
Re: [tlug] command-line recording...



On Mon, Sep 28, 2009 at 16:28, Curt Sampson <cjs@example.com> wrote:
> On 2009-09-28 15:58 +0900 (Mon), Bruno Raoult wrote:
>> Yes, the only thing I want to protect is the log file...
>
> This is what I really don't get. Basically, a logfile that doesn't show
> what really happened is fine, so long as it was produced in one way,
> rather than another.

The situation: developers and support people. They all have access to production machines. Audit does not like it. "Segregating" roles is necessary, which we cannot do (the support team being too small).
So what I proposed to the audit was: "We cannot avoid having developers access our production environment. But we will have a log of what they do on this environment."
They said it was an acceptable solution.
And by the way, this log is not necessary for support people, but I will not make a different setup for practical reasons.

>> 1) The generic account history file will be shared by all
>> support/developers, and we would be unable to find who really typed a
>> given command.
>
> This makes things even more interesting. I don't use generic
> accounts myself, for a lot of very good reasons, but you appear to
> be saying something along the lines of Joe logging in and saying,
> "record-my-actions as fred" is ok, or even forgetting to run the
> "record-my-actions" command is ok, but Joe doing something like
> "record-my-actions as joe" and then later doing "mv joe.log fred.log" is
> not acceptable.

I am sure you do use generic accounts. root is one.
If you have an "apache" server, what is its uid? Yours? Surely not.

OK: This is not "Joe" being "Fred", but both "Joe" and "Fred" (as known persons) becoming "generic server account" (for instance "apache").
Imagine a system where we have a server. This server has to be managed by different people, so it is "generic". My target is to know what Fred and what Joe did on this specific account...

I want to know that Fred changed a config file on Wednesday at 3:00, and I want to know that Joe did something at 3:05 on the same file. And they should not be able to change these history files (syslog is fine, then)...

Bruno.

-- 
2 + 2 = 5, for very large values of 2.
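One concrete way to get the per-person attribution described in the message above (who really sat behind a shared account such as "apache", which command, at what time, recorded somewhere the account itself cannot rewrite). This is an added example, not code from the thread or from any of its participants. It assumes that people reach the generic account through sudo or su from their own personal login, that the interactive shell is bash (so PROMPT_COMMAND can run a hook after every command), and that syslog is configured to forward the auth facility to a log host; the function names and the "cmdaudit" tag are choices made here, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: attribute commands typed under a shared
# ("generic") account to the real person who logged in, and hand each one to
# syslog, where the generic account cannot edit it afterwards.
#
# Assumptions (not stated in the thread): the person reaches the generic
# account via sudo/su from their own login, and the interactive shell is bash,
# so PROMPT_COMMAND can call audit_last_command after every command.

# real_user: the person behind the session, even after su/sudo to "apache".
# sudo exports SUDO_USER; otherwise `logname` returns the name recorded at
# login; fall back to the effective user if neither is available.
real_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        logname 2>/dev/null || id -un
    fi
}

# audit_line ACCOUNT REAL_USER TTY COMMAND
# Builds the single syslog-ready line: the account worked on, who really
# typed the command, from which terminal, and the command text. It is a pure
# function so it can be checked without touching syslog; syslog itself adds
# the timestamp that gives the "Wednesday 3:00 / 3:05" timeline.
audit_line() {
    printf 'account=%s real_user=%s tty=%s cmd=%s\n' "$1" "$2" "$3" "$4"
}

# audit_last_command: meant to run from bash's PROMPT_COMMAND. Reads the
# command that just finished from the shell history (fc -ln -1), builds the
# audit line and sends it to syslog with the auth facility, tagged "cmdaudit".
audit_last_command() {
    last=$(fc -ln -1 2>/dev/null | sed 's/^[[:space:]]*//')
    acct=$(id -un)
    term=$(tty 2>/dev/null || echo notty)
    logger -p auth.info -t cmdaudit \
        "$(audit_line "$acct" "$(real_user)" "$term" "$last")"
}

# Install hook (bash only): in the generic account's ~/.bashrc, or system-wide
# in /etc/bash.bashrc, after sourcing the functions above:
#   PROMPT_COMMAND='audit_last_command'
```

Two points a practitioner would want alongside this: the record is only as tamper-resistant as the place it lands, so the auth facility should be forwarded to a remote log host the generic account cannot write to (a local file is editable by anyone who is root); and a shell hook records what an interactive shell ran, nothing more, so it gives the audit trail Bruno describes as acceptable to the auditors rather than a control that prevents anything.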

