Auditing User Commands

From: Frank Wortner <frank_at_bondnet.com>
Date: Thu, 24 Jun 1999 09:51:58 -0400

Does anyone here have any suggestions for keeping an audit trail of user
commands for a user's entire login session -- regardless of whether that
user uses 'su' or the freeware 'sudo' program to change user IDs?

We have a system that uses a generic "admin" ID to perform most functions,
own most files, etc. Right now, operators, systems staff, and
programmers log in directly to that ID to perform administrative tasks. What
we would like to do is eliminate direct logins to that ID, but rather give
authorized users the ability to perform those tasks under their own IDs. In
addition, we're looking to generate audit records, so we can have
accountability ("who did what when"). My idea was to 1) turn on Enhanced
Security; 2) use the freeware "sudo" command to allow users to become the
admin user (by sudo'ing a shell) without having to know any admin passwords;
3) use the audit system to generate records of "exec" events.

So far, I haven't been able to get the results that I've wanted. The audit
records don't seem to show all commands run, and those after the sudo are
listed under the new ID, not the one that originally logged in.

I can supply more details on configuration, etc., but I thought I'd give a
generic description in case I'm running into a common error, or I'm trying
to do something that's "impossible." ;-)

Thanks!

Frank
Received on Thu Jun 24 1999 - 13:54:25 NZST
