This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
===
Date: Thu, 27 Feb 2003 14:59:01 +0200
From: Ira Abramov <lists-svlug@ira.abramov.org>
To: SV penguin supremacy activism cell <svlug@lists.svlug.org>
Subject: [svlug] Audiing configuration files
Message-ID: <20030227125901.GJ7607@ira.abramov.org>
Content-Type: text/plain; charset=windows-1255
MIME-Version: 1.0
Precedence: list
Message: 2

I've googled all over for this, but I haven't found a good answer yet.

I need to keep an audit on the system configurations (/etc and a few other spots). Since this is not a database I can't easily trigger logs, so here are the options I came up with, none is perfect. They are not needed for security (though that will be nice) but more for keeping tabs of who did what on a multi-admin system.

1. wrap VI with an RCS check-in, condition it with a list of known files I want to save.
   Cons: have to do that to all other editors too, won't help files copied over from elsewhere, won't protect against files loaded while in the editor and not the commandline.

2. do CVS check once an hour or X minutes
   Cons: not granulated enough, heavy if done too often, doesn't tell you who edited.

3. let people only edit via sudo
   Cons: still need to trigger CVS or RCS based on syslogd output (not too tricky), and users must be forced to keep using sudo, which they may not like. An apt search came up with osh, but it sounds similar, haven't tried.

4. use syscalltrack with a log trigger
   Cons: requires a kernel patch (semi-problematic, not too bad), sounds a bit cumbersome, but just might work...

Now is there a fifth way which I haven't found on google? Preferably a single cohesive package and not something that needs half a gallon of glue? Of all the above a combination of SCT with a trigger of CVS seems to sound the best way to go otherwise.
===
Date: 27 Feb 2003 03:35:02 -0800
From: Alex Arbitman <arbitman@pacbell.net>
To: Ira Abramov <lists-svlug@ira.abramov.org>
Cc: svlug@lists.svlug.org
Subject: Re: [svlug] Audiing configuration files
Message-ID: <1046345703.1907.45.camel@alinux>
In-Reply-To: <20030227125901.GJ7607@ira.abramov.org>
References: <20030227125901.GJ7607@ira.abramov.org>
Content-Type: text/plain
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Precedence: list
Message: 4

My idea was simple. I let the user's system do the job for me.

On the server itself every minute cron was running a script checking for a new user connected to the server. If a new user was detected, then a script was started on the user's system which was recording all the activity using the "history" command and at the same time checking if the user is still connected to the server and is staying in his home directory. Once the user is trying to get to some other places besides the home directory (or other permitted places) the "history" list was compared with a so called "prohibited user's activity" list (a simple text file with "chmod 600" placed on every user's system containing lines with "rm", "mv", "vi", "touch", "cd /etc", "chmod", "chgrp" etc... etc... it is really up to you as System Admin). Once some bad activity has been detected, the script was sending mail to the sysadmin containing the user ID and all the history. If the user disconnects from the server then the script automatically stops.

You review the e-mail and know how to proceed at that point.

I hope I got your idea and my e-mail is clear enough.
===
Date: Thu, 27 Feb 2003 17:19:02 -0500
From: Walter Reed <wreed@hubinternet.com>
To: SV penguin supremacy activism cell <svlug@lists.svlug.org>
Subject: Re: [svlug] Audiing configuration files
Message-ID: <20030227221902.GA11872@hubinternet.com>
In-Reply-To: <20030227125901.GJ7607@ira.abramov.org>
References: <20030227125901.GJ7607@ira.abramov.org>
Content-Type: text/plain; charset=us-ascii
MIME-Version: 1.0
Precedence: list
Message: 1

> Now is there a fifth way which I haven't found on google? preferably a
> single cohesive package and not something that needs half a gallon of
> glue? of all the above a combination of SCT with a trigger of CVS seems
> to sound the best way to go otherwise.

Hmm. How about a cron job that ran "find" every 10 minutes or so looking for files (in your target directories) modified less than 10 minutes ago and exec-ing cvs on those. Could even be a one line script...

Just an idea - haven't tried it before...
===
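The cron-driven "find what changed, then check it in" sweep Walter proposes, as an added example that is not part of the thread: a stamp file replaces the fixed 10-minute window so a late or slow cron run cannot leave a gap, and changed files are copied into a snapshot tree and logged with owner and checksum (a real deployment would swap the `cp` for an RCS/CVS check-in). The function name `audit_sweep` and the archive layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Sweep $1 for files changed since the
# previous run and archive them under $2, which must live outside $1.
# Cron line, for instance:  */10 * * * * /usr/local/sbin/audit_sweep.sh /etc /var/lib/cfg-audit

audit_sweep() {
    dir=$1
    archive=$2
    stamp=$archive/.last-sweep
    list=$archive/.changed
    log=$archive/audit.log
    mkdir -p "$archive"

    # Mark the start of this sweep *before* scanning: a file edited while we
    # run is archived now and again next time, rather than missed. A duplicate
    # snapshot is cheap; a hole in the audit trail is not.
    touch "$archive/.this-sweep"

    # -newer compares mtime, so a file restored with cp -p (old mtime kept)
    # slips past; GNU/BSD find's -cnewer (ctime) also catches that and chmod/chown.
    if [ -e "$stamp" ]; then
        find "$dir" -type f -newer "$stamp" > "$list"
    else
        find "$dir" -type f > "$list"        # first run: baseline everything
    fi

    ts=$(date +%Y%m%dT%H%M%S)
    count=0
    while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        sum=$(cksum < "$f" | awk '{print $1}')
        dest=$archive/snap$f.$ts             # keeps the full path: snap/etc/hosts.<ts>
        mkdir -p "$(dirname "$dest")"
        cp -p "$f" "$dest"
        # As the thread notes, this cannot say *who* edited the file: the owner
        # column is the file's owner, not the editor.
        printf '%s\t%s\t%s\t%s\n' "$ts" "$f" "$owner" "$sum" >> "$log"
        count=$((count + 1))
    done < "$list"

    mv "$archive/.this-sweep" "$stamp"       # mv keeps the pre-scan mtime
    echo "$count"
}

# Run when invoked as a script; stays quiet when sourced.
if [ "$#" -eq 2 ]; then
    audit_sweep "$1" "$2"
fi
```

Each sweep prints the number of files it archived, so the cron mail doubles as a change notice only when something actually changed.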