Solved

centos 5 - auditd

Posted on 2011-02-22
2
1,056 Views
Last Modified: 2012-06-27
Need to log keystrokes for a user that's logging into one of our centos 5 boxes. I've enabled the pam_tty_audit module in /etc/pam.d/system-auth file, using the
session required pam_tty_audit.so disable=* enable=user,root     line. It's working ok, but messages in the /var/log/audit/audit.log are delayed, and sometimes only appear when the user being monitored logs out. How can I make auditd log activity in real time, so we can watch with 'tail -f'?
Thanks
0
Comment
Question by:netlabz
2 Comments
 
LVL 5

Accepted Solution

by:
_-MYFOX-_ earned 500 total points
ID: 34953845
try rootsh http://www.securityfocus.com/tools/3580
It's a low-level monitoring eg keystrokes
0
 

Author Comment

by:netlabz
ID: 34954113
rootsh works pretty well, only drawback is it requires the user to enter their p/w again for sudo. Even if I have 'sudo rootsh' in their .bashrc or .bash_profile they have to enter their password.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Delete email that have a topic like  Cpanel 3 69
linux installs 6 49
nagios 4 php error after installation 6 79
Reset Root Password on CentOS 6 4 44
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now