Full Discussion: Log Review- SU
Special Forums Cybersecurity Log Review- SU Post 302955837 by rbatte1 on Tuesday 22nd of September 2015 07:16:22 AM
Our policy is that every use of su or sudo has to be explained. Just collecting the records and challenging is a good start, however I added something in to /etc/profile that tries to log all the commands too. There are certainly some flaws with it and it depends on people doing su - or su - username to run the profile and therefore be effective, but that has always been the habit here, so I got away with that.

There were various other application specific things embedded in the code but having stripped that out, I think this might still work:-
Code:
# Log each interactive command once, via syslog, keyed on its history number.
# PTS must hold the pseudo-terminal name; defaulting it from tty(1) is an
# assumption added here, since the post leaves it for the reader to supply.
PTS=${PTS:-$(tty)}

function lgcmd
{
    cur_cmd_seq=`fc -l -0 | cut -f1`          # history number from fc's listing
    if [ "$cur_cmd_seq" != "$prev_cmd_seq" ]  # skip repeats: the trap fires per simple command
    then
        prev_cmd_seq="$cur_cmd_seq"
        /usr/bin/logger "on $PTS as `id -un`: `fc -l -0 | cut -f2-`"
    fi
}

prev_cmd_seq=                  # Set as null in case shell refuses unset variables
trap lgcmd DEBUG               # run lgcmd before every command (bash/ksh DEBUG trap)

You would need to determine the pseudo-terminal as $PTS but the rest gives you a fairly good trace to challenge people with.


I hope that this helps,
Robin
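A review helper for the trace the trap above produces, added here as an example and not part of the original post: it pairs the "on <pts> as <user>: <command>" lines with the su record for the same pseudo-terminal so root sessions can be listed and challenged. The syslog prefix, the su line layout and the sample lines are constructed assumptions; adapt the two regexes to your own syslog.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines (not real data); the su line layout and the
# "on <pts> as <user>: <cmd>" layout from the trap are assumptions to adapt.
SAMPLE_LOG = """\
Sep 22 07:10:01 host1 su: 'su root' succeeded for alice on /dev/pts/3
Sep 22 07:10:05 host1 alice: on pts/3 as alice: ls -l /var/log
Sep 22 07:10:09 host1 root: on pts/3 as root: grep alice /etc/passwd | wc -l
Sep 22 07:10:09 host1 root: on pts/3 as root: grep alice /etc/passwd | wc -l
Sep 22 07:10:30 host1 root: on pts/3 as root: useradd mallory
Sep 22 07:11:02 host1 root: on pts/7 as root: crontab -e
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
CMD_RE = re.compile(TS + r"\S+: on (?P<pts>\S+) as (?P<user>[^:]+): (?P<cmd>.*)$")
SU_RE = re.compile(TS + r"su: (?P<detail>.*) on /dev/(?P<pts>\S+)$")


def parse_log(text):
    """Split syslog text into su events and trap-logged commands (lists of dicts)."""
    su_events, commands = [], []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if m:
            su_events.append(m.groupdict())
            continue
        m = CMD_RE.match(line)
        if m:
            commands.append(m.groupdict())
    return su_events, commands


def root_sessions(text):
    """Group commands run as root per pts and attach the su record that opened the
    session.  A pts with root commands but no su record gets su_missing=True so the
    reviewer can ask how root was obtained.  Consecutive identical lines are
    collapsed: the DEBUG trap can fire once per simple command of a pipeline."""
    su_events, commands = parse_log(text)
    su_by_pts = {e["pts"]: e["detail"] for e in su_events}
    sessions = OrderedDict()
    for c in commands:
        if c["user"] != "root":
            continue
        s = sessions.setdefault(c["pts"], {"su": su_by_pts.get(c["pts"]), "cmds": []})
        if s["cmds"] and s["cmds"][-1] == (c["ts"], c["cmd"]):
            continue
        s["cmds"].append((c["ts"], c["cmd"]))
    for s in sessions.values():
        s["su_missing"] = s["su"] is None
    return sessions


if __name__ == "__main__":
    for pts, s in root_sessions(SAMPLE_LOG).items():
        print(pts, "su:", s["su"], "MISSING" if s["su_missing"] else "", [c for _, c in s["cmds"]])
```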
 

audit_binfile(5)            Standards, Environments, and Macros            audit_binfile(5)

NAME
       audit_binfile - generation of Solaris audit logs

SYNOPSIS
       /usr/lib/security/audit_binfile.so

DESCRIPTION
       The audit_binfile plugin module for Solaris audit, /usr/lib/security/audit_binfile.so, writes binary audit data to files as configured in audit_control(4); it is the default plugin for the Solaris audit daemon auditd(1M). Its output is described by audit.log(4).

       The audit_binfile plugin is loaded by auditd if audit_control contains one or more lines defining audit directories by means of the dir: specification or if audit_control has a plugin: specification of name=audit_binfile.so.

OBJECT ATTRIBUTES
       The p_dir and p_minfree attributes are equivalent to the dir: and minfree: lines described in audit_control. If both the dir: line and the p_dir attribute are used, the plugin combines all directories into a single list with those specified by means of dir: at the front of the list. If both the minfree and the p_minfree attributes are given, the p_minfree value is used.

EXAMPLES
       The following directives cause audit_binfile.so to be loaded, specify the directories for writing audit logs, and specify the percentage of required free space per directory.

         flags: lo,ad,-fm
         naflags: lo,ad
         plugin: name=audit_binfile.so; p_minfree=20;
             p_dir=/etc/security/jedgar/eggplant,
             /etc/security/jedgar.aux/eggplant,
             /etc/security/global/eggplant

ATTRIBUTES
       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |MT Level                     |MT-Safe                      |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Evolving                     |
       +-----------------------------+-----------------------------+

SEE ALSO
       auditd(1M), audit_control(4), syslog.conf(4), attributes(5)

SunOS 5.10                            20 May 2003                           audit_binfile(5)