
List:       npaci-rocks-discussion
Subject:    [Rocks-Discuss] Re: Command line logging
From:       "Hamilton, Scott L." <hamiltonsl () mst ! edu>
Date:       2015-01-30 18:16:09
Message-ID: EE1AE97C3F55A34DA72100E8437D838AD069D8B8 () UM-MBX-T01 ! um ! umsystem ! edu

Simon,

If you have a method of logging commands to syslog already, if you implement that on
the nodes you can configure that particular log entry to forward to the head node.
Currently the Rocks cluster nodes forward all info or higher log messages to the head
node by default, so a syslog solution will work as well, as long as it is logged with
info or higher message levels.

I am quite interested in your method of logging commands to syslog if you wouldn't
mind sharing with the list. I have a few problem users on Linux workstations that
keep doing things to break their machines, but are never willing to admit what they
have done. If I logged their command line activity it would make troubleshooting the
issue a lot easier, knowing what they have done.

It is really fairly simple. Each home directory has a .bash_history file that will
show every command that user has run in the length of the history. I think the
default is the last 1000 commands or something along those lines.

As for logging all outbound connections, that is as simple as changing the firewall
rules on the head node, adding

    # log every packet traversing FORWARD to the kernel log at priority 4 (warning)
    -A FORWARD -j LOG --log-prefix 'FORWARD TCP ' --log-level 4

just before the

    #  A50-FORWARD-RELATED (host) :
    -A FORWARD -i em1 -o em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    #  A60-FORWARD (host) :
    -A FORWARD -i em2 -j ACCEPT

This will log all the forwarded traffic from the head node firewall. If you want to
log everything, just add the -j LOG option to the end of every line in the iptables
configuration.

Scott
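An added example of the "log commands to syslog" approach Scott refers to above, so that the nodes' default forwarding carries each command to the head node. This is not Simon's method and not Rocks code: it is a bash PROMPT_COMMAND hook that hands the last history entry to logger(1). The install path /etc/profile.d/cmdlog.sh, the tag bash-cmd and the authpriv.info priority are assumptions; the sample values in the comments are constructed.

```shell
# Added example (not from the thread): log each interactive bash command to syslog
# so the node's default "info or higher" forwarding ships it to the head node.
# Intended for /etc/profile.d/cmdlog.sh (assumed path); the hook only activates in
# interactive shells, so scripts and the verifier's non-interactive run are unaffected.

# Turn one line of `history 1` output ("  42  cmd args") plus session context into a
# single syslog-friendly record. Kept separate from the hook so it can be tested.
cmdlog_format() {
    local histline=$1 user=$2 cwd=$3 conn=$4
    local cmd src
    # strip the leading history number (HISTTIMEFORMAT stays unset, so there is no
    # timestamp column; syslog adds its own)
    cmd=$(printf '%s' "$histline" | sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//')
    # SSH_CONNECTION is "client_ip client_port server_ip server_port"; keep the client
    src=${conn%% *}
    printf 'user=%s src=%s cwd=%s cmd=%s' "$user" "${src:-local}" "$cwd" "$cmd"
}

# PROMPT_COMMAND hook: runs just before each prompt, i.e. right after the command
# the user just finished typing.
cmdlog_record() {
    local last
    last=$(history 1)
    # an empty Enter re-shows the same history entry; do not log it twice
    [ "$last" = "${CMDLOG_LAST:-}" ] && return 0
    CMDLOG_LAST=$last
    # authpriv.info clears the "info or higher" bar for the nodes' default forwarding
    logger -p authpriv.info -t bash-cmd -- \
        "$(cmdlog_format "$last" "${USER:-$(id -un)}" "$PWD" "${SSH_CONNECTION:-}")"
}

case $- in
*i*)
    HISTCONTROL=                      # record consecutive duplicates as well
    shopt -s histappend
    PROMPT_COMMAND='cmdlog_record'"${PROMPT_COMMAND:+; $PROMPT_COMMAND}"
    ;;
esac
```

Once sourced, a session that runs `ssh -p 2222 user@203.0.113.7` from /home/alice over SSH from 198.51.100.5 produces a syslog line tagged bash-cmd reading `user=alice src=198.51.100.5 cwd=/home/alice cmd=ssh -p 2222 user@203.0.113.7`. Because the record leaves the node through syslog, a rebuilt compute node loses only its local copy, which is the failure case Simon raises. This is an accountability aid rather than a control: a user can unset PROMPT_COMMAND, start a different shell, or run commands through a program, so treat it as a complement to the connection log, not a substitute.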


-----Original Message-----
From: npaci-rocks-discussion-bounces@sdsc.edu
[mailto:npaci-rocks-discussion-bounces@sdsc.edu] On Behalf Of James Kress
Sent: Friday, January 30, 2015 10:59 AM
To: 'Discussion of Rocks Clusters'
Subject: [Rocks-Discuss] Re: Command line logging

I'm sure the NSA has an app for that.

Jim

James Kress Ph.D., President
The KressWorks Foundation C
An IRS Approved 501 (c)(3) Charitable, Nonprofit Organization
"Improving Lives One Atom At A Time" TM
(248) 605-8770

Learn More and Donate At:
http://www.kressworks.org

Confidentiality Notice | This e-mail message, including any attachments, is for the
sole use of the intended recipient(s) and may contain confidential or proprietary
information. Any unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, immediately contact the sender by reply e-mail
and destroy all copies of the original message.

-----Original Message-----
From: npaci-rocks-discussion-bounces@sdsc.edu
[mailto:npaci-rocks-discussion-bounces@sdsc.edu] On Behalf Of Simon Andrews
Sent: Friday, January 30, 2015 11:27 AM
To: npaci-rocks-discussion@sdsc.edu
Subject: [Rocks-Discuss] Command line logging

As part of a security audit I've been asked if we are able to generate a log of all
of the commands run by users on our ROCKS cluster, both on the head node and also
within qlogin or qrsh sessions on a compute node. I know there may be no perfect
solution to this but if I could at least log direct bash commands that would be
better than nothing. For the head node I can see ways to log commands to syslog, but
on the compute nodes I can't see an easy way to log this in a way which wouldn't fail
if the node had a problem and was rebuilt.

Since what we really care about is tracking connections to other remote systems to be
able to track malicious activity, I was also wondering if we could simply log all
outbound connections (we'd need at least a username, a date stamp, a port and a
destination IP) in a way which could just be run from the head node?

I'm guessing we can't be the first group to be asked to do this kind of monitoring,
so is anyone able to share how they've set this up, or suggest the easiest way to put
it in place?

Thanks

Simon.
The Babraham Institute, Babraham Research Campus, Cambridge CB22 3AT Registered
Charity No. 1053902. The information transmitted in this email is directed only to
the addressee. If you received this in error, please contact the sender and delete
this email from your system. The contents of this e-mail are the views of the sender
and do not necessarily represent the views of the Babraham Institute. Full conditions
at: http://www.babraham.ac.uk/terms
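An added example, not part of the thread, that turns the kernel log lines produced by the `-A FORWARD -j LOG --log-prefix 'FORWARD TCP '` rule Scott gives into one record per connection attempt with the date stamp, destination IP and port Simon asks for. The field layout is the standard iptables LOG format as relayed through syslog; em1 (external) and em2 (internal) follow the rules quoted in Scott's reply; the host name headnode and the sample lines are constructed. Two caveats in my own voice: the rule as placed logs every packet of every flow (hence the SYN/ACK and ACK-only lines in the sample, which the parser drops), so on a busy cluster `-m conntrack --ctstate NEW` plus `-m limit` on the LOG rule keeps volume sane; and the username Simon wants is not in these lines at all, because the `owner` match only works in the OUTPUT chain of the host that originates the traffic, so user attribution has to come from per-node rules or from joining these records to the nodes' shell logs by source IP and time.

```shell
# Added example (not from the thread): summarise iptables FORWARD LOG lines, as
# relayed by syslog, into one line per connection attempt.
#
# fwlog_summarize [internal_iface]
# Reads syslog lines on stdin and prints "<timestamp> <in-iface> <src> <dst> <dport>/<proto>".
# With an interface argument, only packets that entered on that interface are reported,
# which on Scott's layout (em2 = cluster side) means outbound connections only.
fwlog_summarize() {
    awk -v want="${1:-}" '
    /FORWARD TCP .*IN=/ {
        ts = $1 " " $2 " " $3            # syslog timestamp: Mon DD HH:MM:SS
        iface = src = dst = proto = dpt = ""; syn = ack = 0
        for (i = 4; i <= NF; i++) {
            if (split($i, kv, "=") == 2) {
                if (kv[1] == "IN") iface = kv[2]
                else if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            } else if ($i == "SYN") syn = 1
            else if ($i == "ACK") ack = 1
        }
        if (src == "" || dst == "" || (want != "" && iface != want)) next
        # TCP: count a connection once, on the bare SYN. The rule also logs the
        # SYN/ACK reply and every later ACK of the same flow; those are skipped.
        if (proto == "TCP" && syn && !ack) {
            print ts, iface, src, dst, dpt "/tcp"
        # UDP has no handshake: report the first packet per (iface, src, dst, dport).
        } else if (proto == "UDP" && !seen[iface, src, dst, dpt]++) {
            print ts, iface, src, dst, dpt "/udp"
        }
    }'
}

# Constructed sample (not captured from a real cluster): an outbound SSH handshake
# (SYN, SYN/ACK, ACK), two packets of one outbound DNS query, and one inbound SSH
# attempt from the outside that the em2 filter in fwlog_demo excludes.
FWLOG_SAMPLE='Jan 30 18:16:09 headnode kernel: FORWARD TCP IN=em2 OUT=em1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=52012 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 30 18:16:09 headnode kernel: FORWARD TCP IN=em1 OUT=em2 SRC=203.0.113.7 DST=10.1.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=22 DPT=52012 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Jan 30 18:16:10 headnode kernel: FORWARD TCP IN=em2 OUT=em1 SRC=10.1.1.5 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=52012 DPT=22 WINDOW=229 RES=0x00 ACK URGP=0
Jan 30 18:16:11 headnode kernel: FORWARD TCP IN=em2 OUT=em1 SRC=10.1.1.9 DST=198.51.100.53 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=UDP SPT=40000 DPT=53 LEN=50
Jan 30 18:16:11 headnode kernel: FORWARD TCP IN=em2 OUT=em1 SRC=10.1.1.9 DST=198.51.100.53 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=8 DF PROTO=UDP SPT=40000 DPT=53 LEN=50
Jan 30 18:16:12 headnode kernel: FORWARD TCP IN=em1 OUT=em2 SRC=198.51.100.77 DST=10.1.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9 DF PROTO=TCP SPT=33333 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Outbound-only view of the sample: packets that entered the head node on em2.
fwlog_demo() {
    printf '%s\n' "$FWLOG_SAMPLE" | fwlog_summarize em2
}
```

Run `grep 'FORWARD TCP' /var/log/messages | fwlog_summarize em2` on the head node (the log file name depends on the syslog configuration) to get the outbound list; leaving the interface argument off also shows inbound connection attempts such as the last sample line. Since Scott's LOG rule uses --log-level 4, these lines arrive at priority warning and so clear the info-or-higher threshold he describes for the default forwarding.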


