Re: A logging root shell

[Kevin Shortt <kevinshortt () gmail com>]

Also... a down side of capturing STDOUT (like with the script command) has
confidentiality issues with auditors.  Capturing confidential STDOUT data
for later review by staff (say...log review staff), then there is a greater
risk of confidential (possibly classified data) being breached by a common
vector.

Capturing STDIN and NOT STDOUT is an optimal control for accountability.

HTH

-Kevin




On Tue, Dec 6, 2011 at 12:29 AM, Edward Frye <email () edwardfrye com> wrote:

> In a previous life, I had a shell setup with something like
>
> exec script -c "/bin/bash --login" -f -q /logs/script.$USER.`date
> +%y%m%dT%H%M%S`.log
>
> The "exec" exits the current shell when launching the "script" command, so
> when the person exists
> the "bash --login" they are logged out of the box.
>
> There is a problem with this and that is if someone stays online for a
> long time and or they cat/tail
> large files, their output log gets really big. But you can see everything
> they see.
>
> How you could combine this with the syslog function, and see everything
> they see, and seperately
> what they type on the command line.
>
>
>
> On Mon, Dec 5, 2011 at 5:29 PM, Jon Schipp <jonschipp () gmail com> wrote:
>
> > Just for fun:
> >
> > Thought of this for a quick solution but would/could be defeated easily.
> >
> > mkdir ~/.scripts
> > echo 'script -q .scripts/$USER-`date +'%y-%m-%d_%M%S'`' >> ~/.profile or
> > ~/.bash_profile and/or to ~./bashrc
> >
> > Script spawns a subshell so they could just issue 'exit' or 'logout' and
> > get back to the parent shell.
> > For that: alias exit='exit;exit' and alias logout='exit;exit'
> >
> > Probably have to do the same for ^D not sure how you would do that, you
> > may be able to set two control sequences with stty.
> >
> > You could probably set traps on the subshell so they can't use various
> > control characters.
> >
> >
> >
> > On Tue, Nov 22, 2011 at 6:26 PM, Jim Halfpenny <jim.halfpenny () gmail com>wrote:
> >
> > > You can also evade this by running commands from within another program
> > > such as vi or by using the perl or python interpreter. Process accounting
> > > will record the commands that were executed but not any of the arguments.
> > > Hooking they exec system call might be a nice way to capture activity. Just
> > > some thoughts.
> > >
> > > Cheers,
> > > Jim
> > >
> > >
> > > On 22 November 2011 22:20, Champ Clark III [Quadrant] <
> > > cclark () quadrantsec com> wrote:
> > >
> > > > Pretty cool.  However,  with the built in bash syslog of history,
> > > >  there's no way to evade and not scripting required.  Of course,  If you
> > > > aren't using bash,  then it really doesn't matter.
> > > >
> > > > Another point,  when I do it with the built in bash syslog of history,
> > > >  I make sure I don't have any other shell's installed.  It's be trivial to
> > > > evade if the user just runs ash/ksh/csh/tcsh :)
> > > >
> > > > On Nov 22, 2011, at 2:01 PM, Nils wrote:
> > > >
> > > >  Thanks for your valuable feedback!
> > > > I got an other neat approach off-list which I want to share with you:
> > > >
> > > > [Quote]
> > > > The step we use to pass that PCI requirement for linux is to put the
> > > > following inside of /etc/profile
> > > > PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER
> > > > "$(history 1)" | logger -p local2.info -t "shell_history"'
> > > > logger being the transport to syslog/syslog-ng/rsyslog.
> > > > There are some sly tricks to evade it, but this will pass their
> > > > requirement.  Just make sure the syslogging facility you use is sending and
> > > > logging it on a separate machine.
> > > > I prefer rsyslog.
> > > > [\Quote]
> > > >
> > > > Cheers,
> > > > Nils
> > > >
> > > > Am 21.11.2011 17:03, schrieb Nils:
> > > >
> > > > Hi guys,
> > > > I´m looking into solutions to comply with PCI DSS requirement 10.2.2:
> > > > (Logging: All actions taken by any individual with root or administrative
> > > > privileges)  especially on Linux systems.
> > > > Therefore I´ve checked for ways to provide a shell which is logging all
> > > > actions taken.
> > > > I stumbled upon stuff like:
> > > > mkfifo myfifo; logger -f myfifo & script -f myfifo
> > > > rootsh
> > > > sudoshell (ss)
> > > >
> > > > What are your experiences in this realm?
> > > > Best solution would be something done with on-board means or a provided
> > > > package of the Linux distribution, in this case Debian.
> > > >
> > > >
> > > > Thanks!
> > > > Nils
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > >
> > > >
> > > >  _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > > >
> > > >
> > > >
> > > >
> > > > Champ Clark III
> > > > (office) 904.253.7856
> > > > (mobile) 850.443.2440
> > > > (SOC) 800.538.9357 ext 101
> > > > cclark () quadrantsec com
> > > > www.quadrantsec.com
> > > >
> > > >
> > > > _______________________________________________
> > > > Pauldotcom mailing list
> > > > Pauldotcom () mail pauldotcom com
> > > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > > Main Web Site: http://pauldotcom.com
> > >
> > >
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > Pauldotcom () mail pauldotcom com
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> >
> >
> >
> > --
> > - Jon
> > --
> > ------------------------------------------------------------------
> >
> > VMB: 812-682-0231
> >
> > Dubois County Linux User Group - http://www.dclinux.org
> > Southern Indiana Computer Klub - http://sickbits.networklabs.org
> > Bloomington FOOLS - http://www.bloomingtonfools.org/
> > BloomingLabs -  http://www.bloominglabs.org
> > ISSA-Kentuckiana  -  http://issa-kentuckiana.org
> >
> > GPG Key ID: 810903CB
> > Key fingerprint = 0069 ED69 EABB DF84 5983  AD3C 6C20 BEFD 8109 03CB
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom () mail pauldotcom com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com