Re: command logging
On Wed, Oct 29, 2003 at 05:49:49PM +0200, ? ? wrote:
> On Wed, 2003-10-29 at 07:11, John Keimel wrote:
>
> What if the user compiles zsh (or there is something similar) and uses
> it? Or finds a way that doesn't use bash to execute his commands?
>
> I've thought of doing something like this in the ssh server, but ended
> up implementing it in the ssh client, because of the requirements...

Yes, they could, but some of the things I'm looking for are tarballs of
other shells. The vast majority of the users are non-sophisticates when
it comes to the shell and it's not common knowledge that I log every
command. There's a warning on login that "we reserve the right to
log..." to cover ourselves (i.e. it covers the 'notify person of
monitoring' requirement legally).

It's not a foolproof system, but it's better than nothing. We also had a
pcsh version.

j

--
=======================================================
+ It's simply not      | John Keimel                  +
+ RFC1149 compliant!   | [EMAIL PROTECTED]            +
+                      | http://www.keimel.com        +
=======================================================
Re: command logging
On Wed, 2003-10-29 at 07:11, John Keimel wrote:
> For several servers I maintain we took the bash code and hacked it to
> log all commands, with usernames, to a log file. Yes, it's nosy. It's
> actually called 'nosy bash' by us. It's not been sent to the bash
> maintainers at all yet, but I could see if my coder can make a diff of
> it.
>
> It's come in quite handy at times. Quite handy.
>
> "I didn't do that!"
> "Well, yes, you did. At 1:43:00 you typed 'rm -rf /'"
> "No I didn't"
> "Yes, see, it's in the logs."
> "Oh.. ummm..."
>
> "Bu bye".
>
> I regularly grep the log for keywords or sometimes tail it if I'm
> suspicious of someone. But for the most part, I don't ogle it
> constantly. Who has time for that?
>
> I'm also running grsec patches as well. Grsec didn't do the nosy bash
> like I wanted, so I'm keeping the nosy bash.

What if the user compiles zsh (or there is something similar) and uses
it? Or finds a way that doesn't use bash to execute his commands?

I've thought of doing something like this in the ssh server, but ended
up implementing it in the ssh client, because of the requirements...
Re: command logging
I found snoopy to be very helpful (and packaged in Debian). Example log:

Oct 29 10:57:05 onix snoopy[23669]: [arodrigo, uid:0 sid:15246]: ls -F -p -N --color=auto
Oct 29 10:57:49 onix snoopy[23688]: [arodrigo, uid:0 sid:15246]: cat /var/log/control
Oct 29 10:57:49 onix snoopy[23690]: [(null), uid:0 sid:15246]: grep arodrigo

I am sorry I can't come up with a better output example :-)

--
I don't think you trust in my self-righteous suicide
._System Of A Down_-_Chop Suey_.
RE: command logging
If your programmer gives you the diff could you please send it to me
too?

Thank you.
Eddy Petrisor

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 29, 2003 7:29 AM
> To: Dan MacNeil; debian-isp@lists.debian.org
> Subject: Re: command logging
>
> On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
> >
> > For a box that will have limited shell access, I'm looking for something
> > that will log all commands. The sudo log is nice but not everything is run
> > through sudo.
> >
> > There won't be many privacy issues as most users won't have shell.
> >
> > The goal is to review a daily report for anything unexpected: stuff like:
> >
> > tar -xzf rootkit.tar.gz
>
> For several servers I maintain we took the bash code and hacked it to
> log all commands, with usernames, to a log file. Yes, it's nosy. It's
> actually called 'nosy bash' by us. It's not been sent to the bash
> maintainers at all yet, but I could see if my coder can make a diff of
> it.
>
> It's come in quite handy at times. Quite handy.
>
> "I didn't do that!"
> "Well, yes, you did. At 1:43:00 you typed 'rm -rf /'"
> "No I didn't"
> "Yes, see, it's in the logs."
> "Oh.. ummm..."
>
> "Bu bye".
>
> I regularly grep the log for keywords or sometimes tail it if I'm
> suspicious of someone. But for the most part, I don't ogle it
> constantly. Who has time for that?
>
> I'm also running grsec patches as well. Grsec didn't do the nosy bash
> like I wanted, so I'm keeping the nosy bash.
>
> j
>
> --
> =======================================================
> + It's simply not      | John Keimel                  +
> + RFC1149 compliant!   | [EMAIL PROTECTED]            +
> +                      | http://www.keimel.com        +
> =======================================================
Re: command logging
On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
>
> For a box that will have limited shell access, I'm looking for something
> that will log all commands. The sudo log is nice but not everything is run
> through sudo.
>
> There won't be many privacy issues as most users won't have shell.
>
> The goal is to review a daily report for anything unexpected: stuff like:
>
> tar -xzf rootkit.tar.gz

For several servers I maintain we took the bash code and hacked it to
log all commands, with usernames, to a log file. Yes, it's nosy. It's
actually called 'nosy bash' by us. It's not been sent to the bash
maintainers at all yet, but I could see if my coder can make a diff of
it.

It's come in quite handy at times. Quite handy.

"I didn't do that!"
"Well, yes, you did. At 1:43:00 you typed 'rm -rf /'"
"No I didn't"
"Yes, see, it's in the logs."
"Oh.. ummm..."

"Bu bye".

I regularly grep the log for keywords or sometimes tail it if I'm
suspicious of someone. But for the most part, I don't ogle it
constantly. Who has time for that?

I'm also running grsec patches as well. Grsec didn't do the nosy bash
like I wanted, so I'm keeping the nosy bash.

j

--
=======================================================
+ It's simply not      | John Keimel                  +
+ RFC1149 compliant!   | [EMAIL PROTECTED]            +
+                      | http://www.keimel.com        +
=======================================================
Re: command logging
A couple of ideas spring to mind.

The first and easiest to implement is process accounting. It can be
turned on within the kernel, BSD Process Accounting under General Setup.
The drawback there is that you don't get command line arguments.

Another option would be the logging that comes with something like the
GrSecurity kernel patch.

http://www.grsecurity.net/

If you're going to be allowing shell access you'll probably want
something like grsec anyway, among other things.

Hope that helps.

Steve

On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
>
> For a box that will have limited shell access, I'm looking for something
> that will log all commands. The sudo log is nice but not everything is run
> through sudo.
>
> There won't be many privacy issues as most users won't have shell.
>
> The goal is to review a daily report for anything unexpected: stuff like:
>
> tar -xzf rootkit.tar.gz
command logging
For a box that will have limited shell access, I'm looking for something
that will log all commands. The sudo log is nice but not everything is run
through sudo.

There won't be many privacy issues as most users won't have shell.

The goal is to review a daily report for anything unexpected: stuff like:

tar -xzf rootkit.tar.gz
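The daily review Dan asks for, run over log lines in the shape snoopy writes (the format shown in the snoopy post earlier in the thread), as an added example that is not part of the thread and not snoopy's own code. Only the first three sample lines come from that post; the host name 'onix' on the rest, the extra sample lines, the regex and the flagging rules are constructed for this illustration. The rules cover the three things the thread itself worries about: a rootkit tarball, a tarball of another shell (the zsh bypass raised above), and a privileged destructive command.

```python
"""Daily command-log review over snoopy-format syslog lines.

Added example for the thread, not from the original posts or from snoopy.
Sample lines after the first three are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log: the three lines from the snoopy post, plus
# lines that exercise each rule below and one benign command.
SAMPLE_LOG = """\
Oct 29 10:57:05 onix snoopy[23669]: [arodrigo, uid:0 sid:15246]: ls -F -p -N --color=auto
Oct 29 10:57:49 onix snoopy[23688]: [arodrigo, uid:0 sid:15246]: cat /var/log/control
Oct 29 10:57:49 onix snoopy[23690]: [(null), uid:0 sid:15246]: grep arodrigo
Oct 29 11:02:10 onix snoopy[23701]: [bob, uid:1001 sid:15300]: tar -xzf zsh-4.1.1.tar.gz
Oct 29 11:03:44 onix snoopy[23710]: [bob, uid:1001 sid:15300]: tar -xzf rootkit.tar.gz
Oct 29 11:05:00 onix snoopy[23722]: [bob, uid:0 sid:15300]: rm -rf /
Oct 29 11:06:12 onix snoopy[23730]: [alice, uid:1002 sid:15400]: vim notes.txt
"""

# Regex written against the sample format above (an assumption about
# the exact layout; adjust if your snoopy version logs differently).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[(?P<login>[^,]+), uid:(?P<uid>\d+) sid:(?P<sid>\d+)\]: (?P<cmd>.*)$"
)

# Flagging rules: (label, regex over the command string). Constructed
# for the illustration; extend with your own keywords.
RULES = [
    ("rootkit tarball",
     re.compile(r"\brootkit\S*\.(?:tar\.gz|tgz|tar)\b", re.I)),
    ("shell tarball (possible logging bypass)",
     re.compile(r"\b(?:zsh|tcsh|ksh|busybox)\S*\.(?:tar\.gz|tgz|tar)\b", re.I)),
    ("destructive rm of /",
     re.compile(r"\brm\s+-[a-zA-Z]*[rR][a-zA-Z]*\s+/\s*$")),
]


def parse(line):
    """Return a dict of fields for one snoopy line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "sid"):
        rec[key] = int(rec[key])
    return rec


def review(log_text):
    """Summarise a day's log: flagged commands, root use by non-root logins,
    command counts per login, and lines that did not parse."""
    flagged = []                       # (ts, login, uid, cmd, [labels])
    root_sessions = defaultdict(set)   # login -> {sid} where uid 0 appeared
    per_user = defaultdict(int)
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            unparsed += 1
            continue
        per_user[rec["login"]] += 1
        # uid 0 under a login other than root means the command ran as
        # root from that account (su, sudo, setuid), worth listing daily.
        if rec["uid"] == 0 and rec["login"] != "root":
            root_sessions[rec["login"]].add(rec["sid"])
        labels = [label for label, rx in RULES if rx.search(rec["cmd"])]
        if labels:
            flagged.append((rec["ts"], rec["login"], rec["uid"], rec["cmd"], labels))
    return {"flagged": flagged, "root_sessions": dict(root_sessions),
            "per_user": dict(per_user), "unparsed": unparsed}


def format_report(summary):
    """Render the summary as the plain-text daily report."""
    lines = ["== flagged commands =="]
    for ts, login, uid, cmd, labels in summary["flagged"]:
        lines.append("%s %s(uid %d): %s  <- %s" % (ts, login, uid, cmd, ", ".join(labels)))
    lines.append("== root activity by non-root logins ==")
    for login, sids in sorted(summary["root_sessions"].items()):
        lines.append("%s: sessions %s" % (login, ", ".join(str(s) for s in sorted(sids))))
    lines.append("== commands per login ==")
    for login, n in sorted(summary["per_user"].items()):
        lines.append("%s: %d" % (login, n))
    if summary["unparsed"]:
        lines.append("(%d lines did not parse)" % summary["unparsed"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review(SAMPLE_LOG)))
```

Run it against a day's extract of the syslog file snoopy writes to and mail the output. One caveat worth keeping in mind when reading the report: snoopy records program executions through an LD_PRELOAD wrapper around execve(), so it sees commands whichever shell launched them, but it does not see shell builtins, and a statically linked binary or a process started with LD_PRELOAD cleared escapes it. The "(null)" login in the third sample line also shows that the login name is not always available, so keep the uid column as the authoritative identity.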