UNIX and Linux Auditing Using ObserveIT
How ObserveIT is set up and started:
ObserveIT is a commercial product that runs as an agent intercepting all interactive session activity. Once installed, it generates log data and delivers that content to an application server. It monitors all activity automatically, starting from the initial login of the user session.
What ObserveIT records:
ObserveIT collects interactive activity (text I/O) along with kernel data (spawned system calls / commands). ObserveIT provides a full audit review web console, which allows for video-style replay of user sessions as well as detailed audit drill-down into the system call kernel data. In the ObserveIT window, any user session can be viewed or replayed, and current sessions can be monitored in real-time.
In the example below, an interactive user 'brad' logged in and typed 'rm -r do*' to delete the documents directory.

ObserveIT captured the interactive command ('rm -r do*') and also the internal commands (for example, the actual filenames that were deleted).
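The correlation described above, as an added example that is not ObserveIT's code or log format: the typed command only says 'do*', so the files actually removed can be recovered only by joining the interactive record to kernel-level delete events from the same session. The record layout imitates Linux auditd SYSCALL/PATH lines in simplified form, and the session id, user and paths are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample data (not ObserveIT output). The interactive log holds what
# the user typed, tagged with the audit session id; the kernel log holds
# auditd-style SYSCALL/PATH records, simplified for readability.
INTERACTIVE_LOG = [{"ses": 5, "user": "brad", "typed": "rm -r do*"}]
KERNEL_LOG = """\
type=SYSCALL msg=audit(1700000000.101:311): syscall=unlinkat success=yes ses=5 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1700000000.101:311): item=1 name="documents/report.txt" nametype=DELETE
type=SYSCALL msg=audit(1700000000.102:312): syscall=unlinkat success=yes ses=5 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1700000000.102:312): item=1 name="documents/notes.md" nametype=DELETE
type=SYSCALL msg=audit(1700000000.103:313): syscall=unlinkat success=yes ses=5 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1700000000.103:313): item=1 name="documents" nametype=DELETE
type=SYSCALL msg=audit(1700000000.200:314): syscall=unlinkat success=yes ses=9 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1700000000.200:314): item=1 name="/tmp/cache.bin" nametype=DELETE
"""

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")   # event serial inside msg=audit(ts:serial)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value or key="quoted value"
DELETE_SYSCALLS = {"unlink", "unlinkat", "rmdir"}

def parse_kernel_log(text):
    """Group the SYSCALL record and its PATH records by audit serial into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        serial = int(SERIAL_RE.search(line).group(1))
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        ev = events[serial]
        if fields["type"] == "SYSCALL":
            ev.update(ses=int(fields["ses"]), syscall=fields["syscall"],
                      ok=fields["success"] == "yes")
        elif fields["type"] == "PATH" and fields.get("nametype") == "DELETE":
            ev["paths"].append(fields["name"])
    return dict(events)

def correlate(interactive, events):
    """Attach the paths the kernel actually deleted to each typed command of the same session."""
    result = []
    for entry in interactive:
        deleted = sorted(
            path for ev in events.values()
            if ev.get("ses") == entry["ses"] and ev.get("syscall") in DELETE_SYSCALLS and ev.get("ok")
            for path in ev["paths"])
        # A glob in the typed text means the interactive log alone cannot name the files.
        uses_glob = any(c in entry["typed"] for c in "*?[")
        result.append({**entry, "uses_glob": uses_glob, "deleted": deleted})
    return result

if __name__ == "__main__":
    for row in correlate(INTERACTIVE_LOG, parse_kernel_log(KERNEL_LOG)):
        print(f"{row['user']} typed {row['typed']!r} -> deleted {row['deleted']}")
```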
Security and audit implications:
ObserveIT links the system calls to the actions in the interactive session, and therefore gives a more robust audit trail to review. ObserveIT generates the video and metadata logs, and also provides the platform for actually searching or navigating within the audit data. This platform includes automated reporting and alerts across any number of Linux or Solaris machines. (The audit database can also include non-Unix/Linux machines such as Windows servers or desktops, if necessary.) Beyond security audits, ObserveIT can also be used for troubleshooting.
When to use ObserveIT:
ObserveIT is best applied when 'the whole picture' is necessary.
This more complete picture is applicable to highly regulated audit requirements where massive log data alone is insufficient (e.g., PCI security regulations, HIPAA, internal security regulations for highly sensitive data applications, etc.).

