Hi, I've written a script that logs all the commands executed by a user, his terminal, the time, the directory... I don't use .bash_history but the history itself. Now the question is: will the history be reliable, will it be more useful than .bash_history, will it be legal? Also, because the script is executed as the user himself, I'm forced to append the command history to a file which has the chattr +a attribute set, so the user can put anything in the file. Any ideas to make it stealthy? BTW, I'm using the PROMPT_COMMAND variable. Here's the script:

    # sourced from /etc/profile.local so that "history 1" sees the interactive shell's own history (a separate /bin/sh process would have none)
    logcmd() {
        COMM=`history 1 | awk '{ for (i = 2; i <= NF; i++) printf "%s ", $i }'`
        echo "`date`:`tty`:$USER:$PWD:$COMM" >> /tmp/comlog
    }
    PROMPT_COMMAND=logcmd

Should I make /etc/profile.local exec only?

Cheers,
cheedu
On Wed, 16 Aug 2000, Sridhar wrote:
I've written a script that logs all the commands executed by a user, his terminal, the time, the directory... I don't use .bash_history but the history itself. Now the question is: will the history be reliable, will it be more useful than .bash_history, will it be legal? Also, because the script is executed as the user himself, I'm forced to append the command history to a file which has the chattr +a attribute set, so the user can put anything in the file. Any ideas to make it stealthy? BTW, I'm using the PROMPT_COMMAND variable.
Hello cheedu (or Sridhar),

I don't know if this is legal, but some little thoughts about the other points:

- A webcam behind the terminal (hidden, of course) is also a very good choice ;)
- Who will read /tmp/comlog? You already have enough in /var/log.
- If someone gets root and forgets to look into the environment (HISTFILE etc.), then you can get him just by his .bash_history. If he is not too bad, he will delete his traces, all of them.
- You can also execute commands via a lot of applications (X clients etc.) that don't leave traces like in the histfile.

In summary: don't do it, it's not useful, and nobody likes the "Big Brother".

Cheers,
Peter
--
Peter Münster
http://w3pm.stormloader.com/
*** Sign now: http://petition.eurolinux.org/ ***
On Wed, 16 Aug 2000, Sridhar wrote:
Hi, I've written a script that logs all the commands executed by a user, his terminal, the time, the directory... I don't use .bash_history but the history itself. Now the question is: will the history be reliable, will it be more useful than .bash_history, will it be legal? Also, because the script is executed as the user himself, I'm forced to append the command history to a file which has the chattr +a attribute set, so the user can put anything in the file. Any ideas to make it stealthy? BTW, I'm using the PROMPT_COMMAND variable.
Perhaps you will find ojnk's patch for bash stealthy enough. It's available at http://ojnk.sourceforge.net/ and here's what it says in the readme file:

This patch to bash will:

* Log all user commands to (by default) /var/log/histories/<pw_name> (I chown each user's logfile to them, chmod 200 it and set it append-only)
* Disallow (and log) execution attempts when:
  * uid != euid
  * gid != egid
  * stdin is a socket (this will break programs such as rsh)
* Implement a high uid and gid such that if the shell is executed with a uid or gid higher than that limit, the shell will close and log the attempt. (I run network daemons with a high gid)

--
_ _ _|_ o._ o _ _)(_) |_ || |_>
This is a very primitive and shameful question that I have: how do I patch bash? I have the bash source, and I am using patch, but either I don't know the syntax, or I don't know what, but I cannot patch bash... and I read the patch man pages, and I still don't get it. Can someone help me out a bit with this patching business? Thanks

On Thu, 17 Aug 2000, Sotiris Tsimbonis wrote:
Perhaps you will find ojnk's patch for bash stealthy enough. It's available at http://ojnk.sourceforge.net/ and here's what it says in the readme file:

This patch to bash will:

* Log all user commands to (by default) /var/log/histories/<pw_name> (I chown each user's logfile to them, chmod 200 it and set it append-only)
* Disallow (and log) execution attempts when:
  * uid != euid
  * gid != egid
  * stdin is a socket (this will break programs such as rsh)
* Implement a high uid and gid such that if the shell is executed with a uid or gid higher than that limit, the shell will close and log the attempt. (I run network daemons with a high gid)

--
_ _ _|_ o._ o _ _)(_) |_ || |_>
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
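An added illustration of what max is running into (not code from the thread or from the ojnk project): the -p option tells patch how many leading path components to strip from the file names in the diff's --- and +++ lines, and --dry-run checks that every hunk applies before anything is written. The miniature source tree, file name and changed value below are constructed so the example runs anywhere diff and patch are installed; with the real bash-2.03 tree you would cd into it and run the same two patch commands against the ojnk patch file, choosing -pN to match the paths in its headers.

```shell
#!/bin/sh
# Added example: how "patch -p1" and "--dry-run" behave, shown on a throwaway tree.
# Everything here (a/ and b/ directories, config.h, log_commands) is constructed.

# Create a unified diff whose paths carry the a/ and b/ prefixes most patches use,
# e.g. "--- a/config.h" / "+++ b/config.h".
make_demo_patch() {
    work=$1
    mkdir -p "$work/a" "$work/b"
    printf 'int log_commands = 0;\n' > "$work/a/config.h"
    printf 'int log_commands = 1;\n' > "$work/b/config.h"
    # diff exits 1 when the files differ, which is the expected outcome here
    (cd "$work" && diff -u a/config.h b/config.h > ojnk.diff || [ $? -eq 1 ])
}

# Apply the diff from inside an untouched copy of the "source": -p1 strips the first
# path component ("a/"), so the diff's "a/config.h" becomes "config.h" relative to
# the current directory. --dry-run reports whether the hunks apply without touching
# the file; only then is the patch applied for real. Prints the patched file.
apply_demo_patch() {
    work=$(mktemp -d) || return 1
    make_demo_patch "$work" || return 1
    mkdir "$work/bash-2.03"
    cp "$work/a/config.h" "$work/bash-2.03/config.h"
    (
        cd "$work/bash-2.03" &&
        patch -p1 --dry-run < ../ojnk.diff > /dev/null &&
        patch -p1 < ../ojnk.diff > /dev/null &&
        cat config.h
    )
    status=$?
    rm -rf "$work"
    return $status
}
```

If patch cannot find the file named after stripping, it stops and asks "File to patch:"; that prompt is the usual sign that -p is off by one for the directory you are standing in.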
Hi, you mean the patch that Sotiris gave or the one that I've put?

Cheers,
cheedu

On Mon, 21 Aug 2000, max wrote:
This is a very primitive and shameful question that I have: how do I patch bash? I have the bash source, and I am using patch, but either I don't know the syntax, or I don't know what, but I cannot patch bash... and I read the patch man pages, and I still don't get it. Can someone help me out a bit with this patching business? Thanks
--
Domain name: cheedu.dyndns.org
Smile... Tomorrow will be worse
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I am talking about the patch from sourceforge, the ojnk one. If I try to compile bash after patching it, I get a segfault in make for some reason. I tried this with both bash 2.02 and bash 2.03. No idea why this happens.

On Tue, 22 Aug 2000, Sridhar wrote:
Hi, you mean the patch that Sotiris gave or the one that I've put?
cheers cheedu
I've written a script that logs all the commands executed by a user, his terminal, the time, the directory... I don't use .bash_history but the history itself. Now the question is: will the history be reliable, will it be more useful than .bash_history, will it be legal? Also, because the script is executed as the user himself, I'm forced to append the command history to a file which has the chattr +a attribute set, so the user can put anything in the file. Any ideas to make it stealthy? BTW, I'm using the PROMPT_COMMAND variable.
There have been some good suggestions, though they'd be really easy to get around (python, perl, running another shell on top of the current one, etc.). I'm not sure how much it logs, but there's a kernel module (maybe it can be built in now?) called exec.c, http://home.xnet.com/~perly/exec.c . It logs stuff to kern.info like this:

EXECVE(UID)[PID]: program arg1 arg2 ... argN

I'm guessing you could set up one of the alternate sysloggers to sort out different users, etc. It works on the kernel level, so it'd be pretty hard to get around.

-Brian
(patiently awaiting 400 billion I'm-on-vacation messages :) )
(4th try on forging mail from myself now :) )
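As an added example (not code from the thread, nor from exec.c's author), the per-user sorting Brian suggests, done with sed and awk over constructed kern.info lines in the EXECVE(UID)[PID] format he quotes; the syslog prefix (timestamp, hostname, "kernel:") is an assumption about how the lines land in the log. The third function picks out interpreters and shells started by non-root users: whatever those programs go on to execute never appears in the calling shell's history, which is exactly the gap Brian points at in the PROMPT_COMMAND and .bash_history approaches.

```shell
#!/bin/sh
# Added example: sort EXECVE(UID)[PID] log lines by user and flag interpreter execs.
# SAMPLE_LOG is constructed test data, not real kernel output; the syslog prefix
# before "EXECVE" is assumed and is ignored by every pattern below.

SAMPLE_LOG='Aug 16 10:01:02 host kernel: EXECVE(1000)[4242]: /bin/ls -la /tmp
Aug 16 10:01:05 host kernel: EXECVE(1000)[4243]: /usr/bin/perl -e system("id")
Aug 16 10:01:09 host kernel: EXECVE(0)[4244]: /usr/sbin/sshd -D
Aug 16 10:01:15 host kernel: EXECVE(1001)[4245]: /bin/sh -c id
Aug 16 10:01:20 host kernel: some unrelated kernel message'

# Distinct UIDs that executed anything, ascending, space separated.
# Lines without an EXECVE record are dropped by "sed -n ... p".
execve_uids() {
    printf '%s\n' "$SAMPLE_LOG" |
        sed -n 's/.*EXECVE(\([0-9][0-9]*\))\[[0-9][0-9]*\]: .*/\1/p' |
        sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Everything one UID ran, as "PID program args", one per line. This is the
# per-user split a syslogger could write to /var/log/histories/<uid>-style files.
execve_for_uid() {
    printf '%s\n' "$SAMPLE_LOG" |
        sed -n "s/.*EXECVE($1)\[\([0-9][0-9]*\)\]: \(.*\)/\1 \2/p"
}

# Shells and interpreters started by non-root users, as "UID PID program".
# The program is the first word after the record header; the awk filter keeps
# only basenames sh, bash, perl or python and drops UID 0.
flag_interpreters() {
    printf '%s\n' "$SAMPLE_LOG" |
        sed -n 's/.*EXECVE(\([0-9][0-9]*\))\[\([0-9][0-9]*\)\]: \([^ ]*\).*/\1 \2 \3/p' |
        awk '$1 != 0 && $3 ~ /(^|\/)(sh|bash|perl|python)$/'
}
```

To run this over a real log, replace the printf with cat on whichever file kern.info is routed to; the sed expressions do not depend on the prefix, so a syslogger that already splits by facility can feed them unchanged.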