kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Thu Feb 26, 2004 7:34 am Post subject: Logging user commands to syslog
Heard rumors of a bash patch that allows this, and supposedly zsh can do it as well. Anyone played with this or have a howto you can point me to?
kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.

nephros Advocate
Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
Posted: Thu Feb 26, 2004 11:04 am
Please explain a bit better.
What do you want to do? Log everything any user does to syslog? (Which would be quite anal methinks)
Or do you just want users to be able to write something to syslog? That's what the "logger" command is for.
_________________
Please put [SOLVED] in your topic if you are a moron.

kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Thu Feb 26, 2004 12:10 pm
Nope, I'm being anal. These are production boxes and the plan is to have a number of web developers, and I use the term loosely, written up for not following the change control procedures.
In any case, yes I'd like to log all commands typed in the shell to syslog with a timestamp and user who did it. I'd think it might look like this:
www01 root # more /var/log/bash/bash.log
tom - pts/1 - [26/Feb/2004:01:03:15 -0800] ls -la
tom - pts/1 - [26/Feb/2004:01:03:19 -0800] more /etc/resolv.conf
bob - pts/0 - [26/Feb/2004:01:05:11 -0800] vi /etc/apache/conf/httpd.conf
kashani

malloc l33t
Joined: 19 Sep 2003 Posts: 762
Posted: Thu Feb 26, 2004 12:16 pm
Well, I don't know about the timestamps, but you can do a small script to dump the bash history log into a file.
Something like
Code:
history >> /var/log/bash/user.log
AFAIK you need to create one of these for each user, then just put them in the user's crontab and voila. Try man bash as it has some interesting topics on how to tweak the history log.

nephros Advocate
Joined: 07 Feb 2003 Posts: 2139 Location: Graz, Austria (Europe - no kangaroos.)
Posted: Thu Feb 26, 2004 12:59 pm
I tried fooling around with the $PS1 bash variable (the prompt command). You can embed a command there and it will be executed every time the user hits return.
I didn't get it to work right now but I'm pretty sure it's possible to do the logging there.
After that all you have to do is prevent the user from changing $PS1 (by using a restricted bash).
There is probably a better and more reliable solution but this appears to be quite elegant.
EDIT: http://www.netsys.com/suse-linux-security/2003/05/msg00285.html
The "acct" tools are in portage.

rewt n00b
Joined: 19 Feb 2004 Posts: 58
Posted: Thu Feb 26, 2004 1:56 pm
malloc wrote:
Well, I don't know about the timestamps, but you can do a small script to dump the bash history log into a file.
Something like
Code:
history >> /var/log/bash/user.log
AFAIK you need to create one of these for each user, then just put them in the user's crontab and voila. Try man bash as it has some interesting topics on how to tweak the history log.

Interesting idea, but what would stop the user simply removing it from their crontab?
_________________
Because sometimes peace is another word for surrender... and secrets have a way of getting out

kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Thu Feb 26, 2004 10:28 pm
None of this is workable because they all lack definitive time stamps. What's the point if you can't tell when someone did something? Going through the link posted gave me a few ideas of searches to try and I did find this.
http://www.ccitt5.net/archives/bash-bofh-2.05b-0.0.1.tar.gz
What this patch does is basically to log commands run from bash to syslog
under the USER facility, the advantage of this is that a program does not
need elevated privileges to send to syslog, so a shell run by a user can log
the commands the user issues to syslog but (providing you have sane syslog
file permissions) the user cannot modify or erase log entries like they can
with their .bash_history which contains pretty much the same information but
is owned by the user in his home directory and also is possible to evade by
setting the HISTFILE variable to NULL.
There are a number of ways to get around this, but I think it's good enough to smack the developers around a bit without having to resort to kernel level accounting and the performance hit that usually goes with it. Not to mention if they were smart enough to avoid accounting they'd be smart enough not to try new ideas on production servers.
kashani
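
One way to produce the log layout asked for earlier in the thread with a prompt hook and the syslog user facility, as an added example that is not from the thread or the bash-bofh patch. It uses bash's PROMPT_COMMAND variable rather than $PS1; the audit_* function names, the bash-audit tag and the user.notice priority are assumptions.

```shell
#!/bin/bash
# Added example (not the bash-bofh patch); all audit_* names are hypothetical.

# "  512  ls -la" (output of `history 1`) -> "512"
audit_histnum() {
    printf '%s' "$1" | sed -n -e '1s/^ *\([0-9][0-9]*\).*/\1/p'
}

# "  512  ls -la" -> "ls -la" (a "*" after the number marks an edited entry)
audit_strip_histnum() {
    printf '%s' "$1" | sed -e '1s/^ *[0-9][0-9]*[*]\{0,1\} *//'
}

# Turn control characters (newlines included) into spaces so a multi-line
# command stays one log record and cannot forge a second one.
audit_sanitize() {
    printf '%s' "$1" | tr '[:cntrl:]' ' '
}

# Layout asked for in the thread: user - tty - [timestamp] command
audit_format() {    # args: user tty timestamp command
    printf '%s - %s - [%s] %s' "$1" "$2" "$3" "$(audit_sanitize "$4")"
}

# Runs before every prompt; sends the newest history entry to syslog once.
audit_log_last() {
    audit_entry=$(HISTTIMEFORMAT= history 1)
    audit_num=$(audit_histnum "$audit_entry")
    # First call only remembers the entry loaded from the history file.
    if [ -z "${AUDIT_LAST_NUM-}" ]; then AUDIT_LAST_NUM=${audit_num:-0}; return 0; fi
    # A bare Enter leaves the history number unchanged: nothing to log.
    if [ -z "$audit_num" ] || [ "$audit_num" = "$AUDIT_LAST_NUM" ]; then return 0; fi
    AUDIT_LAST_NUM=$audit_num
    audit_tty=$(tty 2>/dev/null); audit_tty=${audit_tty#/dev/}
    # id -un resolves the effective UID instead of trusting $USER.
    logger -p user.notice -t bash-audit "$(audit_format "$(id -un)" \
        "$audit_tty" "$(date '+%d/%b/%Y:%H:%M:%S %z')" \
        "$(audit_strip_histnum "$audit_entry")")"
}

# Install for interactive bash only, e.g. sourced from a system-wide bashrc.
if [ -n "${BASH_VERSION-}" ]; then
    case $- in *i*)
        HISTCONTROL=    # keep repeated and space-prefixed commands in history
        PROMPT_COMMAND=audit_log_last
        readonly PROMPT_COMMAND HISTCONTROL ;;
    esac
fi
```

With a syslog rule that writes user.* messages to a root-owned file, users can append records but not edit them, which is the property the patch description relies on. A shell hook of this kind only covers interactive bash sessions.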

malloc l33t
Joined: 19 Sep 2003 Posts: 762
Posted: Sat Feb 28, 2004 11:26 am
kashani, I think you've struck gold here...
This patch seems to have a lot of potential...
I agree with you in the fact that it's a bit stupid that something like this isn't implemented by default in such a widely used shell as bash is.
Perhaps if we contact the devs they could put this feature in a new release.