List: npaci-rocks-discussion
Subject: [Rocks-Discuss] Re: Command line logging
From: "Hamilton, Scott L." <hamiltonsl () mst ! edu>
Date: 2015-01-30 18:16:09
Message-ID: EE1AE97C3F55A34DA72100E8437D838AD069D8B8 () UM-MBX-T01 ! um ! umsystem ! edu
Simon,
If you already have a method of logging commands to syslog, then implementing it on the nodes lets you configure that particular log entry to forward to the head node. Currently the Rocks cluster nodes forward all info or higher log messages to the head node by default, so a syslog solution will work as well, as long as it is logged with info or higher message levels.
I am quite interested in your method of logging commands to syslog, if you wouldn't mind sharing it with the list. I have a few problem users on Linux workstations who keep doing things to break their machines, but are never willing to admit what they have done. If I logged their command line activity it would make troubleshooting the issue a lot easier, knowing what they have done.
It is really fairly simple. Each home directory has a .bash_history file that will show every command that user has run within the length of the history. I think the default is the last 1000 commands or something along those lines.
As for logging all outbound connections, that is as simple as changing the firewall rules on the head node, adding

    -A FORWARD -j LOG --log-prefix 'FORWARD TCP ' --log-level 4

just before the

    # A50-FORWARD-RELATED (host) :
    -A FORWARD -i em1 -o em2 -m state --state RELATED,ESTABLISHED -j ACCEPT
    # A60-FORWARD (host) :
    -A FORWARD -i em2 -j ACCEPT

This will log all the forwarded traffic from the head node firewall. If you want to log everything, just add the -j LOG option to the end of every line in the iptables configuration.
Scott
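Scott's reply leans on an existing "method of logging commands to syslog" without spelling one out. The following is an added example, not code from either poster: a bash hook for /etc/profile.d (assumed path) that sends each interactive command to syslog at local1.info, so it rides the node-to-head-node forwarding of info-or-higher messages that Scott describes. The facility, the "cmdlog" tag and the key=value layout are choices made here, not anything the thread specifies.

```bash
#!/bin/bash
# Added example (not from the mailing-list thread). Per-command syslog logging
# for interactive bash, intended for /etc/profile.d/cmdlog.sh (assumed path).
# Put it into the node build rather than on the node, so a rebuilt compute
# node gets it back. Facility/priority local1.info and tag "cmdlog" are
# assumptions; any info-or-higher priority is forwarded to the head node
# according to the thread.

# Strip the history number from "history 1" output, e.g.
# "  1001  ssh user@example.org" -> "ssh user@example.org".
last_history_entry() {
    printf '%s\n' "$1" | sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+//'
}

# Build the key=value record that gets logged: user, tty, working directory
# and the command. Quoting cmd keeps spaces and pipes inside one field so
# the head node can parse the record later.
format_cmd_log_line() {
    printf 'user=%s tty=%s pwd=%s cmd="%s"\n' "$1" "$2" "$3" "$4"
}

# Runs from PROMPT_COMMAND, i.e. just before each new prompt, so it records
# the command that has just finished. The timestamp is added by syslog.
# CMDLOG_LAST suppresses a duplicate entry when the user only presses Enter
# (history 1 would return the same line again).
log_last_command() {
    local entry
    entry=$(last_history_entry "$(HISTTIMEFORMAT= history 1)")
    [ -n "$entry" ] && [ "$entry" != "$CMDLOG_LAST" ] || return 0
    CMDLOG_LAST=$entry
    logger -p local1.info -t cmdlog \
        "$(format_cmd_log_line "$USER" "$(tty 2>/dev/null)" "$PWD" "$entry")"
}

# Only hook interactive shells; scripts and qrsh batch commands have no prompt.
case $- in
    *i*) PROMPT_COMMAND="log_last_command${PROMPT_COMMAND:+;$PROMPT_COMMAND}" ;;
esac
```

This records what bash's own history sees, so it shares the limits of .bash_history that Scott mentions: a user who switches to another shell, unsets PROMPT_COMMAND or sets HISTSIZE=0 leaves no entry. It is good enough for the troubleshooting Scott wants and as a first answer to an audit question, but it is not tamper-evident; the copy on the head node is the one to keep, since the user cannot edit that.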
-----Original Message-----
From: npaci-rocks-discussion-bounces@sdsc.edu [mailto:npaci-rocks-discussion-bounces@sdsc.edu] On Behalf Of James Kress
Sent: Friday, January 30, 2015 10:59 AM
To: 'Discussion of Rocks Clusters'
Subject: [Rocks-Discuss] Re: Command line logging
I'm sure the NSA has an app for that.
Jim
James Kress Ph.D., President
The KressWorks Foundation C
An IRS Approved 501(c)(3) Charitable, Nonprofit Organization
"Improving Lives One Atom At A Time" TM
(248) 605-8770
Learn More and Donate At:
http://www.kressworks.org
Confidentiality Notice | This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential or proprietary information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, immediately contact the sender by reply e-mail and destroy all copies of the original message.
-----Original Message-----
From: npaci-rocks-discussion-bounces@sdsc.edu
[mailto:npaci-rocks-discussion-bounces@sdsc.edu] On Behalf Of Simon Andrews
Sent: Friday, January 30, 2015 11:27 AM
To: npaci-rocks-discussion@sdsc.edu
Subject: [Rocks-Discuss] Command line logging
As part of a security audit I've been asked if we are able to generate a log of all of the commands run by users on our ROCKS cluster, both on the head node and also within qlogin or qrsh sessions on a compute node. I know there may be no perfect solution to this, but if I could at least log direct bash commands that would be better than nothing. For the head node I can see ways to log commands to syslog, but on the compute nodes I can't see an easy way to log this in a way which wouldn't fail if the node had a problem and was rebuilt.
Since what we really care about is tracking connections to other remote systems, to be able to track malicious activity, I was also wondering if we could simply log all outbound connections (we'd need at least a username, a date stamp, a port and a destination IP) in a way which could just be run from the head node?
I'm guessing we can't be the first group to be asked to do this kind of monitoring, so is anyone able to share how they've set this up, or suggest the easiest way to put it in place?
Thanks
Simon.
The Babraham Institute, Babraham Research Campus, Cambridge CB22 3AT. Registered Charity No. 1053902. The information transmitted in this email is directed only to the addressee. If you received this in error, please contact the sender and delete this email from your system. The contents of this e-mail are the views of the sender and do not necessarily represent the views of the Babraham Institute. Full conditions at: http://www.babraham.ac.uk/terms
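Simon asks for a date stamp, destination IP and port per outbound connection; Scott's LOG rule produces one kernel log line per forwarded packet, in the kernel's key=value format. The following is an added example, not from either message: a variant of the rule that logs only the first packet of each connection, a constructed sample of the /var/log/messages lines it produces, and an awk reduction to the requested fields. Only the interface names em1 (public) and em2 (cluster) and the 'FORWARD TCP ' prefix are taken from the rules quoted in the thread; the sample log lines and helper names are made up for the example.

```bash
#!/bin/sh
# Added example (not from the mailing-list thread). Log new forwarded TCP
# connections once per flow on the head node, then reduce the kernel log
# lines to date, source node, destination IP, protocol and destination port.
# Interface names follow the Rocks rules quoted in the thread; the log lines
# below are constructed, not captured from a real cluster.

# The LOG rule as a one-shot iptables command. Matching only the NEW state
# (first packet of a connection) gives one line per connection instead of
# one per packet, and '-i em2 -o em1' limits it to cluster-to-outside
# traffic. Printed rather than executed so the script runs without root.
forward_log_rule() {
    printf '%s\n' \
      "iptables -I FORWARD 1 -i em2 -o em1 -p tcp -m state --state NEW -j LOG --log-prefix 'FORWARD TCP ' --log-level 4"
}

# Constructed sample of what the kernel writes to /var/log/messages for the
# rule above: three connections from two compute nodes.
SAMPLE_LOG='Jan 30 18:16:09 frontend kernel: FORWARD TCP IN=em2 OUT=em1 SRC=10.1.255.254 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54321 DF PROTO=TCP SPT=44321 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 30 18:16:12 frontend kernel: FORWARD TCP IN=em2 OUT=em1 SRC=10.1.255.253 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54322 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 30 18:16:15 frontend kernel: FORWARD TCP IN=em2 OUT=em1 SRC=10.1.255.254 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54323 DF PROTO=TCP SPT=44400 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0'

# Reduce LOG lines on stdin to "date|src|dst|proto|dport". The prefix set on
# the rule selects our lines; other syslog traffic is dropped. Tokens without
# '=' (DF, SYN) fall through the key check and are ignored.
summarize_forward_log() {
    awk '
        /FORWARD TCP / {
            ts = $1 " " $2 " " $3
            src = dst = proto = dpt = ""
            for (i = 4; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            print ts "|" src "|" dst "|" proto "|" dpt
        }'
}

# Number of distinct destination hosts seen in the sample.
count_destinations() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_forward_log | cut -d'|' -f3 | sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | summarize_forward_log
```

The one field Simon asks for that this cannot supply is the username: the head node's FORWARD chain only sees a packet from another host, so there is no process owner to record. It can be recovered afterwards by joining SRC and the timestamp against the scheduler's record of which job held that compute node, or by logging on the compute node itself, where the OUTPUT chain accepts the `-m owner --uid-owner` match.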