Visit Our UNIX and Linux User Community

Full Discussion: Log Review- SU
Special Forums Cybersecurity Log Review- SU Post 302955837 by rbatte1 on Tuesday 22nd of September 2015 07:16:22 AM
Old 09-22-2015
Our policy is that every use of su or sudo has to be explained. Just collecting the records and challenging is a good start, however I added something in to /etc/profile that tries to log all the commands too. There are certainly some flaws with it and it depends on people doing su - or su - username to run the profile and therefore be effective, but that has always been the habit here, so I got away with that.

There were various other application specific things embedded in the code but having stripped that out, I think this might still work:-
Code:
function lgcmd
{
 cur_cmd_seq=`fc -l -0 | cut -f1`
 if [ "$cur_cmd_seq" != "$prev_cmd_seq" ]
 then
    prev_cmd_seq="$cur_cmd_seq"
    /usr/bin/logger "on $PTS as `id -un`: `fc -l -0 | cut -f2-`"
 fi
}

prev_cmd_seq=                  # Set as null in case shell refuses unset variables
trap lgcmd DEBUG

You would need to determine the pseudo-terminal as $PTS but the rest gives you a fairly good trace to challenge people with.


I hope that this helps,
Robin
 
Test Your Knowledge in Computers #128
Difficulty: Easy
Generally speaking, most of the software included in a Linux distro is free and open source.
True or False?

5 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Where can I review the source code?

A very n00b question: After compiling and installing software, where does the original source code reside? I'd like to study the source code of some of the ports I've installed. Thanks! :D (1 Reply)
Discussion started by: Aaron Van
1 Replies

2. Shell Programming and Scripting

Please, review script.

Hi guys, I 've been brewing this shellscript, but I can't test it until next tuesday. In the meantime I am too curious wether it will work or not, so I'd like to hear your comments. Background: I want to watch the user quota for mailboxes in various email-domains on a IMAP-server. I have... (1 Reply)
Discussion started by: algernonz
1 Replies

3. Solaris

please review this cron syntax

Dears if i want to run this job every Saturday at 6 AM that will be the code * 6 * * 1 cd /export/home/jenova ; ls -ltr >> $HOME/jenova_dir (2 Replies)
Discussion started by: jenovaux
2 Replies

4. Post Here to Contact Site Administrators and Moderators

Please review this thread wrt o/p

https://www.unix.com/unix-dummies-questions-answers/117633-top-output-specific-process-file-2.html (2 Replies)
Discussion started by: methyl
2 Replies

5. IP Networking

Netsat output-Please review

Hello, Please review the output below and suggest if you notice the parameters going out of limit. netstat -p udp udp: 382735172 datagrams received 0 incomplete headers 0 bad data length fields 0 bad checksums 12519 dropped due to no socket ... (2 Replies)
Discussion started by: Vishal_dba
2 Replies
audit_binfile(5)					Standards, Environments, and Macros					  audit_binfile(5)

NAME
audit_binfile - generation of Solaris audit logs SYNOPSIS
/usr/lib/security/audit_binfile.so DESCRIPTION
The audit_binfile plugin module for Solaris audit, /usr/lib/security/audit_binfile.so, writes binary audit data to files as configured in audit_control(4); it is the default plugin for the Solaris audit daemon auditd(1M). Its output is described by audit.log(4). The audit_binfile plugin is loaded by auditd if audit_control contains one or more lines defining audit directories by means of the dir: specification or if audit_control has a plugin: specification of name=audit_binfile.so. OBJECT ATTRIBUTES
The p_dir and p_minfree attributes are equivalent to the dir: and minfree: lines described in audit_control. If both the dir: line and the p_dir attribute are used, the plugin combines all directories into a single list with those specified by means of dir: at the front of the list. If both the minfree and the p_minfree attributes are given, the p_minfree value is used. EXAMPLES
The following directives cause audit_binfile.so to be loaded, specify the directories for writing audit logs, and specify the percentage of required free space per directory. flags: lo,ad,-fm naflags: lo,ad plugin: name=audit_binfile.so; p_minfree=20; p_dir=/etc/security/jedgar/eggplant, /etc/security/jedgar.aux/eggplant, /etc/security/global/eggplant ATTRIBUTES
See attributes(5) for a description of the following attributes: +-----------------------------+-----------------------------+ | ATTRIBUTE TYPE | ATTRIBUTE VALUE | +-----------------------------+-----------------------------+ |MT Level |MT-Safe | +-----------------------------+-----------------------------+ |Interface Stability |Evolving | +-----------------------------+-----------------------------+ SEE ALSO
auditd(1M), audit_control(4), syslog.conf(4), attributes(5) SunOS 5.10 20 May 2003 audit_binfile(5)

Featured Tech Videos

All times are GMT -4. The time now is 03:06 AM.
Unix & Linux Forums Content Copyright 1993-2020. All Rights Reserved.
Privacy Policy