>I agree, the GRSec Kernel Auditing features work quite well and are just
>informative enough to give you the info you're looking for... :)
>
>
>
>>On Thu, Jun 17, 2004 at 09:47:25AM -0700, Jason Qualkenbush wrote:
>>
>>
>>>As far as logging commands once someone gets a root shell, I did find
>>>some info (if anyone is interested). First, there was syscalltrack
>>>(http://syscalltrack.sourceforge.net/index.html) which seems to work,
>>>but looks to be more like a debugging tool.
>>>
>>>I did find a bash shell patch called bash-bofh that logs all commands to
>>>syslog. Though, the only pages I seem to find are hacker-oriented
>>>pages and the homepage seems to raise backdoor questions
>>>(http://www.ccitt5.net). Still, bash-bofh is the closest to what I
>>>seek so far.
>>>
>>>
>>These methods, as well as the sudo one mentioned earlier in this thread,
>>are all unreliable.
>>
>>I assume most of you are already using the gentoo kernel or have
>>grsecurity patched into whatever other kernel you're using on your
>>servers; simply turn on exec and chdir logging.
>>
>>Example:
>>Jun 17 15:27:46 [kernel] grsec: exec of [03:03:207557] (tail current ) by
>>(bash:12670) UID(0) EUID(0), parent (bash:30029) UID(0) EUID(0)
>>
>>
>>
You may find this bash patch [bash-perassi.patch
<http://honeynet.org/tools/>] useful from http://honeynet.org/tools/.
It supports logging of keystrokes via UDP over the network.

But what if he switches to another shell like sash?

There is also a tool there called sebek
(http://honeynet.org/tools/sebek/faq.html) that can
capture all user activities. But I think this is overkill for your
intended purpose.


<http://honeynet.org/tools/dcapture/bash-perassi.patch>
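The grsec exec lines quoted in the thread are what you end up grepping through after the fact, and the kernel records them whichever shell the intruder switches to, which is the answer to the sash question above. As an added example, not from the thread and not from the grsecurity project, here is a small Python parser that turns such lines into events and applies two checks: which executions were shells (bash, sash or any other), and where a process running with euid 0 was launched from a non-root parent, i.e. the point at which su, sudo or a setuid helper handed out a root process, followed by an ancestry walk from a given pid back through its parents. The first sample line is the one quoted in the thread, re-joined onto one line; the remaining lines, the pids and the exact wording of the chdir line are constructed assumptions.

```python
import re

# Shells a freshly obtained root session might be switched into; the kernel
# logs the exec regardless of which one it is, unlike a patched bash.
SHELLS = {"sh", "bash", "sash", "dash", "ash", "zsh", "ksh", "csh", "tcsh"}

# grsecurity exec audit line, in the format quoted in the thread:
#   grsec: exec of [dev:dev:inode] (argv ) by (comm:pid) UID(n) EUID(n),
#   parent (comm:pid) UID(n) EUID(n)
# "comm" is the process name *before* the exec, so a shell running `tail`
# shows up as "by (bash:pid)". argv containing ')' would need stricter
# handling than this regex gives it.
EXEC_RE = re.compile(
    r"grsec: exec of \[(?P<inode>[^\]]+)\] \((?P<argv>[^)]*)\) by "
    r"\((?P<comm>[^:)]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>[^:)]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)"
)

# Constructed sample log. Line 1 is the line quoted in the thread; the rest
# are made up to show a user su'ing to root, switching to sash and reading
# /etc/shadow. The chdir line's wording is an assumption; the parser ignores
# any line that is not an exec record.
SAMPLE_LOG = """\
Jun 17 15:27:46 [kernel] grsec: exec of [03:03:207557] (tail current ) by (bash:12670) UID(0) EUID(0), parent (bash:30029) UID(0) EUID(0)
Jun 17 15:30:01 [kernel] grsec: exec of [03:03:207001] (-bash ) by (sshd:4410) UID(1000) EUID(1000), parent (sshd:4402) UID(0) EUID(0)
Jun 17 15:30:08 [kernel] grsec: exec of [03:03:118732] (su - ) by (bash:4415) UID(1000) EUID(1000), parent (bash:4410) UID(1000) EUID(1000)
Jun 17 15:30:11 [kernel] grsec: exec of [03:03:207001] (-bash ) by (su:4415) UID(0) EUID(0), parent (bash:4410) UID(1000) EUID(1000)
Jun 17 15:30:20 [kernel] grsec: exec of [03:03:209911] (sash ) by (bash:4420) UID(0) EUID(0), parent (bash:4415) UID(0) EUID(0)
Jun 17 15:30:25 [kernel] grsec: chdir to [03:03:2] (/etc) by (sash:4420) UID(0) EUID(0), parent (bash:4415) UID(0) EUID(0)
Jun 17 15:30:31 [kernel] grsec: exec of [03:03:211000] (cat /etc/shadow ) by (sash:4421) UID(0) EUID(0), parent (sash:4420) UID(0) EUID(0)
"""


def program_name(argv):
    """argv[0] reduced to a bare program name: '/bin/su' -> 'su', '-bash' -> 'bash'."""
    if not argv:
        return ""
    return argv[0].lstrip("-").rsplit("/", 1)[-1]


def parse_exec(line):
    """Return a dict for a grsec exec record, or None for any other line."""
    m = EXEC_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("pid", "uid", "euid", "ppid", "puid", "peuid"):
        ev[key] = int(ev[key])
    ev["argv"] = ev["argv"].split()
    ev["prog"] = program_name(ev["argv"])
    return ev


def exec_events(log):
    return [ev for ev in map(parse_exec, log.splitlines()) if ev]


def shell_execs(log):
    """Every exec of a shell, whichever shell binary it is."""
    return [ev for ev in exec_events(log) if ev["prog"] in SHELLS]


def privilege_transitions(log):
    """Execs done with euid 0 by a process whose parent is not root: the
    point where su/sudo/a setuid helper produced a root process."""
    return [ev for ev in exec_events(log) if ev["euid"] == 0 and ev["puid"] != 0]


def lineage(log, pid):
    """Walk pid -> parent pid through the exec records. The latest exec seen
    for a pid is what that pid currently is."""
    latest = {}
    for ev in exec_events(log):
        latest[ev["pid"]] = ev
    chain, seen = [], set()
    while pid in latest and pid not in seen:
        seen.add(pid)
        ev = latest[pid]
        chain.append(f"{ev['prog']}:{pid} uid={ev['uid']}")
        pid = ev["ppid"]
    return chain


if __name__ == "__main__":
    for ev in shell_execs(SAMPLE_LOG):
        print(f"shell exec: {ev['prog']} pid={ev['pid']} uid={ev['uid']}")
    for ev in privilege_transitions(SAMPLE_LOG):
        print(f"root process from non-root parent: pid={ev['pid']} "
              f"via {ev['comm']} (parent uid {ev['puid']})")
    print(" <- ".join(lineage(SAMPLE_LOG, 4421)))
```

Run against a real grsec log, the same two checks pick up the intruder's sash just as readily as a bash, because the exec record comes from the kernel rather than from the shell binary; the ancestry walk then ties the `cat /etc/shadow` back to the su that created the root session.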