Re: command logging
On Tue, Oct 28, 2003 at 10:56:53PM -0500, Dan MacNeil wrote:
>
> For a box that will have limited shell access, I'm looking for something
> that will log all commands. The sudo log is nice but not everything is run
> through sudo.
>
> There won't be many privacy issues as most users won't have shell.
>
> The goal is to review a daily report for anything unexpected: stuff like:
>
> tar -xzf rootkit.tar.gz
For several servers I maintain we took the bash code and hacked it to
log all commands, with usernames, to a log file. Yes, it's nosy. It's
actually called 'nosy bash' by us. It's not been sent to the bash
maintainers at all yet, but I could see if my coder can make a diff of
it.
It's come in quite handy at times. Quite handy.
"I didn't do that!"
"Well, yes, you did. At 1:43:00 you type 'rm -rf /' "
"No I didn't"
"Yes, see, it's in the logs."
"Oh.. ummm..."
<disable account>
"Bu bye".
I regularly grep the log for keywords or sometimes tail it if I'm
suspicious of someone. But for the most part, I don't ogle it
constantly. Who has time for that?
I'm also running grsec patches as well. Grsec didn't do the nosy bash
like I wanted, so I'm keeping the nosy bash.
j
--
==================================================
+ It's simply not | John Keimel +
+ RFC1149 compliant! | john@keimel.com +
+ | http://www.keimel.com +
==================================================
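The daily keyword review both posters describe, as an added example that is not part of the thread and not the "nosy bash" patch itself: the per-command log format (timestamp, username, command) and the sample entries are constructed assumptions, since the posts never show the real file layout.

```shell
#!/bin/sh
# Constructed sample of a per-command log in the shape the reply describes:
# date, time, username, then the command line. The field layout is an
# assumption; the real "nosy bash" format is not shown in the thread.
LOG_FILE="${TMPDIR:-/tmp}/nosy_bash_sample.log"
cat > "$LOG_FILE" <<'EOF'
2003-10-28 22:01:12 alice ls -la /home/alice
2003-10-28 22:03:40 bob tar -xzf rootkit.tar.gz
2003-10-28 22:05:09 alice vi notes.txt
2003-10-29 01:43:00 bob rm -rf /
2003-10-29 01:44:15 bob history -c
EOF

# Keyword list for the daily review, one extended regex per line.
# Illustrative only; tune it to what is "unexpected" on the box in question.
PATTERN_FILE="${TMPDIR:-/tmp}/nosy_bash_patterns.txt"
cat > "$PATTERN_FILE" <<'EOF'
rootkit
rm -rf /( |$)
history -c
EOF

# Print every logged command matching a suspect pattern, keeping the user
# and timestamp so each hit can be followed up with the account owner.
daily_report() {
    logfile="$1"
    grep -E -f "$PATTERN_FILE" "$logfile"
}

# Number of flagged entries for one user: the "yes, you did, it's in the
# logs" question from the reply, answered from the same file.
flagged_for_user() {
    logfile="$1"
    user="$2"
    daily_report "$logfile" | awk -v u="$user" '$3 == u' | wc -l | tr -d ' '
}

daily_report "$LOG_FILE"
```

Run daily_report from cron and mail its output to get the daily report the original poster asked for; an empty report is the normal case.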