Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Audit on specific user in linux
Special Forums Cybersecurity Audit on specific user in linux Post 302578049 by jim mcnamara on Wednesday 30th of November 2011 03:15:51 PM
Old 11-30-2011
Strong suggestion - use sudo and /etc/sudoers. Lock any direct login access.
For solaris folks reading this: use /etc/user_attr and the associated tools.

This provides you with a lot more control: you set up who can get into admin1, and lets you log everything, for example with script. If the user exits from the script process, the session ends. You can also control what those user accounts can and cannot do.
script usage in .profile :
Code:
echo "`date1 admin1 logged  in $$ "> /secure/log/file
script -a /secure/log/file
exit

This is not perfect, but is a decent start without invoking a whole lot of accounting.
There are also good keyloggers out there, but if you have someone trying to dodge security, by getting around key-logging or script, then you are crazy to have given them sudo access to admin in the first place.
 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

audit user activity - possible?

Hi, I have been asked if it is possible to track the last time a specific user logged in to the sysetm. checked my documentation but can't see it there - google is not being very helpful either. I wonder if someone here can help - it will be much appreciated. Thanks Suresh (1 Reply)
Discussion started by: sureshy
1 Replies

2. UNIX for Dummies Questions & Answers

Difference between : Locked User Account & Disabled User Accounts in Linux ?

Thanks AVKlinux (3 Replies)
Discussion started by: avklinux
3 Replies

3. SuSE

Audit SUSE Linux 10

Dear Team, If I want to audit SUSE linux 10, who access the file system (e.g. file or delete file) Did any know how to do it? HappyDay (3 Replies)
Discussion started by: happyday
3 Replies

4. UNIX for Advanced & Expert Users

audit user commands of different users under root account

Hi, I would like to know if there is anyway that I can pinpoint the user before/after he connects to the root? Also, I'm trying to find out what are the commands he inputs under root access. (6 Replies)
Discussion started by: pointgetter0
6 Replies

5. Solaris

Is it possible to audit a specific folder or file in Solaris ?

Hi, I wish to audit access to a specific folder or file in Solaris. I have read the man pages for auditd, audit_control , audit_event but don't seem to find any clue. Has anyone tried this before ? Is it feasible ? Any advise is appreciated. Thanks Yik (5 Replies)
Discussion started by: ycheng08
5 Replies

6. Cybersecurity

audit user in BSM/C2 Log

Hi, I keep encountering events in the BSM/C2 logs which shows that the audit-user who performed the event is the user (e.g. ongkk in the example below). However, the user is able to show me that he wasn't logged in at that time nor have the rights to perform the event (e.g. su in this example).... (5 Replies)
Discussion started by: BERNIELEE68
5 Replies

7. UNIX for Advanced & Expert Users

allow user to use sudo cp on a specific directory and only a specific file

Is there a way to allow a user to use sudo cp on a specific directory and only a specific file? (6 Replies)
Discussion started by: cokedude
6 Replies

8. AIX

When AIX audit start, How to set the /audit/stream.out file size ?

Dear All When I start the AIX(6100-06)audit subsystem. the log will save in /audit/stream.out (or /audit/trail), but in default when /audit/stream.out to grow up to 150MB. It will replace the original /audit/stream.out (or /audit/trail). Then the /audit/stream.out become empty and... (2 Replies)
Discussion started by: nnnnnnine
2 Replies

9. Red Hat

Does Red hat linux 9 has audit rpm package?

Dear All I have a old system run in Red hat Linux 9.. And if it's possible, I want to install the audit rpm package in the Red hat Linux 9. But I can't find the audit-*.rpm file in the Red hat Linux 9's CD..? Can any help me to conform Red hat Linux 9 doesn't support audit? Any... (0 Replies)
Discussion started by: nnnnnnine
0 Replies

10. Shell Programming and Scripting

Audit user activity

Need some help in coming up to log all the activity that is used with our common "unix account". Ideally I am looking for to log the activity in a "separate" file for each session or login until the user logout, I would like to capture the date/time and terminal login and record all the ... (3 Replies)
Discussion started by: rajmanna
3 Replies

LEARN ABOUT OPENDARWIN

script

SCRIPT(1)						    BSD General Commands Manual 						 SCRIPT(1)

NAME

     script -- make typescript of terminal session

SYNOPSIS

     script [-a] [-k] [-q] [-t time] [file [command ...]]

DESCRIPTION

     The script utility makes a typescript of everything printed on your terminal.  It is useful for students who need a hardcopy record of an
     interactive session as proof of an assignment, as the typescript file can be printed out later with lpr(1).

     If the argument file is given, script saves all dialogue in file.	If no file name is given, the typescript is saved in the file typescript.

     If the argument command ... is given, script will run the specified command with an optional argument vector instead of an interactive shell.

     Options:

     -a       Append the output to file or typescript, retaining the prior contents.

     -k       Log keys sent to program as well as output.

     -q       Run in quiet mode, omit the start and stop status messages.

     -t time  Specify time interval between flushing script output file.  A value of 0 causes script to flush for every character I/O event.  The
	      default interval is 30 seconds.

     The script ends when the forked shell (or command) exits (a control-D to exit the Bourne shell (sh(1)), and exit, logout or control-d (if
     ignoreeof is not set) for the C-shell, csh(1)).

     Certain interactive commands, such as vi(1), create garbage in the typescript file.  The script utility works best with commands that do not
     manipulate the screen.  The results are meant to emulate a hardcopy terminal, not an addressable one.

ENVIRONMENT

     The following environment variable is utilized by script:

     SHELL  If the variable SHELL exists, the shell forked by script will be that shell.  If SHELL is not set, the Bourne shell is assumed.  (Most
	    shells set this variable automatically).

SEE ALSO

     csh(1) (for the history mechanism).

HISTORY

     The script command appeared in 3.0BSD.

BUGS

     The script utility places everything in the log file, including linefeeds and backspaces.	This is not what the naive user expects.

     It is not possible to specify a command without also naming the script file because of argument parsing compatibility issues.

     When running in -k mode, echo cancelling is far from ideal.  The slave terminal mode is checked for ECHO mode to check when to avoid manual
     echo logging.  This does not work when in a raw mode where the program being run is doing manual echo.

BSD
								   June 6, 1993 							       BSD
All times are GMT -4. The time now is 10:03 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy