Full Discussion: Log Review- SU
Special Forums Cybersecurity Log Review- SU Post 302955837 by rbatte1 on Tuesday 22nd of September 2015 07:16:22 AM
Our policy is that every use of su or sudo has to be explained. Just collecting the records and challenging is a good start; however, I added something into /etc/profile that tries to log all the commands too. There are certainly some flaws with it, and it depends on people doing su - or su - username to run the profile and therefore be effective, but that has always been the habit here, so I got away with that.

There were various other application-specific things embedded in the code, but having stripped that out, I think this might still work:-
Code:
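function lgcmd
{
    # History number of the most recent entry (first tab-separated field of fc output)
    cur_cmd_seq=`fc -l -0 | cut -f1`
    # The DEBUG trap can fire several times for one command line; log each entry once
    if [ "$cur_cmd_seq" != "$prev_cmd_seq" ]
    then
        prev_cmd_seq="$cur_cmd_seq"
        # Send the terminal, current user and command text to syslog
        /usr/bin/logger "on $PTS as `id -un`: `fc -l -0 | cut -f2-`"
    fi
}

prev_cmd_seq=                  # Set as null in case shell refuses unset variables
trap lgcmd DEBUG               # Call lgcmd from the shell's DEBUG trap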

You would need to determine the pseudo-terminal as $PTS but the rest gives you a fairly good trace to challenge people with.


I hope that this helps,
Robin
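
For the review side of the policy described in the post, the following is an added example (not part of the original post) that pulls the "on <pts> as <user>: <command>" records back out of syslog so they can be challenged per user. The syslog line layout, the function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: review syslog records written by the lgcmd trap.
# Assumed line layout (an assumption about the host's syslog format):
#   Mon DD HH:MM:SS host tag: on <pts> as <user>: <command>

# Constructed sample records, not real log data.
sample_log() {
cat <<'EOF'
Sep 22 07:01:10 apphost rbatte1: on pts/3 as root: vi /etc/hosts
Sep 22 07:01:42 apphost rbatte1: on pts/3 as root: service httpd restart
Sep 22 07:02:05 apphost jsmith: on pts/5 as oracle: sqlplus / as sysdba
Sep 22 07:03:00 apphost sshd[2211]: Accepted publickey for jsmith from 192.0.2.10
Sep 22 07:04:17 apphost jsmith: on pts/5 as root: grep ": on pts/9 as nobody: " /var/log/messages
EOF
}

# parse_lgcmd: read syslog on stdin, print "time|pts|user|command" per record.
# The leftmost ": on <pts> as <user>: " is taken as the header, so the same
# words appearing later inside the command text stay part of the command.
parse_lgcmd() {
  awk '
    match($0, /: on [^ ]+ as [^ :]+: /) {
      hdr = substr($0, RSTART + 5, RLENGTH - 7)   # "<pts> as <user>"
      split(hdr, p, " as ")
      cmd = substr($0, RSTART + RLENGTH)          # everything after the header
      printf "%s %s %s|%s|%s|%s\n", $1, $2, $3, p[1], p[2], cmd
    }'
}

# commands_as USER: only the records logged under that user name.
commands_as() {
  parse_lgcmd | awk -F"|" -v u="$1" '$3 == u'
}

# count_by_user: "<user> <count>" lines, sorted by user name.
count_by_user() {
  parse_lgcmd | awk -F"|" '{ n[$3]++ } END { for (u in n) print u, n[u] }' | sort
}

sample_log | commands_as root
sample_log | count_by_user
```

Any local user can call logger with the same message text, so these records are a starting point for questions rather than proof of what was run.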
 
