Tracking logins (remote & command level)
Hi,
I need a solution to track the users who log in to a remote machine and become root. I also need to know from which machine the user logged in and the command history of the user. This monitoring should run round the clock.
If there is any solution for this, please let me know.
Thanks in advance.
-Pani G
# 2
Every couple of weeks a question like this pops up, so you could also try searching for older threads on this subject.
Basically what things boil down to:
1. Make sure that you configure syslogd in such a way that it logs things like logins, su usage and so on.
2. Make a central logging server ("secloghost" for example) and configure all of the syslog daemons in such a way that they write their security related entries to this host, as well as to their local log files.
3. Try to find a way to secure the user's .history files. Either regularly SCP them to the secloghost or keep them somewhere else.
The problem with all of these points is the fact that whenever a user is root, he/she can circumvent all of these security measures. So while you could even go so far as to install keystroke logging shells, root can always be used to tamper with the log files.
This is of course why you should keep your root accounts as secure as possible :)
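As an added example (not part of either post above), here is one way to answer "who became root, and from which machine" from the entries collected on the central log host described in points 1 and 2. The log formats (OpenSSH `Accepted ...` lines and Linux PAM `su` session lines), the host names and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample lines as they might arrive on the central log host.
# Assumed formats: OpenSSH "Accepted ..." and Linux PAM su session lines.
SAMPLE_LOG = """\
Mar  3 09:14:02 web01 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  3 09:15:40 web01 su: pam_unix(su:session): session opened for user root by alice(uid=1001)
Mar  3 09:20:11 db01 sshd[981]: Accepted password for bob from 198.51.100.7 port 40022 ssh2
Mar  3 09:21:30 web01 su: pam_unix(su:auth): authentication failure; logname=carol uid=1004 euid=0 tty=pts/2 ruser=carol rhost=  user=root
Mar  3 09:30:05 db01 su[1200]: pam_unix(su:session): session opened for user root by bob(uid=1002)
Mar  3 09:41:00 db01 su: pam_unix(su:session): session opened for user root by dave(uid=1003)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS hostname "
PREFIX = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
LOGIN = re.compile(
    PREFIX + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
SU_ROOT = re.compile(
    PREFIX + r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): "
             r"session opened for user root by (?P<user>[^(\s]+)")


def root_escalations(log_text):
    """Return one record per successful su to root, with the source address
    of that user's most recent SSH login on the same host (None if unseen)."""
    last_login = {}  # (host, user) -> source address of latest SSH login
    events = []
    for line in log_text.splitlines():
        m = LOGIN.match(line)
        if m:
            last_login[(m["host"], m["user"])] = m["src"]
            continue
        m = SU_ROOT.match(line)
        if m:  # failed su attempts (su:auth lines) do not match and are skipped
            key = (m["host"], m["user"])
            events.append({"time": m["ts"], "host": m["host"],
                           "user": m["user"], "from": last_login.get(key)})
    return events


if __name__ == "__main__":
    for event in root_escalations(SAMPLE_LOG):
        print(event)
```

Run it against the copy held on the central log host, not the local files, since, as the reply says, root on the monitored machine can alter those. A `None` source, as for `dave` here, means no matching SSH login was seen in the window and is worth a closer look.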