
RE: command logging



If your programmer gives you the diff could you please send it to me too?

Thank you.

Eddy Petrisor
> -----Original Message-----
> From: john@keimel.com [mailto:john@keimel.com]
> Sent: Wednesday, October 29, 2003 7:29 AM
> To: Dan MacNeil; debian-isp@lists.debian.org
> Subject: Re: command logging
> 
> On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
> >
> > For a box that will have limited shell access, I'm looking for something
> > that will log all commands. The sudo log is nice but not everything is run
> > through sudo.
> >
> > There won't be many privacy issues as most users won't have shell.
> >
> > The goal is to review a daily report for anything unexpected: stuff like:
> >
> > tar -xzf rootkit.tar.gz
> 
> For several servers I maintain we took the bash code and hacked it to
> log all commands, with usernames, to a log file. Yes, it's nosy. It's
> actually called 'nosy bash' by us. It's not been sent to the bash
> maintainers at all yet, but I could see if my coder can make a diff of
> it.
> 
> It's come in quite handy at times. Quite handy.
> 
> "I didn't do that!"
> "Well, yes, you did. At 1:43:00 you typed 'rm -rf /'"
> "No I didn't"
> "Yes, see, it's in the logs."
> "Oh.. ummm..."
> <disable account>
> "Bu bye".
> 
> I regularly grep the log for keywords or sometimes tail it if I'm
> suspicious of someone. But for the most part, I don't ogle it
> constantly. Who has time for that?
> 
> I'm also running grsec patches as well. Grsec didn't do the nosy bash
> like I wanted, so I'm keeping the nosy bash.
> 
> j
> 
> --
> 
> ==================================================
> + It's simply not       | John Keimel            +
> + RFC1149 compliant!    | john@keimel.com        +
> +                       | http://www.keimel.com  +
> ==================================================


