On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
>
> For a box that will have limited shell access, I'm looking for something
> that will log all commands. The sudo log is nice but not everything is run
> through sudo.
>
> There won't be many privacy issues as most users won't have shell.
>
> The goal is to review a daily report for anything unexpected: stuff like:
>
> tar -xzf rootkit.tar.gz

For several servers I maintain we took the bash code and hacked it to log
all commands, with usernames, to a log file. Yes, it's nosy. It's actually
called 'nosy bash' by us. It's not been sent to the bash maintainers at all
yet, but I could see if my coder can make a diff of it.

It's come in quite handy at times. Quite handy.

"I didn't do that!"
"Well, yes, you did. At 1:43:00 you typed 'rm -rf /'"
"No I didn't"
"Yes, see, it's in the logs."
"Oh.. ummm..."
<disable account>
"Bu bye".

I regularly grep the log for keywords or sometimes tail it if I'm suspicious
of someone. But for the most part, I don't ogle it constantly. Who has time
for that?

I'm also running grsec patches as well. Grsec didn't do the nosy bash like I
wanted, so I'm keeping the nosy bash.

j

--
==================================================
+ It's simply not       | John Keimel            +
+ RFC1149 compliant!    | [EMAIL PROTECTED]      +
+                       | http://www.keimel.com  +
==================================================