<div>In Gentoo there is a use keyword to turn on command logging to syslog. Below is the patch file in case you were interested...</div><div><br></div><div>$ cat /usr/portage/app-shells/bash/files/bash-3.1-bash-logger.patch </div>
<div><br></div><div>Add support for logging bash commands via syslog().</div><div>Useful for deploying in honeypot environments.</div><div><br></div><div><a href="http://bugs.gentoo.org/91327">http://bugs.gentoo.org/91327</a></div>
<div><a href="http://www.nardware.co.uk/Security/html/bashlogger.htm">http://www.nardware.co.uk/Security/html/bashlogger.htm</a></div><div><br></div><div>--- bashhist.c</div><div>+++ bashhist.c</div><div>@@ -705,7 +705,7 @@</div>
<div> {</div><div> hist_last_line_added = 1;</div><div> hist_last_line_pushed = 0;</div><div>- add_history (line);</div><div>+ add_history (line, 1);</div><div> history_lines_this_session++;</div><div> }</div><div>
</div><div>--- lib/readline/histexpand.c</div><div>+++ lib/readline/histexpand.c</div><div>@@ -1222,9 +1222,7 @@</div><div> </div><div> if (only_printing)</div><div> {</div><div>-#if 0</div><div>- add_history (result);</div>
<div>-#endif</div><div>+ add_history (result, 1);</div><div> return (2);</div><div> }</div><div> </div><div>--- lib/readline/histfile.c</div><div>+++ lib/readline/histfile.c</div><div>@@ -262,7 +262,7 @@</div>
<div> <span class="Apple-tab-span" style="white-space:pre">        </span> {</div><div> <span class="Apple-tab-span" style="white-space:pre">        </span> if (HIST_TIMESTAMP_START(line_start) == 0)</div><div> <span class="Apple-tab-span" style="white-space:pre">        </span> {</div>
<div>-<span class="Apple-tab-span" style="white-space:pre">                </span>add_history (line_start);</div><div>+<span class="Apple-tab-span" style="white-space:pre">                </span>add_history (line_start, 0);</div><div> <span class="Apple-tab-span" style="white-space:pre">                </span>if (last_ts)</div>
<div> <span class="Apple-tab-span" style="white-space:pre">                </span> {</div><div> <span class="Apple-tab-span" style="white-space:pre">                </span> add_history_time (last_ts);</div><div>--- lib/readline/history.c</div><div>
+++ lib/readline/history.c</div><div>@@ -31,6 +31,8 @@</div><div> </div><div> #include <stdio.h></div><div> </div><div>+#include <syslog.h></div><div>+</div><div> #if defined (HAVE_STDLIB_H)</div><div> # include <stdlib.h></div>
<div> #else</div><div>@@ -246,10 +250,23 @@</div><div> /* Place STRING at the end of the history list. The data field</div><div> is set to NULL. */</div><div> void</div><div>-add_history (string)</div><div>- const char *string;</div>
<div>+add_history (string, logme)</div><div>+ const char *string;</div><div>+ int logme; /* 0 means no sending history to syslog */</div><div> {</div><div> HIST_ENTRY *temp;</div><div>+ if (logme) {</div><div>+ char trunc[600]; /* arbitrary max size of 600 bytes */</div>
<div>+ if (strlen(string) < sizeof(trunc)) {</div><div>+ syslog(LOG_LOCAL5 | LOG_INFO, "HISTORY: PID=%d UID=%d %s",</div><div>+ getpid(), getuid(), string);</div><div>+ } else {</div><div>+ memcpy(trunc, string, sizeof(trunc));</div>
<div>+ trunc[sizeof(trunc) - 1] = '\0';</div><div>+ syslog(LOG_LOCAL5 | LOG_INFO, "HISTORY: PID=%d UID=%d %s(++TRUNC)",</div><div>+ getpid(), getuid(), trunc);</div><div>+ }</div><div>
+ }</div><div> </div><div> if (history_stifled && (history_length == history_max_entries))</div><div> {</div><div>--- lib/readline/history.h</div><div>+++ lib/readline/history.h</div><div>@@ -80,7 +80,7 @@</div>
<div> </div><div> /* Place STRING at the end of the history list.</div><div> The associated data field (if any) is set to NULL. */</div><div>-extern void add_history PARAMS((const char *));</div><div>+extern void add_history PARAMS((const char *, int ));</div>
<div> </div><div> /* Change the timestamp associated with the most recent history entry to</div><div> STRING. */</div><div><br></div><div><br></div><br><div class="gmail_quote">On Wed, Jun 16, 2010 at 8:37 PM, Chris Fowler <span dir="ltr"><<a href="mailto:cfowler@outpostsentinel.com">cfowler@outpostsentinel.com</a>></span> wrote:<br>
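<div>Review bot: the bashhist.c hunk hooks logging into the same path that writes the in-memory history, so the record covers interactive lines that reach bash's history code in this patched binary; treat it as a forensic trail rather than an enforcement boundary, and since the local log can be edited much like bash_history, send the LOCAL5 facility to a remote collector and pair it with the process accounting (acct) mentioned earlier in the thread.</div>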
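<div>Review bot: the lib/readline/histexpand.c hunk does more than add logging: it deletes the <code>#if 0</code>/<code>#endif</code> that kept <code>add_history (result)</code> disabled in the <code>only_printing</code> branch, so expansions that only print are now recorded in history as well as logged, and whatever handles the <code>return (2)</code> in bash may then see the same line twice. If the goal is only to log, leave the call disabled and log from the bashhist.c path, or state in the patch description that the history change is intended.</div>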
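<div>Review bot: in the lib/readline/history.c add_history hunk, the record identifies the user by <code>getuid()</code> alone, so a command typed after su or sudo -s is attributed to UID 0 and the originating account is lost; log the real and effective UID (or the login UID) next to the PID. <code>string</code> is correctly passed as the <code>%s</code> argument rather than as the format, but it is written verbatim, so embedded CR/LF or terminal escape sequences reach the log unfiltered; either replace non-printable bytes before the <code>syslog()</code> call or have consumers treat the field as untrusted. Only <code>syslog.h</code> is added, so confirm <code>getpid()</code>, <code>getuid()</code>, <code>strlen()</code> and <code>memcpy()</code> already have their headers in scope, and consider an <code>openlog("bash", ...)</code> so the tag does not depend on the C library default.</div>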
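<div>Review bot: the lib/readline/history.h hunk changes the public prototype of <code>add_history</code> from <code>(const char *)</code> to <code>(const char *, int)</code>, so any caller still passing one argument no longer compiles and anything built against the bundled readline header loses compatibility; the patch updates only three call sites. A less invasive shape is to leave <code>add_history(const char *)</code> as is and add a separate logging entry point (for example <code>add_history_logged()</code>) or a file-scope flag that only bash's bashhist.c path sets.</div>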
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="im">On Wed, 2010-06-16 at 16:02 -0400, James Taylor wrote:<br>
> the acct package is part of the distribution.<br>
> I need to look at it in more depth, but it looks promising.<br>
> -jt<br>
><br>
> >>> "James Taylor" <<a href="mailto:James.Taylor@eastcobbgroup.com">James.Taylor@eastcobbgroup.com</a>> 6/16/2010 09:50 AM >>><br>
> Is there a good method for auditing command line operations, similar to bash_history that is not accessible to the user? bash_history is functional, but can be edited or deleted by the user.<br>
> Something that is included with a SLES distribution is highly desirable, but if there are some good options, one of them may already be there.<br>
> I've had one suggestion for snoopy, but I don't think it's included with SLES.<br>
> Thanks,<br>
> -jt<br>
><br>
<br>
</div>You might try to incorporate an exec of script into their bash_profile.<br>
First try it with hidden directories in the home.<br>
<br>
# bash_profile<br>
<br>
# Stuff here<br>
<br>
# -p: do not complain (or print to the user's terminal) when the directory already exists on later logins<br>
mkdir -p ~/.audit<br>
# exec replaces the login shell with script, so leaving script ends the session instead of dropping into an unrecorded shell<br>
exec script -qf ~/.audit/script.`date +%s`<br>
<br>
-q is quiet to not alert them<br>
-f flushes after each write so that you could be on another terminal<br>
executing tail -f against the file.<br>
<div><div></div><div class="h5"><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br>
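<div>Added example, not part of the thread or of the Gentoo patch: a parser for the records the patched add_history() writes, "HISTORY: PID=%d UID=%d %s" with a literal "(++TRUNC)" appended when the command overflowed the 600-byte buffer. It assumes the syslog daemon prepends a BSD-style timestamp, host and program tag; the hosts, PIDs and log lines are constructed.</div>

```python
import re

# Record shape written by the patched add_history(): "HISTORY: PID=%d UID=%d %s",
# plus a literal "(++TRUNC)" when the command overflowed the 600-byte buffer.
# The syslog daemon prepends timestamp, host and program tag (assumed BSD format).
HIST_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) "
    r"(?P<cmd>.*)$"
)
TRUNC_MARK = "(++TRUNC)"


def parse_line(line):
    """Parse one syslog line from the patched bash; return None for any other line."""
    m = HIST_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    cmd = m.group("cmd")
    truncated = cmd.endswith(TRUNC_MARK)
    if truncated:
        cmd = cmd[:-len(TRUNC_MARK)]  # keep the 599 bytes that were actually logged
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "pid": int(m.group("pid")),
        "uid": int(m.group("uid")),  # getuid(): UID 0 after su/sudo hides the real user
        "cmd": cmd,
        "truncated": truncated,
        # The patch logs the command verbatim, so escape sequences or CR/LF typed
        # at the prompt reach the log unfiltered when the daemon passes them through.
        "control_chars": any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in cmd),
    }


def parse_log(text):
    """Return a record for every HISTORY line in a log excerpt, in file order."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


# Constructed sample: three HISTORY records (one over the buffer) and one sshd line.
LONG_CMD = "echo " + "A" * 610             # 615 bytes, over the patch's 600-byte trunc[]
LOGGED_LONG = LONG_CMD[:599] + TRUNC_MARK  # exactly what the else-branch emits
SAMPLE = (
    "Jun 16 20:41:03 host1 bash: HISTORY: PID=4321 UID=1000 ls -la /etc\n"
    "Jun 16 20:41:10 host1 bash: HISTORY: PID=4321 UID=0 tail -n 50 /var/log/messages\n"
    "Jun 16 20:41:15 host1 bash: HISTORY: PID=4322 UID=1000 " + LOGGED_LONG + "\n"
    "Jun 16 20:41:20 host1 sshd[220]: Accepted publickey for alice from 10.0.0.5\n"
)
```

<div>Running parse_log(SAMPLE) yields three records; the third carries truncated=True with the 599 bytes that survived, and the sshd line is ignored.</div>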