Gentoo Archives: gentoo-server

From: Jason Qualkenbush <Jason.Qualkenbush@××××××××××.com>
To: gentoo-server@l.g.o
Subject: RE: [gentoo-server] Root commands > syslog
Date: Thu, 17 Jun 2004 16:47:33
Message-Id: 77f88cba1b410dbd2f6a80cbbd1f216640d1cb1d@watchguard.com
As far as logging commands once someone gets a root shell, I did find
some info (if anyone is interested). First, there was syscalltrack
(http://syscalltrack.sourceforge.net/index.html) which seems to work,
but looks to be more like a debugging tool.

I did find a bash shell patch called bash-bofh that logs all commands to
syslog. Though, the only pages I seem to find are hacker oriented
pages and the homepage seems to raise backdoor questions
(http://www.ccitt5.net). Still, the bash-bofh is the closest to what I
seek so far.

Anyone using a modified shell like this?

-Jason

-----Original Message-----
From: Jason Qualkenbush
Sent: Thursday, June 17, 2004 11:53 AM
To: gentoo-server@l.g.o
Subject: RE: [gentoo-server] Root commands > syslog

Ahhh! Got it. I should stop using "/bin/su -" and force sudo use
instead. It sounds more secure, gets what I want, and sounds like best
practice anyway. Thanks.

-Jason

-----Original Message-----
From: Dan Noe [mailto:dpn@×××××××××.net]
Sent: Thursday, June 17, 2004 11:47 AM
To: gentoo-server@l.g.o
Subject: Re: [gentoo-server] Root commands > syslog

On Thu, Jun 17, 2004 at 08:44:25AM -0700, Jason Qualkenbush wrote:
> Is there a way to get commands entered by root or even sudo commands
> into syslog? This way I can use syslog-ng to create a central log
> file for review or even use swatch to alert on suspicious commands.
> If the commands end up in the history file, there should be a way to
> get them into syslog, right? Or is this re-inventing the wheel?

Currently sudo commands are logged, like so:

Jun 17 11:45:31 threepwood sudo: dpn : TTY=pts/1 ; PWD=/home/dpn ; USER=root ; COMMAND=/usr/bin/less /var/log/messages

Remember, however, that users with certain privileges can execute sudo
-s or sudo <shell> and get a shell. In this case, sudo will log
starting the shell but will not log any commands typed into it.

Dan

--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
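Dan's point is that sudo's own log line is the last thing you see once someone runs `sudo -s` or `sudo <shell>`, so the useful thing to watch for in a central syslog (the swatch-style alerting Jason asks about) is the moment a shell is started under sudo. The following is an added example, not code from anyone in this thread: it parses sudo log lines in the format Dan quoted and flags the ones whose COMMAND is a shell or `su`. The log lines below are constructed for the example; the assumption that `sudo -s` shows up as `COMMAND=/bin/bash` (sudo runs the caller's shell) is mine, not something stated in the thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Shape of the sudo syslog line quoted in the thread:
#   <timestamp> <host> sudo: <user> : TTY=<tty> ; PWD=<dir> ; USER=<target> ; COMMAND=<cmd>
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: +(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Interpreters that give an interactive session; commands typed into them are
# never seen by sudo, so the launch itself is the only thing that gets logged.
SHELLS = {"sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash"}

# Constructed sample log, in the format sudo writes to syslog (assumption:
# "sudo -s" appears as COMMAND=/bin/bash).  The first line is Dan's example.
SAMPLE_LOG = [
    "Jun 17 11:45:31 threepwood sudo: dpn : TTY=pts/1 ; PWD=/home/dpn ; USER=root ; COMMAND=/usr/bin/less /var/log/messages",
    "Jun 17 11:46:02 threepwood sudo: dpn : TTY=pts/1 ; PWD=/home/dpn ; USER=root ; COMMAND=/bin/bash",
    "Jun 17 11:47:15 threepwood sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 4022",
    "Jun 17 11:48:40 threepwood sudo: alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -",
]


@dataclass
class SudoEvent:
    ts: str
    host: str
    user: str      # who invoked sudo
    target: str    # the USER= field, i.e. who the command ran as
    cmd: str


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo log line, or None for any other line."""
    m = SUDO_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return SudoEvent(m["ts"], m["host"], m["user"], m["target"], m["cmd"])


def spawns_shell(cmd: str) -> bool:
    """True if the COMMAND field starts a shell (or su, which also ends in one)."""
    argv = cmd.split()
    if not argv:
        return False
    prog = argv[0].rsplit("/", 1)[-1]   # basename: /bin/bash -> bash
    return prog in SHELLS or prog == "su"


def find_shell_escalations(lines: Iterable[str]) -> List[SudoEvent]:
    """Filter a syslog stream down to sudo events that opened an unlogged shell."""
    hits = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is not None and spawns_shell(ev.cmd):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_shell_escalations(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host}: {ev.user} opened a shell as {ev.target}: {ev.cmd}")
```

Feeding the real `/var/log/messages` (or a syslog-ng pipe) through `find_shell_escalations` gives the alert condition; everything typed after such an event is invisible to sudo, which is why the thread ends up looking at a logging shell like bash-bofh for the remainder.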

Replies

Subject Author
Re: [gentoo-server] Root commands > syslog "Rev. Jeffrey Paul" <sneak@××××××××.net>
RE: [gentoo-server] Root commands > syslog Kashani <kashani-list@××××××××.net>