I have discussed in previous posts the importance of administrators using SUDO to provide individual accountability. SUDO provides command-by-command accounting of actions performed by administrators, with logs sent as standard syslog events looking like this:
Feb 4 19:23:23 bsd sudo: jerry : TTY=pts/0 ; PWD=/usr/home/jerry ; USER=root ; COMMAND=/bin/ps -x
Feb 4 19:23:34 bsd sudo: jerry : TTY=pts/0 ; PWD=/usr/home/jerry ; USER=root ; COMMAND=/usr/bin/vi /etc/passwd
Feb 4 19:23:59 bsd sudo: jerry : TTY=pts/0 ; PWD=/usr/home/jerry ; USER=root ; COMMAND=/usr/bin/tail -100 /var/log/messages
We can see pretty clearly all the actions I took above: the user “jerry” performed a number of actions, including one that is potentially concerning: vi /etc/passwd. The action on /etc/passwd requires some investigation.
First, we need to be sure that an administrator can’t cover his tracks by deleting logs. This is best accomplished by streaming the logs to a hardened syslog server, where the administrator doesn’t have the ability to delete logs. Read more…
RSS Error: A feed could not be found at http://www.syslog.org/forum/.xml/?type=rss. A feed with an invalid mime type may fall victim to this error, or SimplePie was unable to auto-discover it.. Use force_feed() if you are certain this URL is a real feed.