[ale] Need an method of recording command line operations for auditing purposes
Brandon Wood
woody at 2143.net
Thu Jun 17 11:25:29 EDT 2010
In Gentoo there is a use keyword to turn on command logging to syslog. Below
is the patch file in case you were interested...
$ cat /usr/portage/app-shells/bash/files/bash-3.1-bash-logger.patch
Add support for logging bash commands via syslog().
Useful for deploying in honeypot environments.
http://bugs.gentoo.org/91327
http://www.nardware.co.uk/Security/html/bashlogger.htm
--- bashhist.c
+++ bashhist.c
@@ -705,7 +705,7 @@
{
hist_last_line_added = 1;
hist_last_line_pushed = 0;
- add_history (line);
+ add_history (line, 1);
history_lines_this_session++;
}
--- lib/readline/histexpand.c
+++ lib/readline/histexpand.c
@@ -1222,9 +1222,7 @@
if (only_printing)
{
-#if 0
- add_history (result);
-#endif
+ add_history (result, 1);
return (2);
}
--- lib/readline/histfile.c
+++ lib/readline/histfile.c
@@ -262,7 +262,7 @@
{
if (HIST_TIMESTAMP_START(line_start) == 0)
{
- add_history (line_start);
+ add_history (line_start, 0);
if (last_ts)
{
add_history_time (last_ts);
--- lib/readline/history.c
+++ lib/readline/history.c
@@ -31,6 +31,8 @@
#include <stdio.h>
+#include <syslog.h>
+
#if defined (HAVE_STDLIB_H)
# include <stdlib.h>
#else
@@ -246,10 +250,23 @@
/* Place STRING at the end of the history list. The data field
is set to NULL. */
void
-add_history (string)
- const char *string;
+add_history (string, logme)
+ const char *string;
+ int logme; /* 0 means no sending history to syslog */
{
HIST_ENTRY *temp;
+ if (logme) {
+ char trunc[600]; /* arbitrary max size of 600 bytes */
+ if (strlen(string) < sizeof(trunc)) {
+ syslog(LOG_LOCAL5 | LOG_INFO, "HISTORY: PID=%d UID=%d %s",
+ getpid(), getuid(), string);
+ } else {
+ memcpy(trunc, string, sizeof(trunc));
+ trunc[sizeof(trunc) - 1] = '\0';
+ syslog(LOG_LOCAL5 | LOG_INFO, "HISTORY: PID=%d UID=%d %s(++TRUNC)",
+ getpid(), getuid(), trunc);
+ }
+ }
if (history_stifled && (history_length == history_max_entries))
{
--- lib/readline/history.h
+++ lib/readline/history.h
@@ -80,7 +80,7 @@
/* Place STRING at the end of the history list.
The associated data field (if any) is set to NULL. */
-extern void add_history PARAMS((const char *));
+extern void add_history PARAMS((const char *, int ));
/* Change the timestamp associated with the most recent history entry to
STRING. */
On Wed, Jun 16, 2010 at 8:37 PM, Chris Fowler
<cfowler at outpostsentinel.com>wrote:
> On Wed, 2010-06-16 at 16:02 -0400, James Taylor wrote:
> > the acct package is part of the distribution.
> > I need to look at in more depth, but it looks promising.
> > -jt
> >
> > >>> "James Taylor" <James.Taylor at eastcobbgroup.com> 6/16/2010 09:50 AM
> >>>
> > Is there a good method for auditing command line operations, similar to
> bash_history that is not accessible to the user? bash_hisory is functional,
> but can be edited or deleted by the user.
> > Something that is included with a SLES distribution is highly desirable,
> but if there are some good options, one of them may already be there.
> > I've had one suggestion for snoopy, but I don't think it's included with
> SLES.
> > Thanks,
> > -jt
> >
>
> You might try to incorporate an exec of script into their bash_profile.
> First try it with hidden directories in the home.
>
> # bash_profile
>
> # Stuff here
>
> mkdir ~/.audit
> exec script -qf ~/.audit/script.`date +%s`
>
> -q is quiet to not alert them
> -f flushes after each write so that you could be on another terminal and
> executing tail -f against the file.
>
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20100617/b5190d0a/attachment.html
More information about the Ale
mailing list