This is exactly what I am looking for. I am able to at this time identify which script or process is using my resources on my web hosting servers using GNU accounting and sa, but to be able to see which user has educated what would be a huge help.
Could anyone point me to docs on how to do process logging via one of the HIDS applications. Dale. On Thu, Aug 20, 2009 at 11:09 PM, Ron Gula <[email protected]>wrote: > Joe Magee wrote: > > We've certainly seen it. Can be a bit noisy in a production *nix > environment. A lot of times we isolate this to say "PCI" systems or other > compliance targets... > > > > With that said, it's also interesting seeing those backup jobs running as > root, or better yet seeing the backup jobs failing as root (ie not running.) > Then running a report that shows that happening every night for the past > month (doh!) > > > > I miss Squire... :) > > > > - Joe > > > > P.S. Who's not a lurker! (that'd be me..) > > I've also heard folks say that this causes a performance hit. I think > the hit is really on your log server and disk drive. > > I'm a fan of doing this sort of logging because after the fact, if > you really need to know what an admin or a hacker did, you have a lot > more to go on that just login/logout logs. I wish both Windows and > Unix platforms did more to log the arguments of the commands run. > > Having said that, our approach with our Log Correlation Engine product > is to: > > - summarize all unique commands and user accounts run on a daily basis > which makes for a nice quick report. > - alert the first time when a new command is run during a given hour > of the day. > - have all of the process/program accounting logs available with other > logs in case you need to look that close at what happened. > > A lot of folks tend to do this sort of auditing on their databases, > but I'd like to see more folks run this on their web app servers. It > won't help for someone who can steal/ex-filtrate data, but it can help > if someone is invoking a command through a web app flaw. > > -- > Ron Gula, CEO > Tenable Network Security > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
