
[ale] Need a method of recording command line operations for auditing purposes



In Gentoo there is a use keyword to turn on command logging to syslog. Below
is the patch file in case you were interested...

$ cat /usr/portage/app-shells/bash/files/bash-3.1-bash-logger.patch

Add support for logging bash commands via syslog().
Useful for deploying in honeypot environments.

http://bugs.gentoo.org/91327
http://www.nardware.co.uk/Security/html/bashlogger.htm

--- bashhist.c
+++ bashhist.c
@@ -705,7 +705,7 @@
 {
   hist_last_line_added = 1;
   hist_last_line_pushed = 0;
-  add_history (line);
+  add_history (line, 1);
   history_lines_this_session++;
 }
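Review bot: the hard-coded 1 here is inside bash_add_history, which bash only reaches after maybe_add_history has applied the user's HISTCONTROL and HISTIGNORE settings, so any line the user has configured the shell to keep out of history never reaches syslog either; if this is meant as an audit trail, either make the syslog call before those user-controlled filters or state the limitation in the patch description. The new second argument also changes the signature of every add_history call in bash, so any caller not touched by this patch will fail to compile.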

--- lib/readline/histexpand.c
+++ lib/readline/histexpand.c
@@ -1222,9 +1222,7 @@

   if (only_printing)
     {
-#if 0
-      add_history (result);
-#endif
+      add_history (result, 1);
       return (2);
     }
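Review bot: this turns a call that was compiled out under `#if 0` into a live one, so a history expansion that only prints (the `:p` modifier) now both logs and pushes the expanded text onto the history list, where bash's own pre-processing in bashhist.c may add it a second time; check for duplicated entries and, if only the log line is wanted, call syslog here without add_history. Since this is lib/readline, the behaviour change also reaches any program built against the bundled readline, not just bash.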

--- lib/readline/histfile.c
+++ lib/readline/histfile.c
@@ -262,7 +262,7 @@
   {
     if (HIST_TIMESTAMP_START(line_start) == 0)
       {
- add_history (line_start);
+ add_history (line_start, 0);
  if (last_ts)
   {
     add_history_time (last_ts);
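Review bot: passing 0 when reading the saved history file back is the right choice, since otherwise every line in ~/.bash_history would be replayed into syslog at each shell start and pad the audit log with stale entries; a one-line comment stating that is worth adding so a later contributor does not "fix" it to 1. The `-`/`+` lines in this hunk are also indented differently from the surrounding context, so the hunk should be regenerated to apply cleanly under strict patch settings.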
--- lib/readline/history.c
+++ lib/readline/history.c
@@ -31,6 +31,8 @@

 #include <stdio.h>

+#include <syslog.h>
+
 #if defined (HAVE_STDLIB_H)
 #  include <stdlib.h>
 #else
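Review bot: <syslog.h> is included unconditionally here, but the new code in add_history also needs <string.h> for strlen/memcpy and <unistd.h>/<sys/types.h> for getpid/getuid, which readline's history.c only pulls in under HAVE_STRING_H/HAVE_UNISTD_H guards; add those includes explicitly, and consider guarding the whole feature with a configure check such as HAVE_SYSLOG_H the way the neighbouring headers are handled, since not every platform readline builds on has syslog. There is also no openlog() call anywhere in the patch, so the log ident will be whatever the C library picks by default.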
@@ -246,10 +250,23 @@
 /* Place STRING at the end of the history list.  The data field
    is  set to NULL. */
 void
-add_history (string)
-     const char *string;
+add_history (string, logme)
+     const char *string;
+     int logme; /* 0 means no sending history to syslog */
 {
   HIST_ENTRY *temp;
+  if (logme) {
+    char trunc[600]; /* arbitrary max size of 600 bytes */
+    if (strlen(string) < sizeof(trunc)) {
+      syslog(LOG_LOCAL5 | LOG_INFO, "HISTORY: PID=%d UID=%d %s",
+        getpid(), getuid(), string);
+    } else {
+      memcpy(trunc, string, sizeof(trunc));
+      trunc[sizeof(trunc) - 1] = '\0';
+      syslog(LOG_LOCAL5 | LOG_INFO, "HISTORY: PID=%d UID=%d %s(++TRUNC)",
+        getpid(), getuid(), trunc);
+    }
+  }

   if (history_stifled && (history_length == history_max_entries))
     {
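Review bot: the truncation path is memory-safe (strlen(string) >= sizeof(trunc) guarantees at least 600 readable bytes, and the terminator is written), and string is passed as a syslog argument rather than as the format, so there is no format-string issue; the real weakness is that this only runs when the command reaches the history mechanism, and history recording is an interactive shell option under the user's control, so this is a deterrent rather than the tamper-proof record the thread asked for and should be paired with process accounting or a kernel audit facility. Every argument typed at the prompt goes to LOG_LOCAL5 at LOG_INFO, including any passwords passed on a command line, so that facility must be routed to a root-only file, preferably on a remote log host. Control characters and newlines in string are passed through unescaped, so log consumers should not rely on one record per line. Minor: getuid() records the real uid after any `su`, with no link back to the original login; logging the login name or session id alongside would make the trail more useful.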
--- lib/readline/history.h
+++ lib/readline/history.h
@@ -80,7 +80,7 @@

 /* Place STRING at the end of the history list.
    The associated data field (if any) is set to NULL. */
-extern void add_history PARAMS((const char *));
+extern void add_history PARAMS((const char *, int ));

 /* Change the timestamp associated with the most recent history entry to
    STRING. */
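Review bot: changing the public add_history prototype breaks source compatibility for any program built against this readline (the header is installed for other consumers, not only for bash); keep `add_history(const char *)` as it is and add a second entry point such as add_history_log(const char *, int), or make the old name a thin wrapper that passes 1. The stray space in `int )` should also go.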



On Wed, Jun 16, 2010 at 8:37 PM, Chris Fowler
<cfowler at outpostsentinel.com> wrote:

> On Wed, 2010-06-16 at 16:02 -0400, James Taylor wrote:
> > the acct package is part of the distribution.
> > I need to look at in more depth, but it looks promising.
> > -jt
> >
> > >>> "James Taylor" <James.Taylor at eastcobbgroup.com> 6/16/2010  09:50 AM
> >>>
> > Is there a good method for auditing command line operations, similar to
> bash_history that is not accessible to the user? bash_history is functional,
> but can be edited or deleted by the user.
> > Something that is included with a SLES distribution is highly desirable,
> but if there are some good options, one of them may already be there.
> > I've had one suggestion for snoopy, but I don't think it's included with
> SLES.
> > Thanks,
> > -jt
> >
>
> You might try to incorporate an exec of script into their bash_profile.
> First try it with hidden directories in the home.
>
> # bash_profile
>
> # Stuff here
>
> mkdir ~/.audit
> exec script -qf ~/.audit/script.`date +%s`
>
> -q is quiet to not alert them
> -f flushes after each write so that you could be on another terminal and
> executing tail -f against the file.
>
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
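As an added example, not code from the thread or from the Gentoo patch: a small parser for the syslog records the patch emits (`HISTORY: PID=<pid> UID=<uid> <command>`, with `(++TRUNC)` appended when the command was cut at 599 bytes), summarising commands per UID and pulling out truncated entries so an auditor can spot lines that lost their tail. The syslog prefix (timestamp, host and the `bash:` ident) and the sample lines are constructed assumptions; the patch never calls openlog(), so the real ident depends on the C library default on the logging host.

```python
import re
from collections import Counter, namedtuple

# One parsed audit record. 'truncated' is True when the patch appended
# (++TRUNC) because the command was longer than its 600-byte buffer.
Record = namedtuple("Record", "ts host pid uid command truncated")

TRUNC_MARK = "(++TRUNC)"

# Traditional syslog prefix followed by the patch's message body. The ident
# ("bash:") is an assumption: the patch never calls openlog(), so the real
# ident is whatever the C library uses by default.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+?: "
    r"HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$"
)


def parse_line(line):
    """Return a Record for a bash-logger syslog line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    cmd = m.group("cmd")
    truncated = cmd.endswith(TRUNC_MARK)
    if truncated:
        cmd = cmd[: -len(TRUNC_MARK)]
    return Record(m.group("ts"), m.group("host"), int(m.group("pid")),
                  int(m.group("uid")), cmd, truncated)


def summarize(lines):
    """Count commands per UID and collect truncated records.

    Returns (per_uid Counter, list of truncated Records, number of lines
    that were not bash-logger records at all).
    """
    per_uid = Counter()
    truncated = []
    other = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            other += 1
            continue
        per_uid[rec.uid] += 1
        if rec.truncated:
            truncated.append(rec)
    return per_uid, truncated, other


# Constructed sample input, not captured from a real host.
SAMPLE_LINES = [
    "Jun 17 09:12:01 host1 bash: HISTORY: PID=4321 UID=1000 ls -la /etc",
    "Jun 17 09:12:05 host1 bash: HISTORY: PID=4321 UID=1000 sudo vi /etc/sudoers",
    "Jun 17 09:13:10 host1 bash: HISTORY: PID=5000 UID=0 tail /var/log/messages",
    # A line the patch cut at 599 bytes ("echo " plus 594 characters),
    # so the body ends in the (++TRUNC) marker.
    "Jun 17 09:13:12 host1 bash: HISTORY: PID=4321 UID=1000 echo "
    + "A" * 594 + TRUNC_MARK,
    # Unrelated syslog traffic on the same facility is skipped, not misparsed.
    "Jun 17 09:14:00 host1 sshd[2222]: Accepted publickey for alice from 10.0.0.5",
]

if __name__ == "__main__":
    per_uid, trunc, other = summarize(SAMPLE_LINES)
    for uid, n in sorted(per_uid.items()):
        print("uid %d: %d commands" % (uid, n))
    for rec in trunc:
        print("truncated entry from pid %d (uid %d): %s..."
              % (rec.pid, rec.uid, rec.command[:40]))
    print("%d non-history lines ignored" % other)
```

Feeding the script a real LOCAL5 log instead of SAMPLE_LINES only requires replacing the list with the file's lines; the truncated list is the part worth reviewing by hand, because a 599-byte prefix can hide the arguments that mattered.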