As far as logging commands once someone gets a root shell, I did find
some info (if anyone is interested). First, there was syscalltrack
(http://syscalltrack.sourceforge.net/index.html) which seems to work,
but looks to be more like a debugging tool.

I did find a bash shell patch called bash-bofh that logs all commands to
syslog. Though, the only pages I seem to find are hacker oriented
pages and the homepage seems to raise backdoor questions
(http://www.ccitt5.net). Still, the bash-bofh is the closest to what I
seek so far.

Anyone using a modified shell like this?

-Jason


-----Original Message-----
From: Jason Qualkenbush
Sent: Thursday, June 17, 2004 11:53 AM
To: gentoo-server@l.g.o
Subject: RE: [gentoo-server] Root commands > syslog


Ahhh! Got it. I should stop using "/bin/su -" and force sudo use
instead. It sounds more secure, gets what I want, and sounds like best
practice anyway. Thanks.

-Jason

-----Original Message-----
From: Dan Noe [mailto:dpn@×××××××××.net]
Sent: Thursday, June 17, 2004 11:47 AM
To: gentoo-server@l.g.o
Subject: Re: [gentoo-server] Root commands > syslog


On Thu, Jun 17, 2004 at 08:44:25AM -0700, Jason Qualkenbush wrote:
> Is there a way to get commands entered by root or even sudo commands
> into syslog? This way I can use syslog-ng to create a central log
> file for review or even use swatch to alert on suspicious commands.
> If the commands end up in the history file, there should be a way to
> get them into syslog, right? Or is this re-inventing the wheel?

Currently sudo commands are logged, like so:

Jun 17 11:45:31 threepwood sudo: dpn : TTY=pts/1 ; PWD=/home/dpn ; USER=root ; COMMAND=/usr/bin/less /var/log/messages

Remember, however, that users with certain privileges can execute sudo
-s or sudo <shell> and get a shell. In this case, sudo will log
starting the shell but will not log any commands typed into it.

Dan

-- 
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
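An added example (not from the thread or from any of the posters): a small parser for the sudo syslog line format Dan quotes, which flags the exact gap he describes, a COMMAND that starts a shell or su, so that a swatch-style review knows where the logged trail stops. The log lines, the `SESSION_SPAWNERS` set and the function names are constructed here, not from the page.

```python
import os
import re
from typing import Optional

# Shells and su: once one of these starts under sudo, sudo logs the launch
# but nothing typed inside the resulting session (the gap Dan describes).
SESSION_SPAWNERS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "su"}

# Matches the sudo syslog line format quoted in the thread (optional [pid]).
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s*:\s*TTY=(?P<tty>\S+)\s*;"
    r"\s*PWD=(?P<pwd>[^;]*?)\s*;\s*USER=(?P<target>\S+)\s*;"
    r"\s*COMMAND=(?P<command>.*)$"
)

# Constructed sample lines (assumed, not from the page); the first mirrors Dan's example.
SAMPLE_LOG = """\
Jun 17 11:45:31 threepwood sudo: dpn : TTY=pts/1 ; PWD=/home/dpn ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Jun 17 11:46:02 threepwood sudo: dpn : TTY=pts/1 ; PWD=/home/dpn ; USER=root ; COMMAND=/bin/bash
Jun 17 11:47:10 threepwood sudo[2211]: alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -
Jun 17 11:48:00 threepwood sshd[1234]: Accepted publickey for dpn from 10.0.0.5 port 50000 ssh2
"""

def parse_sudo_line(line: str) -> Optional[dict]:
    """Return the sudo fields of a syslog line, or None if it is not a sudo record."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["command"] = fields["command"].strip()
    return fields

def is_shell_escape(command: str) -> bool:
    """True when argv[0] of the logged COMMAND is a shell or su (sudo -s logs as the shell path)."""
    argv = command.split()
    return bool(argv) and os.path.basename(argv[0]) in SESSION_SPAWNERS

def audit(log_text: str) -> list:
    """Return the sudo records after which further commands will not appear in syslog."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec and is_shell_escape(rec["command"]):
            alerts.append(rec)
    return alerts

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        print(f"ALERT: {rec['user']} -> {rec['target']} started {rec['command']} on {rec['tty']}")
```

Running it prints one alert for the `/bin/bash` line and one for the `/bin/su -` line; the `less` invocation is fully logged and is not flagged.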