone know anything that could do what I am looking for??
Running Sol 8, 9, 10 at present.

Kind regards,
Dom

From: Andreas F. Borchert on 27 May 2005 18:28

On 2005-05-27, Guildford-Unit <Dominic.Searle(a)gmail.com> wrote:
> I am looking at a way to monitor all users (inc root). The ideal log
> file would be a time stamped file of every command issued and by what
> user.

Have you considered accton? See acct(1m).

Andreas.

From: Matty on 27 May 2005 23:58

unixSPAM(a)zeouane.org wrote:
> Guildford-Unit <Dominic.Searle(a)gmail.com> wrote:
>
>> Hi,
>>
>> Have been looking at this for some time but still can not find the
>> ideal solution.
>>
>> I am looking at a way to monitor all users (inc root). The ideal log
>> file would be a time stamped file of every command issued and by what
>> user. Would not really want the output of commands, this can be worked
>> out after the event if needed.
>>
>> I have looked into BSM, however the amount of data it can produce is
>> madness. Even a login can generate a 100 line entry, once .profile has
>> finished being read that is !! Also BSM and openssh is not compatible.
>>
>> Anyone know anything that could do what I am looking for??
>> Running Sol 8, 9, 10 at present.
>
> The only way I can think of (which probably bears no resemblance
> whatsoever to the way it _can_ be done) is to have 'wrappers' for every
> command, and have the wrapper write the input to a logfile, before
> executing the command. Of course, root would still be able to
> execute the command, even if you stopped all other users doing so. I
> considered .profile containing aliases to the wrappers, but then if the
> .profile is in the users' $HOME, they'll be able to alter it at will. I
> think. I don't know. My head hurts.
>
> Why do you want to do this?

Why not use process accounting? That can log executed commands.

From: Casper H.S. Dik on 28 May 2005 07:42

"Guildford-Unit" <Dominic.Searle(a)gmail.com> writes:

>I am looking at a way to monitor all users (inc root). The ideal log
>file would be a time stamped file of every command issued and by what
>user. Would not really want the output of commands, this can be worked
>out after the event if needed.

But you would like the arguments?

>I have looked into BSM, however the amount of data it can produce is
>madness. Even a login can generate a 100 line entry, once .profile has
>finished being read that is !! Also BSM and openssh is not compatible.

Madness? BSM can be tailored to log just all the commands and not anything else.

Yes, people can execute many commands in their ~/.profile.

Casper
--
Expressed in this posting are my opinions. They are in no way related to opinions held by my employer, Sun Microsystems. Statements on Sun products included here are not gospel and may be fiction rather than truth.

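The tailoring Casper describes, followed through to the log the original question asks for, as an added example that is not part of the thread: a shell function that reduces praudit text output to one timestamped line per executed command. It assumes auditing restricted to the exec class with arguments recorded (`flags:ex` in /etc/security/audit_control and `auditconfig -setpolicy +argv`) and Solaris 10 style header tokens; the sample records and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes auditing is limited to the exec
# class with arguments recorded, e.g. "flags:ex" in /etc/security/audit_control
# and "auditconfig -setpolicy +argv", and Solaris 10 style praudit text output.

# Constructed sample of praudit output: two execve records and one login record.
sample_trail() {
    cat <<'EOF'
header,113,2,execve(2),,host1,2005-05-27 10:50:12.123 +01:00
path,/usr/bin/ls
attribute,100555,root,bin,136,1234,0
exec_args,2,ls,-l
subject,dom,dom,staff,dom,staff,2001,3001,0 0 host1
return,success,0
header,90,2,login - ssh,,host1,2005-05-27 10:51:00.000 +01:00
subject,dom,dom,staff,dom,staff,2000,3001,0 0 host1
return,success,0
header,118,2,execve(2),,host1,2005-05-27 10:52:40.456 +01:00
path,/usr/sbin/useradd
attribute,100555,root,sys,136,5678,0
exec_args,3,useradd,-m,eve
subject,dom,root,other,root,other,2002,3001,0 0 host1
return,success,0
EOF
}

# Reduce praudit text on stdin to one line per exec:
#   timestamp audit=<login user> euid=<effective user> status path [argv]
# The audit ID in the subject token stays with the login user across su, so
# commands run as root are still attributed. Arguments containing commas are
# not handled by this simple field split.
summarize_exec() {
    awk -F, '
        $1 == "header"    { want = ($4 ~ /^execve?\(2\)$/); when = $NF; path = args = ""; next }
        !want             { next }
        $1 == "path" && path == "" { path = $2 }
        $1 == "exec_args" { args = $3; for (i = 4; i <= NF; i++) args = args " " $i }
        $1 == "subject"   { auid = $2; euid = $3 }
        $1 == "return"    { print when, "audit=" auid, "euid=" euid, $2, path, "[" args "]"; want = 0 }
    '
}

# On a live system the input would come from: auditreduce -c ex | praudit
sample_trail | summarize_exec
```
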
From: Daniel Rock on 28 May 2005 11:47

Guildford-Unit <Dominic.Searle(a)gmail.com> wrote:
> Also BSM and openssh is not compatible.

Starting with OpenSSH 4.0p1 BSM is now supported without the need for some unofficial patches. It is still marked *EXPERIMENTAL* but worked for me so far with no problems. Just ./configure with the --with-audit=bsm parameter.

--
Daniel