Also... a downside of capturing STDOUT (like with the script command) is that it has confidentiality issues with auditors. If confidential STDOUT data is captured for later review by staff (say... log review staff), then there is a greater risk of confidential (possibly classified) data being breached by a common vector.
Capturing STDIN and NOT STDOUT is an optimal control for accountability.

HTH
-Kevin

On Tue, Dec 6, 2011 at 12:29 AM, Edward Frye <[email protected]> wrote:
> In a previous life, I had a shell setup with something like
>
>     exec script -c "/bin/bash --login" -f -q /logs/script.$USER.`date +%y%m%dT%H%M%S`.log
>
> The "exec" exits the current shell when launching the "script" command, so when the person exits the "bash --login" they are logged out of the box.
>
> There is a problem with this, and that is if someone stays online for a long time and/or they cat/tail large files, their output log gets really big. But you can see everything they see.
>
> You could combine this with the syslog function, and see everything they see, and separately what they type on the command line.
>
> On Mon, Dec 5, 2011 at 5:29 PM, Jon Schipp <[email protected]> wrote:
>> Just for fun:
>>
>> Thought of this for a quick solution, but it would/could be defeated easily.
>>
>>     mkdir ~/.scripts
>>     echo 'script -q .scripts/$USER-`date +'%y-%m-%d_%M%S'`' >> ~/.profile
>>
>> or ~/.bash_profile and/or ~/.bashrc
>>
>> Script spawns a subshell, so they could just issue 'exit' or 'logout' and get back to the parent shell.
>> For that: alias exit='exit;exit' and alias logout='exit;exit'
>>
>> Probably have to do the same for ^D; not sure how you would do that, you may be able to set two control sequences with stty.
>>
>> You could probably set traps on the subshell so they can't use various control characters.
>>
>> On Tue, Nov 22, 2011 at 6:26 PM, Jim Halfpenny <[email protected]> wrote:
>>> You can also evade this by running commands from within another program such as vi or by using the perl or python interpreter. Process accounting will record the commands that were executed but not any of the arguments. Hooking the exec system call might be a nice way to capture activity. Just some thoughts.
>>>
>>> Cheers,
>>> Jim
>>>
>>> On 22 November 2011 22:20, Champ Clark III [Quadrant] <[email protected]> wrote:
>>>> Pretty cool. However, with the built-in bash syslog of history, there's no way to evade and no scripting is required. Of course, if you aren't using bash, then it really doesn't matter.
>>>>
>>>> Another point: when I do it with the built-in bash syslog of history, I make sure I don't have any other shells installed. It'd be trivial to evade if the user just runs ash/ksh/csh/tcsh :)
>>>>
>>>> On Nov 22, 2011, at 2:01 PM, Nils wrote:
>>>>
>>>> Thanks for your valuable feedback!
>>>> I got another neat approach off-list which I want to share with you:
>>>>
>>>> [Quote]
>>>> The step we use to pass that PCI requirement for Linux is to put the following inside of /etc/profile:
>>>>
>>>>     PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER "$(history 1)" | logger -p local2.info -t "shell_history"'
>>>>
>>>> logger being the transport to syslog/syslog-ng/rsyslog.
>>>> There are some sly tricks to evade it, but this will pass their requirement. Just make sure the syslogging facility you use is sending and logging it on a separate machine.
>>>> I prefer rsyslog.
>>>> [\Quote]
>>>>
>>>> Cheers,
>>>> Nils
>>>>
>>>> On 21.11.2011 17:03, Nils wrote:
>>>>
>>>> Hi guys,
>>>> I'm looking into solutions to comply with PCI DSS requirement 10.2.2 (Logging: All actions taken by any individual with root or administrative privileges), especially on Linux systems.
>>>> Therefore I've checked for ways to provide a shell which logs all actions taken.
>>>> I stumbled upon stuff like:
>>>>
>>>>     mkfifo myfifo; logger -f myfifo & script -f myfifo
>>>>     rootsh
>>>>     sudoshell (ss)
>>>>
>>>> What are your experiences in this realm?
>>>> The best solution would be something done with on-board means or a provided package of the Linux distribution, in this case Debian.
>>>>
>>>> Thanks!
>>>> Nils
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
>>>>
>>>> Champ Clark III
>>>> (office) 904.253.7856
>>>> (mobile) 850.443.2440
>>>> (SOC) 800.538.9357 ext 101
>>>> [email protected]
>>>> www.quadrantsec.com
>>
>> --
>> - Jon
>> --
>> ------------------------------------------------------------------
>>
>> VMB: 812-682-0231
>>
>> Dubois County Linux User Group - http://www.dclinux.org
>> Southern Indiana Computer Klub - http://sickbits.networklabs.org
>> Bloomington FOOLS - http://www.bloomingtonfools.org/
>> BloomingLabs - http://www.bloominglabs.org
>> ISSA-Kentuckiana - http://issa-kentuckiana.org
>>
>> GPG Key ID: 810903CB
>> Key fingerprint = 0069 ED69 EABB DF84 5983 AD3C 6C20 BEFD 8109 03CB
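Added example, not from the thread or any of its posters: two checks a log reviewer can run over the "shell_history" syslog records produced by the PROMPT_COMMAND/logger approach Nils quotes above. It assumes that record layout (`<pid> <user>  <history_number>  <command>` after the `shell_history:` tag); the hostname, users and commands in the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Each record from the quoted
# PROMPT_COMMAND ends in: <pid> <user>  <history_number>  <command>.

# Constructed sample records: host, users and commands are made up.
SAMPLE_LOG='Dec  6 00:31:02 web01 shell_history: 4812 alice  101  ls -la /var/log
Dec  6 00:31:09 web01 shell_history: 4812 alice  102  sudo tail -n 50 /var/log/auth.log
Dec  6 00:31:40 web01 shell_history: 4812 alice  105  vi /etc/hosts
Dec  6 00:32:01 web01 shell_history: 4812 alice  106  python
Dec  6 00:33:15 web01 shell_history: 5190 bob  17  ksh
Dec  6 00:33:20 web01 shell_history: 5190 bob  18  cat /etc/passwd'

# Report every (pid, user) whose history number jumps by more than one
# between consecutive records. PROMPT_COMMAND fires once per prompt, so a
# jump means commands reached the shell but never reached the log.
# Caveat: HISTCONTROL=ignoredups repeats a number; that is not a gap.
history_gaps() {
  awk '
    /shell_history:/ {
      for (i = 1; i <= NF; i++) if ($i == "shell_history:") break
      pid = $(i + 1); user = $(i + 2); num = $(i + 3) + 0
      key = pid " " user
      if (key in last && num > last[key] + 1)
        printf "gap pid=%s user=%s %d -> %d\n", pid, user, last[key], num
      last[key] = num
    }'
}

# Report records whose command is one of the programs the thread names as
# a way out of the logging shell (editors, interpreters, other shells):
# anything typed inside them never returns to a bash prompt to be logged.
interpreter_spawns() {
  awk '
    BEGIN {
      split("vi vim perl python ash ksh csh tcsh sh bash dash zsh", w, " ")
      for (j in w) watch[w[j]] = 1
    }
    /shell_history:/ {
      for (i = 1; i <= NF; i++) if ($i == "shell_history:") break
      cmd = $(i + 4)
      sub(/.*\//, "", cmd)   # /usr/bin/python -> python
      if (cmd in watch) print
    }'
}

printf '%s\n' "$SAMPLE_LOG" | history_gaps
printf '%s\n' "$SAMPLE_LOG" | interpreter_spawns
```

On a real host, replace the sample with `grep shell_history: /var/log/syslog` (or the file rsyslog writes for the local2 facility) piped into the same functions; records for the same pid/user should be read in time order for the gap check to hold.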
