[SGVLUG] Security/auditing and the "sudo" log
John Lowry
johnlowry at gmail.com
Mon Mar 2 11:16:29 PST 2009
OSSEC is both a log monitoring program as well as a file integrity
checker like Tripwire. It is pretty easy to set up and has commercial
support if you are interested in something like that. I have been using
it for two years now and the wiki along with the mailing list are very
active for help.
http://www.ossec.net/
Jeremy Leader wrote:
> Tom, I don't have a direct answer to your question, but some of our
> CentOS 5 (and possibly CentOS 4 as well) boxes here have "logwatch"
> running on them, which monitors log files and emails a nightly summary
> of interesting content from the logs. One of the logs it monitors is
> sudo; it reports each user who sudo'd at least once in the last day,
> and the commands they executed. It also reports login failures via X,
> sshd, etc., as well as reporting the output of "df".
>
> I only get emails for two boxes that I'm the only regular user of, so
> I don't know how well it scales to lots of boxes with lots of users,
> but for me it's easy to see if someone else is doing something, and
> roughly what they're doing. However, it doesn't show what directory
> the command was run in, which means something like "sudo make install"
> doesn't tell me *what* was installed.
>
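As an added example (not code from either message above), here is a small summarizer for the syslog lines sudo writes. Each record carries a PWD= field alongside the COMMAND=, so a per-user report can show the directory a "make install" ran from; refusals ("user NOT in sudoers", bad passwords) are collected separately. The log lines, hostnames, users and paths below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format sudo uses on CentOS-era hosts
# (host, users and paths are made up for this example).
SAMPLE_LOG = """\
Mar  2 11:16:29 web1 sudo:     tom : TTY=pts/0 ; PWD=/home/tom/src/foo-1.2 ; USER=root ; COMMAND=/usr/bin/make install
Mar  2 11:18:02 web1 sudo:     tom : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/vi sudoers
Mar  2 11:20:01 web1 sudo:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  2 11:21:05 web1 sudo:     eve : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/su
"""

# A refused request carries an extra free-text reason before the TTY= field.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_lines(text):
    """Return one dict per sudo record; lines from other daemons are skipped."""
    records = []
    for line in text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ok"] = rec["reason"] is None  # a reason field means sudo refused
        records.append(rec)
    return records

def summarize(records):
    """Group executed commands by invoking user (with PWD); list refusals apart."""
    by_user = defaultdict(list)
    refused = []
    for r in records:
        if r["ok"]:
            by_user[r["user"]].append((r["pwd"].strip(), r["cmd"]))
        else:
            refused.append((r["user"], r["reason"].strip(), r["cmd"]))
    return dict(by_user), refused

if __name__ == "__main__":
    ok, bad = summarize(parse_sudo_lines(SAMPLE_LOG))
    for user, entries in sorted(ok.items()):
        print(user)
        for pwd, cmd in entries:
            print(f"  [{pwd}] {cmd}")
    for user, reason, cmd in bad:
        print(f"REFUSED {user}: {reason} ({cmd})")
```

Point it at /var/log/secure (or wherever syslog sends the authpriv facility) instead of SAMPLE_LOG to get the same report for a real host.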