Red Hat Bugzilla – Bug 154973
[RFE] Capture user activities from hidden kernel module
Last modified: 2008-08-25 12:31:17 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Description of problem:
As a corporate user who deals with service-providing platforms, a tool that can record all data about user activity - using the system read() call - to a remote log server would be extremely useful. The tool also needs to be non-detectable and unloadable by the user.
This means a track of all activities on the system can be kept, such that if a problem with the service arises, the activities can be checked to see what user activity has happened on the node - thus potentially speeding up root cause analysis.
Tools exist that provide the functionality requested (see: http://www.honeynet.org/tools/sebek), but as it is open source there is no support organisation behind it - meaning that the company would be very reluctant to use it for production systems. This tool is also intended for honeypot systems, as opposed to service platforms, thus may not be as stable as needed.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Request For Enhancement
Internal RFE bug #155047 entered; will be considered for future releases.
Product Management has reviewed and declined this request. You may appeal this
decision by reopening this request.