Log/Audit all user commands
Hi, I am having a little problem I need to solve quickly. I have one intruder (long to explain now) who edited the passwd file and set his user with id 0 (as root). I don't want to block him. I want to log all his actions, moves, commands, etc. How can I do that? Thanks in advance!
Ricardo Toma wrote:
I want to log all his actions, moves, commands, etc. How can I do that?
Hints:
If you have a kernel compiled with the 'BSD accounting' option, start accounting via '/etc/init.d/acct start'. But it's a PITA to find out what he's done from the protocol file acct generates...
If he's using bash and is stupid enough to have a .bash_history in his home, set a (hard) link to that file and set his HISTFILESIZE environment variable to 5000 or higher.
Take a look at the man page of script...
If he logs in from console, a tty sniffer would be interesting :)
If he's coming from outside, you may want to use 'tcpdump -s 0' or another fine sniffer to log all his activity.
Anyway, I wouldn't let him play with my box for a long time...
HTH GTi
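The "PITA" part of the first hint is reading the binary accounting file. As an added example (not from the thread or from the acct package), here is a small parser for that file that lists the commands run under a given uid. It assumes the struct acct_v3 layout from linux/acct.h (64-byte records, native byte order, as written by 2.6+ kernels); the 2.4-era kernels of this thread wrote an older layout, so ACCT_V3 would need adapting for those. The file path is a placeholder, and the sample records are constructed inline.

```python
"""Read a BSD process-accounting file (what `accton` / `/etc/init.d/acct start`
makes the kernel append to) and list the commands a given uid ran."""
import struct
import time

# struct acct_v3 (linux/acct.h): flag, version, tty, exitcode, uid, gid, pid, ppid,
# btime, etime (float), eight comp_t counters, 16-byte command name. 64 bytes.
ACCT_V3 = struct.Struct("=BBHIIIIIIfHHHHHHHH16s")
ASSUMED_PATH = "/var/account/pacct"  # placeholder; use the path accton was started with

# ac_flag bits from linux/acct.h
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10
FLAG_NAMES = {AFORK: "AFORK", ASU: "ASU", ACORE: "ACORE", AXSIG: "AXSIG"}


def decode_comp_t(c):
    """comp_t packs a tick count as a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def flag_names(flag):
    return [name for bit, name in FLAG_NAMES.items() if flag & bit]


def parse_pacct(data):
    """Return one dict per complete 64-byte record.

    A trailing partial record (left behind by a crash, or by copying the file
    while the kernel is still writing) is ignored rather than raising."""
    records = []
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        (flag, version, tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, mem, io, rw, minflt, majflt, swaps, comm) = ACCT_V3.unpack_from(data, off)
        if version & 0x0F != 3:
            raise ValueError(f"unsupported acct record version {version & 0x0F} at offset {off}")
        records.append({
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid,
            "btime": btime,                      # process start time, seconds since epoch
            "utime_ticks": decode_comp_t(utime),
            "stime_ticks": decode_comp_t(stime),
            "exitcode": exitcode,
            "flags": flag_names(flag),           # ASU = used superuser privileges
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
        })
    return records


def commands_by_uid(records, uid=0):
    """Command names run under `uid`, in the order the kernel wrote them
    (records are written at process exit, so this is exit order, not start order)."""
    return [r["comm"] for r in records if r["uid"] == uid]


def report(records, uid=0):
    """Human-readable lines for every record belonging to `uid` (UTC timestamps)."""
    lines = []
    for r in records:
        if r["uid"] != uid:
            continue
        when = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r["btime"]))
        lines.append(f"{when} uid={r['uid']} pid={r['pid']} ppid={r['ppid']} "
                     f"{r['comm']:<16} flags={','.join(r['flags']) or '-'} exit={r['exitcode']}")
    return lines


# --- constructed sample data, not a real pacct file -------------------------
def _make_record(uid, comm, flag=0, btime=1054080000, exitcode=0, utime=3):
    name = comm.encode("ascii")[:16].ljust(16, b"\0")
    return ACCT_V3.pack(flag, 3, 0, exitcode, uid, uid, 4242, 4200, btime, 0.5,
                        utime, 0, 0, 0, 0, 0, 0, 0, name)


SAMPLE_PACCT = b"".join([
    _make_record(1000, "ls"),
    _make_record(0, "vi", flag=ASU, btime=1054080060),
    _make_record(0, "rm", flag=ASU, btime=1054080090, exitcode=1),
]) + b"\x00" * 10   # trailing partial record, as left by an unclean shutdown


if __name__ == "__main__":
    try:
        with open(ASSUMED_PATH, "rb") as f:
            data = f.read()
    except OSError:
        data = SAMPLE_PACCT   # fall back to the constructed sample
    print("\n".join(report(parse_pacct(data), uid=0)))
```

Accounting only records the command name (16 bytes, no arguments) and only when the process exits, so a still-running shell never shows up; it is a timeline of what was executed, not a keystroke log, and like every file on the box it can be wiped by a uid-0 intruder unless it is copied off-host regularly.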
On Wed, 28 May 2003, Ricardo Toma wrote:
Hi, I am having a little problem I need to solve quickly. I have one intruder (long to explain now) which edited the passwd file and set his user with 0 id (as root). I don't want to block him. I want to log all his actions, moves, commands, etc. How can I do that?
What about setting up a script to email his bash log file (and other log files) to your external email account, on a separate remote machine, each time he does something? Would this be a safe thing to do? Don't want to email rogue scripts to other people's mail servers.
You should have copies of his logs then, that he is not able to delete.
You can retrieve them, when you collect your email from the remote mail server.
Just an idea. I have not tried this in practice, as I'm the only user (AFAIK!) on my machine. I don't know what security issues would be involved.
You would get a new email for each action performed by the attacker.
You could then check and delete the emailed log files, and save the ones you want to keep for later use.
Regards - Keith Roberts
PS are you using the shadow password suite as well?
First: I answered privately to <lists@nolog.org> because of an error. I don't have the "sent emails" here in Yahoo. Maybe <lists@nolog.org> would be so kind to resend my email to the list? I am sorry... Second: That's a good idea! Is bash_history effective? How would you write that script? What's "shadow password suite"? Thanks!! --- keith@topaz5.worldonline.co.uk wrote:
Hello Ricardo, Ricardo Toma wrote:
First: I answered privately to <lists@nolog.org> because of an error.
my name is Martin. Some people gave me other, emm, names I don't want to mention here, but you are the first calling me lists@nolog.org...
I don't have the "sent emails" here in Yahoo. Maybe <lists@nolog.org> would be so kind to resend my email to the list? I am sorry...
No problem. Here we go: Ricardo Toma wrote:
--- Martin Peikert <lists@nolog.org> wrote: > Ricardo Toma wrote
If he logs in from console, a tty sniffer would be interesting :)
What's a tty sniffer?
A tty sniffer logs all outgoing commands from a console. Take a look at ttysnoop - see http://www.linuxhelp.ca/guides/ttysnoop/
If he's coming from outside, you may want to use 'tcpdump -s 0' or another fine sniffer to log all his activity.
That's quite interesting but it's a little complicated to really 'see' what he is doing. And more if he uses SSH.
Right.
Isn't there a already programmed app that simply logs all the user commands (better that history_bash) and saves it into a secure place?
No place on your box is secure if his uid is 0. Try to log to another host, if you're in a network.
And that the user can't delete it? Or sends it by mail?
If he's inexperienced, maybe 'chattr +a' would help to keep him from deleting logs...
Anyway, I wouldn't let him play with my box for a long time...
...remember, some seconds are enough to type 'cd /' and 'rm -fr *'. Do us all a favour: unplug the fucking cable and rebuild from scratch. HTH GTi
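Both Keith's suggestion (ship the history file somewhere he can't delete it) and Martin's ("try to log to another host") come down to forwarding each new line off the box as it appears. The following watcher is an added example, not code from the thread or from any SuSE package: it tails a history file, sends every completed line to a remote syslog receiver over UDP, and, since a uid-0 intruder can simply truncate, replace or unlink the file, reports those three events as alerts in their own right. The history path and the collector address are placeholders; the demo at the bottom runs against a constructed file in a temporary directory.

```python
"""Forward new shell-history lines to a remote syslog host, and alert when the
history file is truncated, replaced or removed."""
import os
import socket
import tempfile

HISTORY_PATH = "/home/intruder/.bash_history"  # placeholder, not from the thread
REMOTE_SYSLOG = ("logs.example.invalid", 514)    # placeholder collector address


def collect(path, state):
    """Return new (kind, text) events since the last call and advance `state`.

    state = {"offset": bytes already forwarded, "inode": inode seen last time}.
    kind is "cmd" for a history line and "alert" for tampering with the file."""
    events = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        if state.get("inode") is not None:
            events.append(("alert", "history file removed"))
        state["offset"], state["inode"] = 0, None
        return events
    if state.get("inode") is not None and st.st_ino != state["inode"]:
        events.append(("alert", "history file replaced (inode changed)"))
        state["offset"] = 0
    elif st.st_size < state.get("offset", 0):
        events.append(("alert", f"history file truncated from {state['offset']} to {st.st_size} bytes"))
        state["offset"] = 0
    state["inode"] = st.st_ino
    with open(path, "rb") as f:
        f.seek(state.get("offset", 0))
        data = f.read()
    # Only forward complete lines; a half-written last line is picked up next round.
    complete, sep, _partial = data.rpartition(b"\n")
    if sep:
        for line in complete.split(b"\n"):
            if line:
                events.append(("cmd", line.decode("utf-8", "replace")))
        state["offset"] = state.get("offset", 0) + len(complete) + 1
    return events


def syslog_udp_sink(addr, tag="histwatch"):
    """Return a sender that ships one event in RFC 3164 framing (<PRI>TAG: text).
    Facility auth (4); severity crit for alerts, info for ordinary lines."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(kind, text):
        severity = 2 if kind == "alert" else 6
        sock.sendto(f"<{4 * 8 + severity}>{tag}: {kind} {text}".encode("utf-8"), addr)
    return send


def forward(path, state, sink):
    """One polling round: collect new events and hand each to `sink`. Returns the count."""
    events = collect(path, state)
    for kind, text in events:
        sink(kind, text)
    return len(events)


def run_demo():
    """Exercise collect() against a constructed history file (not real data)."""
    rounds = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".bash_history")
        state = {}
        with open(path, "w") as f:
            f.write("id\nwhoami\n")
        rounds.append(collect(path, state))
        with open(path, "a") as f:
            f.write("cat /etc/passwd\nvi /etc/pass")      # last line still being written
        rounds.append(collect(path, state))
        with open(path, "a") as f:
            f.write("wd\n")
        rounds.append(collect(path, state))
        with open(path, "w") as f:                        # history wiped, then work continues
            f.write("ls\n")
        rounds.append(collect(path, state))
        os.unlink(path)
        rounds.append(collect(path, state))
    return rounds


if __name__ == "__main__":
    # For real use, persist `state` between runs and poll in a loop or from cron:
    #   forward(HISTORY_PATH, state, syslog_udp_sink(REMOTE_SYSLOG))
    for n, events in enumerate(run_demo(), 1):
        print(f"round {n}: {events}")
```

The watcher sees only what bash chooses to write: a shell started with HISTFILE unset, or one that is never exited cleanly, leaves nothing behind, which is why the thread's other advice (process accounting, a tty sniffer, and ultimately rebuilding) still stands.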
Second: That's a good idea! Is bash_history effective?
Not if your intruder has root access. All bash_history does is keep a record of keyboard strokes, in a plain text file.
How would you write that script?
That's just an idea I suggested. Someone else may have one written already. I don't have one. You may be able to use Perl. I'm into PHP4 at the moment.
What's "shadow password suite"?
Shadow password suite is on SuSE 8.1 CD-ROMs. Log on as root and in YaST you will find it under software install/delete. It seems to be installed by default on 8.1 Pro. Check out the general Security Quick-Start HOWTO for Linux by Hal Burgiss. I think he mentions shadow passwords in there somewhere. Basically shadow makes an encrypted copy of your normal password files, and uses them instead of the standard ones, so making it a lot harder for intruders to change password permissions. Your best bet is to re-install your system, and build some security measures into it before you get hacked. There's a lot of security stuff on the installation CD-ROMs. Regards - Keith Roberts.