PaulDotCom mailing list archives
Re: A logging root shell
From: Kevin Shortt <kevinshortt () gmail com>
Date: Mon, 12 Dec 2011 11:26:57 -0500
Also... a down side of capturing STDOUT (like with the script command) has confidentiality issues with auditors. Capturing confidential STDOUT data for later review by staff (say...log review staff), then there is a greater risk of confidential (possibly classified data) being breached by a common vector. Capturing STDIN and NOT STDOUT is an optimal control for accountability. HTH -Kevin On Tue, Dec 6, 2011 at 12:29 AM, Edward Frye <email () edwardfrye com> wrote:
In a previous life, I had a shell setup with something like exec script -c "/bin/bash --login" -f -q /logs/script.$USER.`date +%y%m%dT%H%M%S`.log The "exec" exits the current shell when launching the "script" command, so when the person exists the "bash --login" they are logged out of the box. There is a problem with this and that is if someone stays online for a long time and or they cat/tail large files, their output log gets really big. But you can see everything they see. How you could combine this with the syslog function, and see everything they see, and seperately what they type on the command line. On Mon, Dec 5, 2011 at 5:29 PM, Jon Schipp <jonschipp () gmail com> wrote:Just for fun: Thought of this for a quick solution but would/could be defeated easily. mkdir ~/.scripts echo 'script -q .scripts/$USER-`date +'%y-%m-%d_%M%S'`' >> ~/.profile or ~/.bash_profile and/or to ~./bashrc Script spawns a subshell so they could just issue 'exit' or 'logout' and get back to the parent shell. For that: alias exit='exit;exit' and alias logout='exit;exit' Probably have to do the same for ^D not sure how you would do that, you may be able to set two control sequences with stty. You could probably set traps on the subshell so they can't use various control characters. On Tue, Nov 22, 2011 at 6:26 PM, Jim Halfpenny <jim.halfpenny () gmail com>wrote:You can also evade this by running commands from within another program such as vi or by using the perl or python interpreter. Process accounting will record the commands that were executed but not any of the arguments. Hooking they exec system call might be a nice way to capture activity. Just some thoughts. Cheers, Jim On 22 November 2011 22:20, Champ Clark III [Quadrant] < cclark () quadrantsec com> wrote:Pretty cool. However, with the built in bash syslog of history, there's no way to evade and not scripting required. Of course, If you aren't using bash, then it really doesn't matter. Another point, when I do it with the built in bash syslog of history, I make sure I don't have any other shell's installed. It's be trivial to evade if the user just runs ash/ksh/csh/tcsh :) On Nov 22, 2011, at 2:01 PM, Nils wrote: Thanks for your valuable feedback! I got an other neat approach off-list which I want to share with you: [Quote] The step we use to pass that PCI requirement for linux is to put the following inside of /etc/profile PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER "$(history 1)" | logger -p local2.info -t "shell_history"' logger being the transport to syslog/syslog-ng/rsyslog. There are some sly tricks to evade it, but this will pass their requirement. Just make sure the syslogging facility you use is sending and logging it on a separate machine. I prefer rsyslog. [\Quote] Cheers, Nils Am 21.11.2011 17:03, schrieb Nils: Hi guys, I´m looking into solutions to comply with PCI DSS requirement 10.2.2: (Logging: All actions taken by any individual with root or administrative privileges) especially on Linux systems. Therefore I´ve checked for ways to provide a shell which is logging all actions taken. I stumbled upon stuff like: mkfifo myfifo; logger -f myfifo & script -f myfifo rootsh sudoshell (ss) What are your experiences in this realm? Best solution would be something done with on-board means or a provided package of the Linux distribution, in this case Debian. Thanks! Nils _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com Champ Clark III (office) 904.253.7856 (mobile) 850.443.2440 (SOC) 800.538.9357 ext 101 cclark () quadrantsec com www.quadrantsec.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com-- - Jon -- ------------------------------------------------------------------ VMB: 812-682-0231 Dubois County Linux User Group - http://www.dclinux.org Southern Indiana Computer Klub - http://sickbits.networklabs.org Bloomington FOOLS - http://www.bloomingtonfools.org/ BloomingLabs - http://www.bloominglabs.org ISSA-Kentuckiana - http://issa-kentuckiana.org GPG Key ID: 810903CB Key fingerprint = 0069 ED69 EABB DF84 5983 AD3C 6C20 BEFD 8109 03CB _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- A logging root shell Nils (Nov 21)
- Re: A logging root shell Owen Connolly (Nov 21)
- Re: A logging root shell Champ Clark III [Quadrant] (Nov 21)
- Re: A logging root shell Matt Erasmus (Nov 21)
- Re: A logging root shell Kevin Shaw (Nov 22)
- A logging root shell Nils (Nov 22)
- Re: A logging root shell Champ Clark III [Quadrant] (Nov 22)
- Re: A logging root shell Jim Halfpenny (Nov 22)
- Re: A logging root shell Jon Schipp (Dec 05)
- Re: A logging root shell Edward Frye (Dec 05)
- Re: A logging root shell Kevin Shortt (Dec 13)
- Re: A logging root shell Champ Clark III [Quadrant] (Nov 22)
- Re: A logging root shell Owen Connolly (Nov 21)
- <Possible follow-ups>
- Re: A logging root shell Geordy Rostad (Nov 22)
- Re: A logging root shell Mike Harris (Nov 22)
- Re: A logging root shell Nils (Nov 22)