Gentoo Archives: gentoo-server

From: Joey Abaya Panoy <japanoy@×××××××××××.com>
To: gentoo-server@l.g.o
Subject: Re: [gentoo-server] Root commands > syslog
Date: Fri, 18 Jun 2004 07:13:57
Message-Id: 40D29A55.5090001@loyolaplans.com
In Reply to: Re: [gentoo-server] Root commands > syslog by Joey McCoy
>I agree, the GRSec Kernel Auditing features work quite well and are just
>informative enough to give you the info you're looking for... :)
>
>>On Thu, Jun 17, 2004 at 09:47:25AM -0700, Jason Qualkenbush wrote:
>>
>>>As far as logging commands once someone gets a root shell, I did find
>>>some info (if anyone is interested). First, there was syscalltrack
>>>(http://syscalltrack.sourceforge.net/index.html) which seems to work,
>>>but looks to be more like a debugging tool.
>>>
>>>I did find a bash shell patch called bash-bofh that logs all commands to
>>>syslog. Though, the only pages I seem to find are hacker-oriented
>>>pages and the homepage seems to raise backdoor questions
>>>(http://www.ccitt5.net). Still, the bash-bofh is the closest to what I
>>>seek so far.
>>>
>>These methods, as well as the sudo one mentioned earlier in this thread,
>>are all unreliable.
>>
>>I assume most of you are already using the gentoo kernel or have
>>grsecurity patched into whatever other kernel you're using on your
>>servers; simply turn on exec and chdir logging.
>>
>>Example:
>>Jun 17 15:27:46 [kernel] grsec: exec of [03:03:207557] (tail current ) by
>>(bash:12670) UID(0) EUID(0), parent (bash:30029) UID(0) EUID(0)
>>
You may find this bash patch [bash-perassi.patch
<http://honeynet.org/tools/>] from http://honeynet.org/tools/ useful.
It supports logging of keystrokes via UDP over the network.

But what if he switches to another shell like sash?

There is also a tool there called sebek
(http://honeynet.org/tools/sebek/faq.html) that can
capture all user activities. But I think this is overkill for your
intended purpose.

<http://honeynet.org/tools/dcapture/bash-perassi.patch>
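As an added illustration of the grsec exec-logging approach quoted in this thread (example code, not from the thread, from Gentoo or from grsecurity): a small Python parser for the exec record layout shown above that keeps only execs running as root and notes whether root was inherited from the parent or gained under a non-root parent. It assumes the single-line field layout of the quoted log line; every sample record other than the quoted one is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Regex for the single-line syslog form of a grsecurity exec audit record, built
# from the line quoted in the thread (assumption: that field layout is stable).
GRSEC_EXEC = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[kernel\] grsec: exec of "
    r"\[(?P<inode>[^\]]+)\] \((?P<argv>.*?)\) by "
    r"\((?P<comm>[^:]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\), "
    r"parent \((?P<pcomm>[^:]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)$"
)
INT_FIELDS = ("pid", "uid", "euid", "ppid", "puid", "peuid")

def parse_exec_line(line: str) -> Optional[Dict]:
    """Split one grsec exec record into fields; None for any other line (e.g. a chdir record)."""
    m = GRSEC_EXEC.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["argv"] = ev["argv"].split()          # argv is printed space-joined with a trailing blank
    for k in INT_FIELDS:
        ev[k] = int(ev[k])
    return ev

def root_execs(lines) -> List[Tuple[int, str, str]]:
    """Keep only execs that ran as root; tag each as root inherited from its parent or gained."""
    hits = []
    for line in lines:
        ev = parse_exec_line(line)
        if ev is None or ev["euid"] != 0:
            continue
        how = "inherited" if ev["peuid"] == 0 else "gained from uid %d" % ev["puid"]
        hits.append((ev["pid"], " ".join(ev["argv"]), how))
    return hits

# Constructed sample: the thread's line (rejoined onto one line), a non-root exec,
# a constructed root exec under a non-root parent, and an unrelated grsec chdir record.
SAMPLE_LOG = [
    "Jun 17 15:27:46 [kernel] grsec: exec of [03:03:207557] (tail current ) by (bash:12670) UID(0) EUID(0), parent (bash:30029) UID(0) EUID(0)",
    "Jun 17 15:28:01 [kernel] grsec: exec of [03:03:100042] (ls -l ) by (bash:12801) UID(1000) EUID(1000), parent (sshd:12799) UID(1000) EUID(1000)",
    "Jun 17 15:29:13 [kernel] grsec: exec of [03:03:100077] (id ) by (bash:12910) UID(0) EUID(0), parent (su:12905) UID(1000) EUID(1000)",
    "Jun 17 15:29:14 [kernel] grsec: chdir to /root by (bash:12910) UID(0) EUID(0), parent (su:12905) UID(1000) EUID(1000)",
]

if __name__ == "__main__":
    for pid, cmd, how in root_execs(SAMPLE_LOG):
        print("pid %d ran '%s' as root (%s)" % (pid, cmd, how))
```

Because the record comes from the kernel at exec time, it covers any shell or binary the user switches to, which is the gap the shell-patch approaches leave open.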