
"That tracks each user's actions (if they don't sudo -s)"

Or any of a million other ways:

  $ sudo /bin/bash
  $ sudo su
  $ cp /bin/bash ./; sudo chmod u+S ./bash; ./bash
  $ sudo less # invoke /bin/bash from inside less
That list can keep going for a long time. Hardly a trusted way to track a user...


You can track a user on Linux (reliably)

Here are 2 ways I know of:

- Linux Audit. Just have auditd tracing all execves. All execs made after UID transition (sudo su, sudo -s, what not) have an AUID appended that is filled with the original "logged-in-as" UID.

- RSBAC. Does basically the same thing

Both are kernel side. Userspace tools to control.
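As an added example (not from this thread), a small Python parser over constructed auditd records showing the point made above: after `sudo su`, the root-level `cat` still carries auid=1000 and can be attributed to the login UID. It assumes an execve rule such as `-a always,exit -F arch=b64 -S execve -k exec` is loaded and that the log is in raw (uninterpreted) form, where execve is syscall 59 on x86_64; the sample lines below are constructed, not a real capture.

```python
import re
from collections import defaultdict

# auid is an unsigned 32-bit field; -1 (never set, e.g. daemons) appears as 4294967295
AUID_UNSET = 4294967295

# Constructed sample (not a real capture): UID 1000 runs `sudo su`, then `cat` as root.
# Every execve after the UID transition still carries auid=1000, the login UID.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=EXECVE msg=audit(1700000000.100:201): argc=2 a0="sudo" a1="su"
type=SYSCALL msg=audit(1700000000.200:202): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=902 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="su" exe="/usr/bin/su" key="exec"
type=EXECVE msg=audit(1700000000.200:202): argc=1 a0="su"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=59 success=yes exit=0 ppid=903 pid=904 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.300:203): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.400:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key="exec"
type=EXECVE msg=audit(1700000000.400:204): argc=1 a0="logrotate"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # serial that links SYSCALL and EXECVE records

def parse_fields(line):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def attribute_execs(log_text):
    """Join SYSCALL and EXECVE records by serial; report login UID vs. the UID the command ran as."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = parse_fields(line)
        ev = events[int(m.group(1))]
        if fields.get("type") == "SYSCALL" and fields.get("syscall") in ("59", "execve"):  # 59 = execve, x86_64
            ev.update(auid=int(fields["auid"]), uid=int(fields["uid"]), exe=fields.get("exe", ""))
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
    records = []
    for serial in sorted(events):
        ev = events[serial]
        if "auid" in ev and "argv" in ev:
            auid, uid = ev["auid"], ev["uid"]
            records.append({"serial": serial, "exe": ev["exe"], "argv": ev["argv"],
                            "login_uid": None if auid == AUID_UNSET else auid,
                            "ran_as_uid": uid,
                            # true when a logged-in user is acting under another UID (root after sudo su)
                            "escalated": auid != AUID_UNSET and auid != uid})
    return records
```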


"- RSBAC. Does basically the same thing"

And a nuclear reactor does basically the same thing as my electric tea kettle;)


The bash shell, as of v4.1, can syslog every command, if you enable it at compile time. Very useful, we use it on all our prod boxes. Take all the other shells off the system and it becomes much harder for a hax0r not to leave an audit trail.


Because uploading a precompiled binary is so difficult?


It would at least be useful for auditing normal users of the system.


What I meant was that your group needs to have one "social" rule, "run all admin cmds under sudo, don't spawn a root shell and do it all there", for you to have effective tracking.



