commandlogging

2001-03-05 Thread Niklas Höglund
Hi!
I've heard that there is a kernel module that logs all commands executed
on a machine. Anyone know where to find it?

Or maybe someone has some other idea, how to log all commands exec...?

-- 
//Regards,
Niklas Höglund
echo 'Win CE, Win ME, Win NT' | sed 's/.in//g;s/,//g;s/ //g'



Re: commandlogging

2001-03-05 Thread Miguel Ángel Varó Giner
Niklas Höglund wrote:
 
 Hi!
 I've heard that there is a kernel module that logs all commands executed
 on a machine. Anyone know where to find it?
 
 Or maybe someone has some other idea, how to log all commands exec...?
 
 --
 //Regards,
 Niklas Höglund
 echo 'Win CE, Win ME, Win NT' | sed 's/.in//g;s/,//g;s/ //g'
 
 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

You can see all commands executed using 'lastcomm' (in the 'acct' package).

--
Miguel Ángel Varó
http://www.dlsi.ua.es/



Re: commandlogging

2001-03-05 Thread Izak Burger
I think you're thinking about BSD process accounting.  It provides a way
to tell the kernel to write process information to a file.  I have never
worked with it before, but now you have a bit more to go on :)

regards,
Izak Burger

On Mon, 5 Mar 2001, Miguel Ángel Varó Giner wrote:

 Niklas Höglund wrote:
  
  Hi!
  I've heard that there is a kernel module that logs all commands executed
  on a machine. Anyone know where to find it?
  
  Or maybe someone has some other idea, how to log all commands exec...?
  
  --
  //Regards,
  Niklas Höglund
  echo 'Win CE, Win ME, Win NT' | sed 's/.in//g;s/,//g;s/ //g'
  
 
 You can see all commands executed using 'lastcomm' (in the 'acct' package).
 
 --
 Miguel Ángel Varó
 http://www.dlsi.ua.es/
 
 
 
 

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Izak Burger ([EMAIL PROTECTED])
http://www.linuxuser.co.za/
Tel. +27 21 808 4863
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Every time Microsoft use the word "smart," look out for something dumb.



Re: commandlogging

2001-03-05 Thread Kristian F. Høgh
Hi.

Install acct-*.deb, then you can start accounting with
# accton /var/log/pacct

sa shows statistics per day/month ...
# sa -m | cut -c 1-10,37-
kfh 560 5937.27re 1.56cp 0avio 350k
user  cmd  clock-time  cpu  i/o  mem

Another one to try..
lastcomm [user] [command]

Accounting is not audit. You will see the command only (and statistics), no
arguments.

Kristian Høgh.


Izak Burger wrote:

 I think you're thinking about BSD process accounting.  It provides a way
 to tell the kernel to write process information to a file.  I have never
 worked with it before, but now you have a bit more to go on :)

 regards,
 Izak Burger

 On Mon, 5 Mar 2001, Miguel Ángel Varó Giner wrote:

  Niklas Höglund wrote:
  
   Hi!
   I've heard that there is a kernel module that logs all commands executed
   on a machine. Anyone know where to find it?
  
   Or maybe someone has some other idea, how to log all commands exec...?
  
   --
   //Regards,
   Niklas Höglund
   echo 'Win CE, Win ME, Win NT' | sed 's/.in//g;s/,//g;s/ //g'
  
 
  You can see all commands executed using 'lastcomm' (in the 'acct' package).
 
  --
  Miguel Ángel Varó
  http://www.dlsi.ua.es/
 
 
 
 

 --
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Izak Burger ([EMAIL PROTECTED])
 http://www.linuxuser.co.za/
 Tel. +27 21 808 4863
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Every time Microsoft use the word "smart," look out for something dumb.

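The records that accton(8) switches on, and that sa and lastcomm read back, are fixed-size binary structs. What follows is an added example, not code from this thread or from the acct package, that decodes them and makes the last point above concrete: a record carries a 15-character task name, a few flag bits and resource counters, but no path and no arguments. It assumes the 64-byte struct acct_v3 layout from include/uapi/linux/acct.h that current kernels write (the 2001-era kernels in the thread wrote the narrower v1/v2 struct with the same fields); the sample accounting file is constructed inline.

```python
"""Decode the process-accounting file that accton(8) switches on.

Added example, not code from this thread or from the acct package. It
assumes the 64-byte struct acct_v3 layout from include/uapi/linux/acct.h
that current kernels write (the 2001-era kernels in the thread wrote the
narrower v1/v2 struct, with the same fields). The sample file is constructed
inline, so this runs without root, accton or a real /var/log/pacct.
"""
import struct
import time

ACCT_COMM = 16                      # ac_comm[16]: at most 15 characters plus NUL
AHZ = 100                           # time fields are counted in 1/100 s ticks
ACCT_V3 = "<ccHIIIIIIfHHHHHHHH16s"  # flag, version, tty, exitcode, uid, gid, pid,
                                    # ppid, btime, etime, 8 x comp_t, comm
RECORD_SIZE = struct.calcsize(ACCT_V3)   # 64

# ac_flag bits (same meanings as on BSD; lastcomm prints them as F, S, D, X)
AFORK, ASU, ACORE, AXSIG = 0x01, 0x02, 0x08, 0x10


def comp_t_decode(c):
    """comp_t is a 16-bit float: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * ((c >> 13) & 0x7))


def comp_t_encode(value):
    """Inverse of comp_t_decode; rounds down like the kernel's encode_comp_t()."""
    exp = 0
    while value > 0x1FFF:
        value >>= 3
        exp += 1
    if exp > 7:
        raise OverflowError("value does not fit in a comp_t")
    return (exp << 13) | value


def pack_record(comm, uid, pid, ppid, btime, etime_ticks, utime_ticks, stime_ticks, flags=0):
    """One acct_v3 record as the kernel appends it when the process exits.

    Only the task name goes in: no path, no arguments, and it is cut to 15
    characters exactly like current->comm.
    """
    name = comm.encode()[:ACCT_COMM - 1].ljust(ACCT_COMM, b"\0")
    return struct.pack(ACCT_V3, bytes([flags]), b"\x03", 0, 0, uid, 0, pid, ppid, btime,
                       float(etime_ticks),
                       comp_t_encode(utime_ticks), comp_t_encode(stime_ticks),
                       0, 0, 0, 0, 0, 0, name)


def parse_pacct(data):
    """Yield one dict per complete record; a trailing partial record is skipped."""
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        f = struct.unpack_from(ACCT_V3, data, off)
        flags = f[0][0]
        yield {
            "comm": f[18].split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": f[4], "pid": f[6], "ppid": f[7],
            "start": f[8],                         # ac_btime: seconds since the epoch
            "elapsed_s": f[9] / AHZ,
            "user_s": comp_t_decode(f[10]) / AHZ,
            "sys_s": comp_t_decode(f[11]) / AHZ,
            "fork_only": bool(flags & AFORK),      # forked, exited without exec
            "superuser": bool(flags & ASU),        # ran with superuser privileges
            "core": bool(flags & ACORE),
            "signalled": bool(flags & AXSIG),
        }


def lastcomm_like(data):
    """Render records roughly the way lastcomm(1) does, in exit order."""
    lines = []
    for r in parse_pacct(data):
        letters = "".join(ch for ch, on in (("F", r["fork_only"]), ("S", r["superuser"]),
                                            ("D", r["core"]), ("X", r["signalled"])) if on)
        lines.append("%-16s %-4s uid=%-5d %8.2f secs %s" % (
            r["comm"], letters, r["uid"], r["user_s"] + r["sys_s"],
            time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(r["start"]))))
    return lines


# Constructed sample: three process exits, as the kernel would append them.
SAMPLE_PACCT = b"".join([
    pack_record("ls", 1000, 4242, 4200, 1_000_000_000, 12, 3, 1),
    pack_record("my_very_long_program_name", 1000, 4243, 4200, 1_000_000_010,
                250_000, 200_000, 5_000),
    pack_record("passwd", 1000, 4244, 4200, 1_000_000_020, 600, 2, 3, flags=ASU),
])

if __name__ == "__main__":
    # Real use: lastcomm_like(open("/var/log/pacct", "rb").read())
    for line in lastcomm_like(SAMPLE_PACCT):
        print(line)
```

Two things to keep in mind when reading a real file this way: the kernel writes a record only when the process exits, so the file is in exit order (sort on the start key to recover launch order) and a long-running or never-exiting process is not in it at all; and the name field is whatever current->comm held at exit, so a program that renames itself, or one with a name longer than 15 characters, appears under something other than what was typed.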



Re: commandlogging

2001-03-05 Thread Chris Niekel
On Mon, Mar 05, 2001 at 12:18:38PM +0200, Izak Burger wrote:
 I think you're thinking about BSD process accounting.  It provides a way
 to tell the kernel to write process information to a file.  I have never
 worked with it before, but now you have a bit more to go on :)

accton(8), sa(8) et al, are in the debian 'acct' package.

Greetings,
Chris Niekel



Re: commandlogging

2001-03-05 Thread Steve M. Robbins
On Mon, Mar 05, 2001 at 10:25:21AM +0100, Niklas Höglund wrote:
 Hi!
 I've heard that there is a kernel module that logs all commands executed
 on a machine. Anyone know where to find it?
 
 Or maybe someone has some other idea, how to log all commands exec...?

There is a package "snoopy" that uses a preloaded shared library to
log each "exec()" call before performing it.  If it is not yet in
Debian, you can get a package from

deb-src http://www.punknews.org/debian ./

-Steve



Re: commandlogging

2001-03-05 Thread Peter Cordes
On Mon, Mar 05, 2001 at 09:12:36AM -0500, Steve M. Robbins wrote:
 There is a package "snoopy" that uses a preloaded shared library to
 log each "exec()" call before performing it.  If it is not yet in
 Debian, you can get a package from
 
   deb-src http://www.punknews.org/debian ./

If someone wanted to, they could run commands without them getting logged
by snoopy.  All you need to do is statically link the program that calls exec.
It would probably be easy to put a printk in the kernel's execve() handler,
though, and AFAIK that would get everything.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
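The static-linking bypass is easy to look for. A preloaded library is mapped by the dynamic loader, and the kernel hands a program to the loader only when it has a PT_INTERP program header; a static binary has none (a static-PIE has PT_DYNAMIC but still no PT_INTERP and relocates itself), so nothing preloaded ever wraps its exec() calls. The following added example, not code from this thread or from snoopy, classifies ELF64 images by their program headers so you can list the executables a preload-based logger cannot see. The sample images and paths (for instance /tmp/.x/busybox) are constructed inline for the demonstration.

```python
"""List executables that an LD_PRELOAD-based logger such as snoopy cannot wrap.

Added example, not code from the thread or from snoopy. A preloaded library
is mapped by the dynamic loader, and the kernel only invokes the loader for
programs with a PT_INTERP program header. A static binary has none (a
static-PIE has PT_DYNAMIC but no PT_INTERP and relocates itself), so its
exec() calls never pass through the hook. The sample images below are
constructed inline (ELF headers only, no code), so this runs offline.
"""
import os
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_PHDR = 1, 2, 3, 6
EHDR64 = "<4sBBBBB7xHHIQQQIHHHHHH"   # e_ident[16] then e_type .. e_shstrndx (64 bytes)
PHDR64 = "<IIQQQQQQ"                # p_type, p_flags, offset, vaddr, paddr, filesz, memsz, align


def classify_elf(data):
    """'dynamic', 'static' or 'static-pie' for an ELF64 little-endian executable;
    None for anything else (not ELF, other class/endianness, relocatable, truncated)."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return None
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        return None                  # example limited to ELF64 LE (x86-64, aarch64, ...)
    hdr = struct.unpack_from(EHDR64, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[6], hdr[10], hdr[14], hdr[15]
    if e_type not in (ET_EXEC, ET_DYN) or e_phentsize < 56:
        return None
    has_interp = has_dynamic = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            return None              # truncated program header table
        p_type = struct.unpack_from(PHDR64, data, off)[0]
        has_interp = has_interp or p_type == PT_INTERP
        has_dynamic = has_dynamic or p_type == PT_DYNAMIC
    if has_interp:
        return "dynamic"
    return "static-pie" if has_dynamic else "static"


def classify_file(path):
    """Classify a file on disk, reading only the ELF header and program header table."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
            if len(head) < 64 or head[:4] != ELF_MAGIC or head[4] != ELFCLASS64:
                return None
            hdr = struct.unpack_from(EHDR64, head, 0)
            e_phoff, table = hdr[10], hdr[14] * hdr[15]
            if e_phoff < 64 or table > (1 << 20):
                return None          # malformed: table before header, or absurdly large
            return classify_elf(head + fh.read(e_phoff + table - 64))
    except OSError:
        return None


def preload_blind_spots(images):
    """images: {path: bytes}. Paths an LD_PRELOAD hook would never see."""
    return sorted(p for p, d in images.items()
                  if classify_elf(d) in ("static", "static-pie"))


def make_elf(phdr_types, e_type=ET_EXEC):
    """Constructed ELF64 image: header plus program headers, no segments or code."""
    ehdr = struct.pack(EHDR64, ELF_MAGIC, ELFCLASS64, ELFDATA2LSB, 1, 0, 0,
                       e_type, 62, 1, 0x401000, 64, 0, 0, 64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack(PHDR64, t, 4, 0, 0, 0, 0, 0, 8) for t in phdr_types)
    return ehdr + phdrs


# Constructed sample "filesystem": paths and contents are made up for the demo.
SAMPLE_FILES = {
    "/usr/bin/ls": make_elf([PT_PHDR, PT_INTERP, PT_LOAD, PT_DYNAMIC], ET_DYN),
    "/tmp/.x/busybox": make_elf([PT_LOAD, PT_LOAD]),
    "/opt/tool": make_elf([PT_LOAD, PT_DYNAMIC], ET_DYN),
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:            # real use: python3 this.py /usr/bin /usr/sbin /tmp
        for root in sys.argv[1:]:
            for d, _, files in os.walk(root):
                for f in files:
                    p = os.path.join(d, f)
                    if os.access(p, os.X_OK) and not os.path.islink(p):
                        kind = classify_file(p)
                        if kind in ("static", "static-pie"):
                            print(kind, p)
    else:
        for path in preload_blind_spots(SAMPLE_FILES):
            print(classify_elf(SAMPLE_FILES[path]), path)
```

Shared libraries are also ET_DYN without PT_INTERP, so a library that happens to carry the executable bit is reported as static-pie; scanning only program directories keeps the list meaningful. Anything on the list, plus any process that issues the execve system call directly instead of through libc, is invisible to a preload hook and is exactly what the kernel-side approach catches.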



Re: commandlogging

2001-03-05 Thread Jacob Kuntz
from the secret journal of Izak Burger ([EMAIL PROTECTED]):
 I think you're thinking about BSD process accounting.  It provides a way
 to tell the kernel to write process information to a file.  I have never
 worked with it before, but now you have a bit more to go on :)

almost. since bsd process accounting only comes into effect when a process
exits, a trojan could exec("/bin/ls") and escape being logged. (IIRC)

-- 
Jacob Kuntz
[EMAIL PROTECTED]
http://underworld.net/~jake