Vulnerability Development mailing list archives

Re: History Files


From: Boris.Sagadin () AMIS NET (Boris Sagadin)
Date: Mon, 17 Apr 2000 12:28:55 +0200


I guess that this thread has been done to death by now, but I just wanted
to add a couple of ideas.  Would it be possible to wrap the exec()
syscalls, and write the UID and exec() args to syslog?  This would safely
write a log of all successful AND unsuccessful commands to a location
that is untouchable by non-root users.  I guess that you could even get
the call wrapper to check the return code from exec and write this to
syslog also.

 Not only possible, this has already been done, for 2.x kernels anyway:

 * exec.c 1.0.4 by Pat Szuta <perly () xnet com>
 *
 * exec.c is a kernel module which allows administrators to log all the
 * commands executed by users.  Although many have done this sort of
 * thing,  I haven't seen any public releases, so here it is.
 * The basic output looks like this:
Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax
 * The EXECVE()[] format is: EXECVE(UID)[PID].
 * I suggest redirecting kern.info to your own file, because that's where
 * exec.c will log its stuff. You can do this by adding this line to
 * your /etc/sysconf.log, and restarting it:
kern.info /path/to/myfile
...
...

exec.c should be available somewhere on packetstorm, or I can send it on
request.
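As an added example (not part of the original post or of exec.c itself), here is a small parser for the EXECVE(UID)[PID] syslog format described above, run over constructed sample lines rather than a real capture; the hostname, UIDs, PIDs and the list of binaries to flag are assumptions.

```python
import re
from collections import Counter

# One syslog line as exec.c writes it (per its header): EXECVE(UID)[PID]: cmd args
EXECVE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: EXECVE\((?P<uid>\d+)\)\[(?P<pid>\d+)\]: (?P<cmdline>.*)$"
)

# Constructed sample log lines in the format above (not real captured data).
SAMPLE_LOG = """\
Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax
Nov 15 00:42:31 perly kernel: EXECVE(1000)[4840]: /bin/ls -la /tmp
Nov 15 00:42:35 perly kernel: EXECVE(1000)[4841]: /usr/bin/gcc -o x x.c
Nov 15 00:42:36 perly kernel: some other kernel message
Nov 15 00:42:40 perly kernel: EXECVE(1000)[4842]: /usr/bin/su
"""


def parse_execve_line(line):
    """Return a dict (ts, host, uid, pid, argv) for an EXECVE line, else None."""
    m = EXECVE_RE.match(line.rstrip("\n"))
    if not m:
        return None  # other kern.info traffic shares the file; skip it
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    rec["pid"] = int(rec["pid"])
    # exec.c joins argv with spaces, so an argument containing a space
    # cannot be recovered exactly; splitting on whitespace is the best we can do.
    rec["argv"] = rec.pop("cmdline").split()
    return rec


def parse_log(text):
    """Parse every EXECVE record in a block of syslog text, ignoring other lines."""
    return [r for r in (parse_execve_line(l) for l in text.splitlines()) if r]


def execs_by_uid(records):
    """Count exec() calls per UID, a quick view of who ran how much."""
    return Counter(r["uid"] for r in records)


def find_execs(records, binaries, exclude_uids=(0,)):
    """Records where a non-excluded UID executed one of the named binaries."""
    return [r for r in records
            if r["uid"] not in exclude_uids and r["argv"] and r["argv"][0] in binaries]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(execs_by_uid(recs)))
    for r in find_execs(recs, {"/usr/bin/su", "/usr/bin/gcc"}):
        print(f"uid={r['uid']} pid={r['pid']} ran {' '.join(r['argv'])}")
```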

