[Cialug] Auditing logs for a delicate situation
Hasler, Chris
ChrisHasler at alliantenergy.com
Fri Feb 10 17:38:45 CST 2012
Hi all,
I've been asked to audit system logs for tracking the log in of a certain individual. I'm not trying to figure out what the individual did on the system after they logged in. I've just been asked to look for evidence that a person did log in on certain days. The systems are configured to forward system logs to a central logging host so I can grep the composite auth log looking for sessions coming from a particular Subnet/IP. To complicate matters, the user does have access to the root password(s).
If a person uses screen, and maintains a session for a lengthy period of time is there any trace when they are active and when they are not?
Any additional ideas or guidance in this type of situation would be much appreciated.
Thanks,
Chris H.
More information about the Cialug
mailing list