Hi all,

I'm looking for something like a bash replacement which logs all commands a user issues, with parameters etc. The bash history isn't useful, because it can be changed/deleted by the user himself. Can anybody point me in the right direction?

Thanks!!

Kind regards
Florian Meyer-Kassel
---
Combax Aktiengesellschaft
Florian Meyer-Kassel
Server Administration
Max-Eyth-Strasse 35
D-71088 Holzgerlingen
T: +49.7031.741015-0 F: +49.7031.741015-99 E: f.meyer-kassel@combax.de
---
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager.
Maybe you can fork a tail -f $userdir/.bash_history > $myfile when bash starts up, to log all entries immediately.

Michael

-----Original Message-----
From: Florian Meyer-Kassel [mailto:f.meyer-kassel@combax.net]
Sent: Tuesday, September 18, 2001 9:41 AM
To: suse-security@suse.com
Subject: [suse-security] Command Logging
Right problem, wrong answer. man chattr: append-only is of interest, also immutable. Of course even with .bash_history logging all bash commands a user can get around it (hint: other shells, shell scripts, etc.).

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
Is there already a chattr for ReiserFS? AFAIK only ext2 is supported.

Markus
--
Markus Gaugusch, ICQ 11374583, markus@gaugusch.dhs.org
ASCII Ribbon Campaign Against HTML Mail
Negative. It is an ext2 feature, not portable.

Logging inside a userspace program is useless. Users bring their own shell and the logging is gone, and even with the same shell used, the shell can be tricked into skipping the writing of a command history.

You'd have to do it differently. See the manual page of accton(8) for BSD process accounting in the kernel. Note that not all of the command line is being logged, only the filename, but if you hack up the code in /usr/src/linux/kernel/acct.c and in the userspace utilities, it should do.

Thanks,
Roman.
--
Roman Drahtmüller
On Tue, 18 Sep 2001, Roman Drahtmueller wrote:

> See the manual page of accton(8) for BSD process accounting in the kernel.

Yep. Kernel-land tools are the right ones, although acct(2) only works when the process calls exit(2). Programs killed with SIGKILL for example don't appear in the logs then.

regards,
Sebastian
--
~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~
krahmer@suse.de - SuSE Security Team
Hi Sebastian,

> Yep. Kernel-land tools are the right ones, although acct(2) only works when the process calls exit(2).

Not quite (good that you mention it). The program gets logged when the task is being removed from the task list in do_exit() inside the kernel. The actual reason why it died doesn't count (besides, there is a bug in the lastcomm(1) manpage: not only SIGTERM causes that "X" in lastcomm's output!), since this reason is beyond the control of the userspace at this stage.

> Programs killed with SIGKILL for example don't appear in the logs then.

This is a good reason for not trying this in user- and library space.
# cd /var/account/
# touch pacct
# chmod 640 pacct
# accton pacct
# ls -la pacct
-rw-r----- 1 root root 64 Sep 18 14:08 pacct
# sleep 400 &
[1] 16390
# kill -9 16390
#
[1]+ Killed sleep 400
#
# lastcomm
sleep X root stdin 0.01 secs Tue Sep 18 14:08
ls root stdin 0.00 secs Tue Sep 18 14:08
accton S root stdin 0.00 secs Tue Sep 18 14:08
# accton
Roman.
--
Roman Drahtmüller
On 18-Sep-01 Florian Meyer-Kassel wrote:

Yup, you could either use ttysnoop (use Google to find a place to download) or the kernel-space sniffer Maxty, which is a loadable kernel module. Maxty logs commands, as well as shell session opening/login shells, profiles used, etc. Download Maxty at http://freshmeat.net/projects/maxty/

Boris Lorenz
You know, I haven't been able to find a good _maintained_ tty/pty snooper/hijacker for Linux in ages; everything is at least a year or five old and barely anything works with 2.4. Sigh.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
Hi Florian,

On Tue, Sep 18, 2001 at 09:40:42AM +0200, Florian Meyer-Kassel wrote:

You can enable system-wide process accounting (logging) with the acct package. It will log all processes, but not the parameters AFAIK. It's more tailored towards logging CPU time, but still useful. You can query the log database with the lastcomm command.

Peter
--
Peter Poeml, poeml at suse.de
VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
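As an added example (not code from the thread or from the acct package), here is a Python decoder for the raw records that accton(8) turns on and lastcomm(1) reads; it serves both Roman's lastcomm demonstration above and this reply. It assumes the v3 record layout (struct acct_v3, 64 bytes, from the Linux kernel's include/uapi/linux/acct.h), which is what current kernels write rather than the 2001-era layout the thread refers to; the three records are constructed with struct.pack to mirror Roman's lastcomm output, and the pids, timestamps and helper names are made up. It shows what both replies say: a record holds only the command name (16 bytes, no arguments), and a process killed with kill -9 still gets a record, carrying the AXSIG flag that lastcomm prints as X.

```python
"""Decode raw BSD process-accounting records (the file accton(8) enables
and lastcomm(1) reads).

Added example, not code from the thread or from the acct package. Assumes
the v3 record layout (struct acct_v3, 64 bytes, include/uapi/linux/acct.h),
which current kernels write; the 2001-era layout differs in field order.
The sample records are constructed with struct.pack, not captured.
"""
import struct
import time

ACCT_VERSION = 3
ACCT_COMM = 16                      # ac_comm is 16 bytes: name only, no arguments
RECORD_FMT = "<ccHIIIIIIf8H16s"     # struct acct_v3, little-endian, packed
RECORD_SIZE = struct.calcsize(RECORD_FMT)
assert RECORD_SIZE == 64

# ac_flag bits from linux/acct.h and the letter lastcomm(1) prints for each.
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10
FLAG_LETTERS = ((ASU, "S"), (AFORK, "F"), (ACORE, "D"), (AXSIG, "X"))


def decode_comp_t(c: int) -> int:
    """comp_t is a 16-bit float: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def flag_letters(ac_flag: int) -> str:
    """Render ac_flag the way lastcomm shows it ('X' = killed by a signal)."""
    return "".join(letter for bit, letter in FLAG_LETTERS if ac_flag & bit)


def parse_record(raw: bytes) -> dict:
    """Unpack one 64-byte acct_v3 record into a dict of decoded fields."""
    if len(raw) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(raw)}")
    (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
     utime, stime, mem, io, rw, minflt, majflt, swaps, comm) = struct.unpack(RECORD_FMT, raw)
    if version[0] != ACCT_VERSION:
        raise ValueError(f"unsupported acct version {version[0]}")
    return {
        "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
        "flags": flag_letters(flag[0]),
        "uid": uid, "gid": gid, "pid": pid, "ppid": ppid, "tty": tty,
        "exitcode": exitcode,          # wait(2)-style code: signal number if killed
        "btime": btime,                # process creation time, Unix epoch seconds
        "etime": etime,                # elapsed time, stored as a C float
        "utime_ticks": decode_comp_t(utime),
        "stime_ticks": decode_comp_t(stime),
        "mem": decode_comp_t(mem),     # average memory usage (comp_t)
    }


def parse_file(data: bytes):
    """Yield every complete record from the contents of a pacct file."""
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        yield parse_record(data[off:off + RECORD_SIZE])


def killed_by_signal(records) -> list:
    """Command names of processes that died on a signal (lastcomm's 'X')."""
    return [r["comm"] for r in records if "X" in r["flags"]]


def format_like_lastcomm(r: dict) -> str:
    """One line in lastcomm's style: command, flags, uid, cpu ticks, start time."""
    started = time.strftime("%a %b %d %H:%M", time.gmtime(r["btime"]))
    cpu = r["utime_ticks"] + r["stime_ticks"]
    return f"{r['comm']:<16} {r['flags']:<4} uid={r['uid']:<5} {cpu:>4} ticks  {started}"


def make_record(comm: str, flag: int, uid: int, pid: int, ppid: int,
                exitcode: int, btime: int, utime: int = 0, stime: int = 0) -> bytes:
    """Constructed record (test data, not kernel output). The kernel copies
    ac_comm from the task's 16-byte comm buffer (NUL included), so at most
    15 characters of the name survive and nothing of the command line does."""
    name = comm.encode("ascii")[:ACCT_COMM - 1]
    return struct.pack(RECORD_FMT, bytes([flag]), bytes([ACCT_VERSION]), 0,
                       exitcode, uid, 0, pid, ppid, btime, 0.0,
                       utime, stime, 0, 0, 0, 0, 0, 0, name)


# Constructed pacct contents mirroring the lastcomm output quoted above:
# accton run by root (S), ls, then 'sleep 400' killed with SIGKILL (X, code 9).
T0 = 1000814880   # 2001-09-18 12:08 UTC, a made-up timestamp
SAMPLE_PACCT = b"".join([
    make_record("accton", ASU, 0, 16380, 16300, 0, T0),
    make_record("ls", 0, 0, 16385, 16300, 0, T0 + 2),
    make_record("sleep", AXSIG, 0, 16390, 16300, 9, T0 + 5, utime=1),
])

if __name__ == "__main__":
    records = list(parse_file(SAMPLE_PACCT))
    for r in records:
        print(format_like_lastcomm(r))
    print("killed by a signal:", killed_by_signal(records))
```

To run it against a real file, read /var/account/pacct (or wherever accton was pointed) as bytes and pass the contents to parse_file; the ac_comm truncation in make_record is why lastcomm never shows the "400" of the sleep above.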
On Tue, 18 Sep 2001, Florian Meyer-Kassel wrote:

Hi, you may use the Eyes on Exec pseudo-device driver for 2.2 and 2.4 kernels, available at http://www.cs.uni-potsdam.de/homepages/students/linuxer/eoe-2.51.tar.gz. It creates /dev/exec upon install and you can, in the simplest case, cat that file and see every program executed, with UID/EUID etc. You can even build complex programs on it to kill shells started from pop3d or something similar.

Sebastian
--
~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~
krahmer@suse.de - SuSE Security Team
participants (9): Appeldorn, Boris Lorenz, Florian Meyer-Kassel, jfweber@eternal.net, Kurt Seifried, Markus Gaugusch, Peter Poeml, Roman Drahtmueller, Sebastian Krahmer