Thursday, March 13, 2008

Preserving History - Command Monitoring in ITM 6.1

Sometimes you want to monitor the commands issued by various users and flag potentially dangerous ones. This article outlines three ways to do this and feed the results into ITM.

Use sudo

sudo is the simplest choice for auditing commands invoked as the super user. It ships as a standard package on most Unix/Linux systems and logs every invocation, successful or denied, to syslog, including the invoking user, the target user and the full command line. You could use an ITM Universal Agent file data provider or the ITM Unix Log agent to monitor the log messages written by sudo. The drawback is that sudo only sees commands that go through sudo: anything a user runs directly under their own account is not recorded, and once a user obtains an interactive shell via sudo (for example with "sudo su -" or "sudo -s") the commands typed inside that shell are not logged individually either.

Use command history files

This is the simplest approach, but not a reliable one. We could read the command history each shell keeps for its user, but the history file is written by the user's own shell under the user's own privileges, so the user can disable it (for example by switching to a shell that does not keep a history file, such as the Bourne shell, or by unsetting HISTFILE) or simply edit it afterwards. Moreover, the history does not by default record when a command was invoked (bash only adds timestamps when HISTTIMEFORMAT is set, again under the user's control), so a crucial piece of information is missing.

Use audit trail utilities

If you are looking for a basic security audit trail utility, you could use psacct (BSD process accounting) to log the commands invoked by all users. It is very easy to set up: install the package and enable accounting with accton (or the psacct service). It provides commands such as lastcomm to list the commands invoked by a particular user along with their start times, and the records are written by the kernel rather than by the user's shell, so an unprivileged user cannot turn them off or edit them. Bear in mind that process accounting stores only the command name, truncated and without its arguments: you will see that "rm" was run, but not what it was run on. You could run lastcomm from your Universal Agent Script Data Provider to monitor the commands invoked by a particular user. There are commercial tools available as well and you may want to consider them if your budget allows.
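As an added example (not code from the original post), here is a small check script of the kind a Universal Agent Script Data Provider could run. It covers both sources discussed above: it parses sudo's syslog lines (including denied attempts) and lastcomm's process-accounting records, matches the command name against a watchlist, and prints one line per hit. The watchlist, the user names and all log data below are constructed for the example and are assumptions, not real output.

```shell
#!/bin/sh
# Added example: scan two command-audit sources for a watchlist of dangerous
# command names and print one line per hit, in a form an ITM Universal Agent
# Script Data Provider can consume.
#   1. sudo entries as sudo writes them to syslog
#   2. process-accounting records as printed by lastcomm (psacct)
# All sample data in this file is constructed for the example.

# Command names to flag. The list itself is an assumption for this example.
WATCHLIST='rm|chmod|chown|useradd|userdel|passwd|shutdown|mkfs|dd'

# Constructed sudo syslog lines. The field layout (user : TTY= ; PWD= ; USER= ; COMMAND=)
# is sudo's standard syslog format; denied attempts carry "command not allowed".
SUDO_LOG='Mar 13 10:01:22 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls /root
Mar 13 10:02:05 host1 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/rm -rf /var/log/audit
Mar 13 10:03:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd backdoor
Mar 13 10:04:11 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/sbin/shutdown -h now'

# Constructed lastcomm output: command name, optional flags column (S = ran with
# superuser privileges, F = forked, D = core dumped, X = killed), user, tty,
# CPU time, then the start time. Process accounting keeps only the command
# name, never its arguments, which is why "rm" appears without "-rf".
LASTCOMM_OUT='ls                     alice    pts/0      0.00 secs Thu Mar 13 10:01
rm                     bob      pts/1      0.00 secs Thu Mar 13 10:02
chmod            S     root     pts/1      0.00 secs Thu Mar 13 10:03
sh                     bob      pts/1      0.01 secs Thu Mar 13 10:03
userdel                alice    pts/0      0.00 secs Thu Mar 13 10:05'

# check_sudo_log TEXT
# Prints: sudo <RAN|DENIED> <user> <basename> <full command line> for watchlisted commands.
check_sudo_log() {
    printf '%s\n' "$1" | awk -v re="^($WATCHLIST)\$" '
        /sudo:/ && /COMMAND=/ {
            user = $0; sub(/^.*sudo: */, "", user); sub(/ .*/, "", user)
            cmdline = $0; sub(/^.*COMMAND=/, "", cmdline)
            first = cmdline; sub(/ .*/, "", first)
            n = split(first, p, "/"); base = p[n]      # basename of the program
            status = ($0 ~ /command not allowed/) ? "DENIED" : "RAN"
            if (base ~ re) print "sudo", status, user, base, cmdline
        }'
}

# check_lastcomm TEXT [USER]
# Prints: acct <user> <command> <start time> for watchlisted commands, optionally
# restricted to one user (on a live system you would pass the user name to lastcomm).
check_lastcomm() {
    printf '%s\n' "$1" | awk -v re="^($WATCHLIST)\$" -v who="$2" '
        NF >= 9 {
            cmd = $1
            i = 2
            # Skip the optional flags column. A command literally named S, F, D or X
            # would be misparsed here; acceptable for this example.
            if ($i ~ /^[SFDX]+$/) i++
            user = $i
            when = $(NF-3) " " $(NF-2) " " $(NF-1) " " $NF   # weekday month day hh:mm
            if (cmd ~ re && (who == "" || user == who))
                print "acct", user, cmd, when
        }'
}

# Stand-alone run: report all sudo hits, all accounting hits, then only bob's.
check_sudo_log "$SUDO_LOG"
check_lastcomm "$LASTCOMM_OUT"
check_lastcomm "$LASTCOMM_OUT" bob
```

On a live system you would feed check_sudo_log the new lines from the syslog file sudo writes to (typically /var/log/secure or /var/log/auth.log, depending on the distribution) and check_lastcomm the output of lastcomm itself. Note what each source can and cannot tell you: the sudo line carries the full argument list and whether the command was allowed, while the accounting record shows the bare command name, so a hit on "rm" from lastcomm tells you it ran and when, but not on what.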

Hope this gives you an idea.
