
Re: command logging



On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
> 
> For a box that will have limited shell access, I'm looking for something
> that will log all commands. The sudo log is nice but not everything is run
> through sudo.
> 
> There won't be many privacy issues as most users won't have shell.
> 
> The goal is to review a daily report for anything unexpected: stuff like:
> 
> tar -xzf rootkit.tar.gz

For several servers I maintain we took the bash code and hacked it to
log all commands, with usernames, to a log file. Yes, it's nosy. It's
actually called 'nosy bash' by us. It's not been sent to the bash
maintainers at all yet, but I could see if my coder can make a diff of
it. 

It's come in quite handy at times. Quite handy.

"I didn't do that!"
"Well, yes, you did. At 1:43:00 you typed 'rm -rf /' "
"No I didn't"
"Yes, see, it's in the logs." 
"Oh.. ummm..."
<disable account>
"Bu bye".

I regularly grep the log for keywords or sometimes tail it if I'm
suspicious of someone. But for the most part, I don't ogle it
constantly. Who has time for that? 

I'm also running grsec patches as well. Grsec didn't do the nosy bash
like I wanted, so I'm keeping the nosy bash. 

j

-- 

==================================================
+ It's simply not       | John Keimel            +
+ RFC1149 compliant!    | john@keimel.com        +
+                       | http://www.keimel.com  +
==================================================
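The reply above describes two things: a patched bash that writes every command with the username to a log file, and a routine grep of that log for keywords. The script below is an added example, not John Keimel's "nosy bash" patch and not code from the list. It approximates the logging in userland with a bash DEBUG trap (a patched binary is harder for the user to switch off) and implements the keyword sweep as a daily report. The log path `NOSY_LOG`, the record layout and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: userland approximation of per-user command logging plus the
# keyword review described in the thread. Not the original "nosy bash" patch.

# Assumed log location; the patched bash in the thread chose its own path.
NOSY_LOG="${NOSY_LOG:-/var/log/nosy.log}"

# One record: timestamp, login name, tty, cwd, command. Fields are tab-separated
# so that a command containing spaces stays in one field (the last one).
nosy_format() {
    # $1 timestamp  $2 user  $3 tty  $4 cwd  $5 command
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Append the command that is about to run. Intended to be called from the
# bash DEBUG trap; id -un is used rather than $USER because $USER is user-settable.
nosy_log() {
    nosy_format "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
        "$(tty 2>/dev/null || echo notty)" "$PWD" "$1" >> "$NOSY_LOG"
}

# Installation (bash only), e.g. from /etc/bash.bashrc:
#   trap 'nosy_log "$BASH_COMMAND"' DEBUG
# A shell user can remove the trap or truncate a file they can write, which is
# why the thread patched the bash binary itself; appending via logger(1) to a
# remote syslog host keeps the record out of the user's reach.

# Daily report: records from one day (YYYY-MM-DD) whose command field matches
# an extended regex. Matching only the command field avoids false hits when a
# username or directory happens to contain the keyword.
nosy_report() {
    # $1 log file  $2 day  $3 keyword pattern (ERE)
    grep "^$2" "$1" | awk -F'\t' -v pat="$3" '$5 ~ pat'
}

# Example run, mirroring the "daily report" goal from the question:
#   nosy_report /var/log/nosy.log "$(date -u +%Y-%m-%d)" 'rootkit|rm -rf /|nc -l'
```

Run the report from cron once a day and mail the output; an empty report is the normal case, and a non-empty one names the user, tty and working directory next to the command that tripped the pattern.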


