Gentoo Forums
Logging user commands to syslog
kashani
Advocate


Joined: 02 Sep 2002
Posts: 2032
Location: San Francisco

PostPosted: Thu Feb 26, 2004 7:34 am    Post subject: Logging user commands to syslog

Heard rumors of a bash patch that allows this, and supposedly zsh can do it as well. Anyone played with this or have a howto you can point me to?

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
nephros
Advocate


Joined: 07 Feb 2003
Posts: 2139
Location: Graz, Austria (Europe - no kangaroos.)

PostPosted: Thu Feb 26, 2004 11:04 am    Post subject:

Please explain a bit better.
What do you want to do? Log everything any user does to syslog? (Which would be quite anal methinks :twisted: )

Or do you just want users to be able to write something to syslog? That's what the "logger" command is for.
_________________
Please put [SOLVED] in your topic if you are a moron.
kashani
Advocate


Joined: 02 Sep 2002
Posts: 2032
Location: San Francisco

PostPosted: Thu Feb 26, 2004 12:10 pm    Post subject:

Nope, I'm being anal. These are production boxes and the plan is to have a number of web developers, and I use the term loosely, written up for not following the change control procedures.

In any case, yes, I'd like to log all commands typed in the shell to syslog with a timestamp and the user who did it. I'd think it might look like this:

www01 root # more /var/log/bash/bash.log
tom - pts/1 - [26/Feb/2004:01:03:15 -0800] ls -la
tom - pts/1 - [26/Feb/2004:01:03:19 -0800] more /etc/resolv.conf
bob - pts/0 - [26/Feb/2004:01:05:11 -0800] vi /etc/apache/conf/httpd.conf

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
malloc
l33t


Joined: 19 Sep 2003
Posts: 762

PostPosted: Thu Feb 26, 2004 12:16 pm    Post subject:

Well, I don't know about the timestamps, but you can do a small script to dump the bash history log into a file.
Something like:
Code:

history >> /var/log/bash/user.log

AFAIK you need to create one of these for each user, then just put them in the user's crontab and voila. Try man bash, as it has some interesting topics on how to tweak the history log.
nephros
Advocate


Joined: 07 Feb 2003
Posts: 2139
Location: Graz, Austria (Europe - no kangaroos.)

PostPosted: Thu Feb 26, 2004 12:59 pm    Post subject:

I tried fooling around with the $PS1 bash variable (the prompt command). You can embed a command there and it will be executed every time the user hits return.
I didn't get it to work right now, but I'm pretty sure it's possible to do the logging there.
After that, all you have to do is prevent the user from changing $PS1 (by using a restricted bash) :twisted:
There is probably a better and more reliable solution, but this appears to be quite elegant.

EDIT: http://www.netsys.com/suse-linux-security/2003/05/msg00285.html
The "acct" tools are in portage.
_________________
Please put [SOLVED] in your topic if you are a moron.
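The prompt-hook idea above, worked through as an added example (not code from the thread): bash runs whatever is in PROMPT_COMMAND before printing each prompt, so a hook there can read the newest history entry and hand it to logger(1) under the "user" facility, which needs no privileges. The record layout is the one kashani sketched (user - tty - [timestamp] command). Assumptions: GNU date(1) and logger(1) are installed, and install_cmd_logging is called from a system-wide startup file such as /etc/bash/bashrc (path assumed, not stated in the thread). The readonly at the end only stops the variable being unset or reassigned in that session; it is an audit trail for people who skip change control, not a hard control.

```shell
#!/usr/bin/env bash
# Added example: log each interactive bash command to syslog via PROMPT_COMMAND.

# Format one record as "user - tty - [dd/Mon/yyyy:HH:MM:SS zone] command".
# $3 is epoch seconds; rendered in UTC (and the C locale) so output is stable.
format_cmd_log_line() {
    local user=$1 tty=$2 epoch=$3 cmd=$4 stamp
    stamp=$(LC_ALL=C date -u -d "@$epoch" '+%d/%b/%Y:%H:%M:%S %z') || return 1
    printf '%s - %s - [%s] %s\n' "$user" "$tty" "$stamp" "$cmd"
}

# `history 1` prints "  <num>  <command>"; pull out each half with sed so
# glob characters in the command text are never expanded by the shell.
history_entry_num() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}
history_entry_cmd() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*[0-9][0-9]*[[:space:]]*//'
}

# PROMPT_COMMAND fires on every prompt, including an empty Enter, so the
# hook must remember the last entry number it sent or it logs duplicates.
# $1 = current entry number, $2 = last number already logged.
is_new_history_entry() {
    [ -n "$1" ] && [ "$1" != "$2" ]
}

# The hook. State lives in __cmdlog_last (assumed, unused name).
__cmdlog_last=
log_last_command() {
    local entry num cmd line
    entry=$(HISTTIMEFORMAT= history 1) || return 0
    num=$(history_entry_num "$entry")
    is_new_history_entry "$num" "$__cmdlog_last" || return 0
    __cmdlog_last=$num
    cmd=$(history_entry_cmd "$entry")
    line=$(format_cmd_log_line "${SUDO_USER:-$USER}" \
                               "$(tty 2>/dev/null || echo notty)" \
                               "$(date +%s)" "$cmd")
    # user.notice is the facility the patch discussed later in the thread uses;
    # -t tags each line so it can be filtered at the syslog daemon.
    logger -p user.notice -t bash -- "$line"
}

# Call this from the system-wide bashrc. Non-interactive shells keep no
# history list, so there is nothing to hook there.
install_cmd_logging() {
    case $- in *i*) ;; *) return 0 ;; esac
    PROMPT_COMMAND=log_last_command
    readonly PROMPT_COMMAND
}
```

Because the record is built from the history list, a command that bash does not record (for example one ignored through HISTCONTROL) never reaches syslog either; the process-accounting "acct" tools nephros links are the stronger option when that matters.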
rewt
n00b


Joined: 19 Feb 2004
Posts: 58

PostPosted: Thu Feb 26, 2004 1:56 pm    Post subject:

malloc wrote:
Well, I don't know about the timestamps, but you can do a small script to dump the bash history log into a file.
Something like:
Code:

history >> /var/log/bash/user.log

AFAIK you need to create one of these for each user, then just put them in the user's crontab and voila. Try man bash, as it has some interesting topics on how to tweak the history log.


Interesting idea, but what would stop the user from simply removing it from their crontab?
_________________
Because sometimes peace is another word for surrender... and secrets have a way of getting out
kashani
Advocate


Joined: 02 Sep 2002
Posts: 2032
Location: San Francisco

PostPosted: Thu Feb 26, 2004 10:28 pm    Post subject:

None of this is workable because they all lack definitive timestamps. What's the point if you can't tell when someone did something? Going through the link posted gave me a few ideas of searches to try, and I did find this.

http://www.ccitt5.net/archives/bash-bofh-2.05b-0.0.1.tar.gz
What this patch does is basically to log commands run from bash to syslog
under the USER facility. The advantage of this is that a program does not
need elevated privileges to send to syslog, so a shell run by a user can log
the commands the user issues to syslog, but (providing you have sane syslog
file permissions) the user cannot modify or erase log entries like they can
with their .bash_history, which contains pretty much the same information but
is owned by the user in his home directory and is also possible to evade by
setting the HISTFILE variable to NULL.

There are a number of ways to get around this, but I think it's good enough to smack the developers around a bit without having to resort to kernel-level accounting and the performance hit that usually goes with it. Not to mention, if they were smart enough to avoid accounting, they'd be smart enough not to try new ideas on production servers.

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
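The patch's tamper resistance rests on the condition quoted above, "sane syslog file permissions": the shell can append through syslog, but the resulting file must not be writable by the users being logged. The following is an added example, not from the thread or the patch, that checks a log file for exactly that, and additionally for world-readability, since command lines routinely carry passwords and tokens as arguments. It uses GNU stat(1); the file paths in audit_syslog_files are assumed defaults, not taken from the thread.

```shell
#!/usr/bin/env bash
# Added example: verify that a syslog output file cannot be altered or read
# by the unprivileged users whose commands it records.

# $1 = file, $2 = expected owner name. Returns 0 when sane, 1 otherwise,
# and prints a one-line reason either way so a caller can report it.
check_log_perms() {
    local file=$1 owner=$2 actual_owner mode group_digit other_digit rest
    [ -f "$file" ] || { printf '%s: missing\n' "$file"; return 1; }
    actual_owner=$(stat -c '%U' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    # Octal mode string: the last digit is "other", the one before is "group".
    other_digit=${mode#"${mode%?}"}
    rest=${mode%?}
    group_digit=${rest#"${rest%?}"}
    if [ "$actual_owner" != "$owner" ]; then
        printf '%s: owned by %s, expected %s\n' "$file" "$actual_owner" "$owner"
        return 1
    fi
    # Write bit (2) for group or other lets a non-owner rewrite the trail.
    if [ $(( group_digit & 2 )) -ne 0 ] || [ $(( other_digit & 2 )) -ne 0 ]; then
        printf '%s: mode %s is group/world-writable\n' "$file" "$mode"
        return 1
    fi
    # Read bit (4) for other exposes every logged command line to all users.
    if [ $(( other_digit & 4 )) -ne 0 ]; then
        printf '%s: mode %s is world-readable\n' "$file" "$mode"
        return 1
    fi
    printf '%s: ok (%s %s)\n' "$file" "$actual_owner" "$mode"
}

# Check the usual destinations of the "user" facility (assumed locations;
# adjust to whatever syslog.conf routes user.* to). Returns 1 if any fail.
audit_syslog_files() {
    local rc=0 f
    for f in /var/log/messages /var/log/user.log; do
        [ -e "$f" ] || continue
        check_log_perms "$f" root || rc=1
    done
    return $rc
}
```

Run audit_syslog_files from cron on the production boxes; a non-zero exit means the trail the patch writes is only as trustworthy as the users it is meant to watch.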
malloc
l33t


Joined: 19 Sep 2003
Posts: 762

PostPosted: Sat Feb 28, 2004 11:26 am    Post subject:

kashani, I think you've struck gold here...
This patch seems to have a lot of potential...
I agree with you that it's a bit stupid that something like this isn't implemented by default in such a widely used shell as bash.
Perhaps if we contact the devs they could put this feature in a new release.