LinuxQuestions.org
Old 02-12-2013, 08:44 AM   #1
a.abdulna
Member
 
Registered: Feb 2013
Location: Bangalore
Distribution: Rhel
Posts: 86

The lastcomm command is not showing the full command.


Hi Team,

I have the psacct monitoring tool on RHEL 5 and it's working fine. Whenever I try the lastcomm command it's not showing the full command, but I want to get the full commands. Can anyone help me?


Regards
Abdul

 
Old 02-12-2013, 09:35 AM   #3
a.abdulna
Member
 
Registered: Feb 2013
Location: Bangalore
Distribution: Rhel
Posts: 86

Original Poster
Thanks for your reply.

I am not able to find a solution; I want to know all the full commands.

It's showing like:
fdisk root pts/4 0.00 secs Tue Feb 12 17:44

It's not showing like "fdisk -l, dmidecode |more, free -m"; the seconds stuff is not coming.

thanks
Abdul
 
Old 02-12-2013, 10:01 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Simply put: do not rely on psacct tools like lastcomm to provide you that information.
You have to use other tools.
The links in the post I pointed you to explain which tools are available and what information they log.
After you have read each of the threads in that post feel free to ask specific questions.
 
Old 02-12-2013, 08:44 PM   #5
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Pacct cannot record the entire command line.... that could be something like 200KB+ of data (think about an "echo *" in a directory with 5,000 files...).

What exactly are you trying to do?
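To see concretely why lastcomm can never show "fdisk -l" rather than "fdisk", it helps to look at what the kernel actually writes to the pacct file. The following is an added example (not code from the thread or from the psacct package): it packs a few constructed struct acct_v3 records using the field layout documented in acct(5) and <sys/acct.h>, then parses them back. The only place a command appears is ac_comm, a 16-byte copy of the kernel's task name (at most 15 characters), and there is no field at all for argv, so the arguments are never on disk to be shown. The sample records and the helper names are assumptions made for the illustration.

```python
import struct

# struct acct_v3 as documented in acct(5), little-endian (x86/x86_64):
#   ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid, ac_ppid,
#   ac_btime, ac_etime (float), 8 x comp_t counters, ac_comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
ACCT_COMM = 16                      # size of ac_comm; no argv field exists
AFORK, ASU, AXSIG = 0x01, 0x02, 0x10  # ac_flag bits from acct(5)


def decode_comp_t(c: int) -> int:
    """comp_t is a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def make_record(comm: str, uid: int, pid: int, ppid: int, btime: int,
                tty: int = 0, flag: int = 0) -> bytes:
    """Build one constructed acct_v3 record the way the kernel would fill it.

    The kernel copies current->comm (at most 15 chars plus NUL) into ac_comm;
    whatever argv the process had is simply not part of the record.
    """
    name = comm.encode()[:ACCT_COMM - 1].ljust(ACCT_COMM, b"\0")
    return ACCT_V3.pack(flag, 3, tty, 0, uid, 0, pid, ppid, btime, 0.0,
                        0, 0, 0, 0, 0, 0, 0, 0, name)


def parse_pacct(data: bytes) -> list:
    """Decode every 64-byte acct_v3 record in a pacct file image."""
    records = []
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        v = ACCT_V3.unpack_from(data, off)
        records.append({
            "flag": v[0], "version": v[1], "tty": v[2], "exitcode": v[3],
            "uid": v[4], "gid": v[5], "pid": v[6], "ppid": v[7],
            "btime": v[8], "etime": v[9],
            "utime_ticks": decode_comp_t(v[10]),
            "stime_ticks": decode_comp_t(v[11]),
            # ac_comm is NUL-padded; this is all lastcomm has to print
            "comm": v[18].split(b"\0", 1)[0].decode("ascii", "replace"),
        })
    return records


# Constructed sample: what "fdisk -l", "dmidecode | more" and an oddly named
# binary leave behind. Arguments and the pipe are not recorded anywhere.
SAMPLE_PACCT = b"".join([
    make_record("fdisk", 0, 2143, 2100, 1360664640, tty=0x8804),
    make_record("dmidecode", 0, 2150, 2100, 1360664645, tty=0x8804),
    make_record("more", 0, 2151, 2100, 1360664645, tty=0x8804),
    make_record("a-very-long-program-name", 500, 2190, 2100, 1360664700),
])


def command_names(data: bytes = SAMPLE_PACCT) -> list:
    return [r["comm"] for r in parse_pacct(data)]


if __name__ == "__main__":
    for r in parse_pacct(SAMPLE_PACCT):
        print(f"uid={r['uid']:<5} pid={r['pid']:<6} btime={r['btime']} comm={r['comm']!r}")
```

What the record does give you is still useful for correlation: uid, tty, pid/ppid, start time and exit code identify who ran something and when, which is what the later posts in this thread build on.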
 
Old 02-13-2013, 01:34 AM   #6
a.abdulna
Member
 
Registered: Feb 2013
Location: Bangalore
Distribution: Rhel
Posts: 86

Original Poster
I want to record the entire command line; please suggest any tool.
 
Old 02-13-2013, 04:36 AM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Try the script utility.

Nothing works in all cases - it cannot record what isn't presented, as in the case of running shell scripts.

Why do you need the entire command line?
 
Old 02-13-2013, 05:01 AM   #8
a.abdulna
Member
 
Registered: Feb 2013
Location: Bangalore
Distribution: Rhel
Posts: 86

Original Poster
Dear Pollard,

Our company has recently had a spate of attacks at one of our customer servers that have resulted in an application being corrupted and some important databases deleted. I suspect somebody tried something; I want to know the commands done by individual users. So please suggest a better way to monitor RHEL servers.

Thanks
Abdul
 
Old 02-13-2013, 06:01 AM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

The only way to get what you are asking for is to replace the exec system call... but even that doesn't record everything - the damage may be done by using a perfectly valid program to do something that isn't authorized.

And expect so much output that your recording system fills up.

To "monitor RHEL servers" calls for actually monitoring them - apply SELinux rules to the files you want to protect, add auditing to record file accesses, deletions, process accounting, and actually review the logs.

When something goes wrong you will be able to find the login, and when it was done. Check out some of the inotify utilities (https://github.com/rvoicilas/inotify-tools/wiki) to track specific files (doing this reduces the log rate, and can identify when something happened, though not who - that is up to different tools. But the library provided should be able to give hooks that can be used to extend the base information).

Does it work in all cases? No. It takes a lot of time to go through the logs, and it takes a lot of storage to save the logs. One system I worked on was shown to generate 17MB of logs every second (and that one only had 8 processors).

You also run the risk of violating various laws regarding either privacy or even secrecy... some of the information revealed by the logs may contain classified information (either military, government, or just company trade secrets) - so have a lawyer/security personnel/responsible manager that can authorize such activity (in my one case, my manager wasn't even authorized to know what I was recording - I was taking direction from an external security unit).

The problem with recording command lines is that it may record only a single command, with no parameters.

But that command may have the entire attack built in - with no additional commands involved. A simple "a.out" executable does the work. Any parameters required may be taken from the environment variables, and setting those doesn't require an exec. So recording an exec CAN include the environment... but expect each record to contain up to around 100K+ for the environment, and 100K+ for possible parameters... (see http://www.kernel.org/doc/man-pages/.../execve.2.html for memory requirements for parameters and environment).

For most auditing/investigations, it is sufficient to have the pacct entries (the command name, and some of the parameters). Correlating the timing of the pacct records + knowing when the files are deleted (auditing/inotify tools) is enough. Sometimes it is desirable to record user sessions - even though such sessions cannot record internal activity. This can be done by a modified "tee" utility and modifying the login - usually sshd - to start the modified tee utility with the user's shell as the parameter instead of just starting the shell; some of these tools have already been referred to. The problem with these tools is that you have to be careful to NOT record user passwords...
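The correlation jpollard describes (a record of which files were deleted, joined with a record of which command was running at that moment and under which login) is exactly what the Linux audit subsystem produces once you watch the data directory and log execve. The script below is an added example, not part of the thread and not from any of the tools mentioned in it: it parses a short, constructed audit.log excerpt (a deletion under /var/lib/app/db plus two execs), reconstructs the full argv from the EXECVE records, including the hex-encoded form auditd uses for arguments containing spaces, and attributes each DELETE to the command line and login uid behind it. The file paths, pids and the two auditctl rules named in the comment are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit.log lines (not from the thread). Rules assumed to have
# produced them (standard auditctl syntax):
#   auditctl -a always,exit -F arch=b64 -S execve -k exec-log
#   auditctl -w /var/lib/app/db -p wa -k db-watch
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1360664640.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2143 auid=500 uid=0 gid=0 euid=0 tty=pts4 ses=3 comm="rm" exe="/bin/rm" key="exec-log"
type=EXECVE msg=audit(1360664640.123:4567): argc=3 a0="rm" a1="-rf" a2=2F7661722F6C69622F6170702F646220283129
type=SYSCALL msg=audit(1360664640.130:4568): arch=c000003e syscall=263 success=yes exit=0 ppid=2100 pid=2143 auid=500 uid=0 gid=0 euid=0 tty=pts4 ses=3 comm="rm" exe="/bin/rm" key="db-watch"
type=PATH msg=audit(1360664640.130:4568): item=1 name="/var/lib/app/db (1)/data.db" inode=131074 dev=fd:00 mode=0100644 ouid=500 ogid=500 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1360664700.001:4601): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2190 auid=500 uid=500 gid=500 euid=500 tty=pts4 ses=3 comm="fdisk" exe="/sbin/fdisk" key="exec-log"
type=EXECVE msg=audit(1360664700.001:4601): argc=2 a0="fdisk" a1="-l"
"""

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def unquote(v: str) -> str:
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def parse_line(line: str):
    """Split one audit record into type, event serial, timestamp and fields."""
    m = MSG_RE.search(line)
    if not m:
        return None
    secs, frac, serial = m.groups()
    rtype = re.match(r"type=(\w+)", line).group(1)
    fields = dict(KV_RE.findall(line[m.end():]))
    return {"type": rtype, "serial": int(serial),
            "time": float(f"{secs}.{frac}"), "fields": fields}


def group_events(log_text: str) -> dict:
    """All records sharing one audit(...:serial) belong to the same syscall."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def execve_argv(records: list):
    """Rebuild argv from an EXECVE record. auditd quotes plain arguments and
    hex-encodes ones with spaces or unprintable bytes (split a1[0]= chunks for
    very long arguments are not handled here)."""
    for rec in records:
        if rec["type"] == "EXECVE":
            f = rec["fields"]
            argv = []
            for i in range(int(f["argc"])):
                raw = f[f"a{i}"]
                argv.append(unquote(raw) if raw.startswith('"')
                            else bytes.fromhex(raw).decode("utf-8", "replace"))
            return argv
    return None


def build_timeline(log_text: str):
    """Return (execs, deletes), each entry carrying time, pid and both uids.
    auid is the login uid and survives su/sudo, so it names the person."""
    execs, deletes = [], []
    for serial, recs in sorted(group_events(log_text).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        f = sc["fields"]
        who = {"auid": int(f["auid"]), "uid": int(f["uid"]), "pid": int(f["pid"]),
               "ses": f.get("ses"), "tty": unquote(f.get("tty", ""))}
        argv = execve_argv(recs)
        if argv is not None:
            execs.append({"time": sc["time"], **who, "argv": argv})
        for r in recs:
            if r["type"] == "PATH" and r["fields"].get("nametype") == "DELETE":
                deletes.append({"time": sc["time"], **who,
                                "path": unquote(r["fields"]["name"])})
    return execs, deletes


def attribute_deletions(execs: list, deletes: list) -> list:
    """For each deleted path, find the latest exec by the same pid at or before
    the deletion and report login uid, effective uid, tty, time and command."""
    out = []
    for d in deletes:
        cands = [e for e in execs if e["pid"] == d["pid"] and e["time"] <= d["time"]]
        cmd = max(cands, key=lambda e: e["time"])["argv"] if cands else None
        out.append({"path": d["path"], "auid": d["auid"], "uid": d["uid"],
                    "tty": d["tty"], "pid": d["pid"],
                    "when": datetime.fromtimestamp(d["time"], timezone.utc).isoformat(),
                    "command": " ".join(cmd) if cmd else "(no exec record for pid)"})
    return out


if __name__ == "__main__":
    ex, de = build_timeline(SAMPLE_LOG)
    for row in attribute_deletions(ex, de):
        print(row)
```

Note what the sample shows: the deletion ran as uid 0, but auid=500 tells you which login did it, which is the "who" that inotify alone cannot supply; the ses field ties the exec and the deletion to the same login session so ausearch -k db-watch and ausearch -k exec-log can be joined the same way on a real box.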
 
Old 02-13-2013, 08:10 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

First things first.

Quote:
Originally Posted by a.abdulna
Our company has recently had a spate of attacks at one of our customer servers that have resulted in an application being corrupted and some important databases deleted. I suspect somebody tried something; I want to know the commands done by individual users.
If a server was attacked and compromised then that server should be isolated and the incident should be investigated immediately. This investigation should be prioritized and it should include adjacent machines. If you do not have the knowledge to investigate then ask somebody who has. Restoring the machine from a known good backup may mitigate the situation but it would also mean not learning anything from that incident and not being able to apply measures based on what's learned.
 
Old 02-13-2013, 09:51 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Secondly, like security in general, adding a comprehensive audit trail should not be regarded as something you bolt onto an existing setup. That doesn't mean it can't be done and depending on requirements it doesn't necessarily require something as invasive as replacing the exec system call. The first task should be to verify system integrity is intact. Because without a proven sound basis anything can (and should) be questioned. Next the machine should be brought up to date if it isn't. Then it must be hardened because limiting exposure limits threat vectors. Then you are ready to implement your audit trail on top of that. When you design your audit trail you must not stare blindly at details but first apply a broader view and take into account the purpose of the server, its location in the network and (possibilities of) existing infrastructure.


Posting generic advice is OK but it allows for assumptions, opinions and omissions and is therefore not necessarily efficient or suitable or correct in your particular situation. You already indicated the machine is in a DC behind a firewall (please don't remove information from posts unless it reveals identifying information) so I suggest you start by listing basic information:
- RHEL release and update number,
- if all software is up to date,
- if system integrity is confirmed to be intact,
- what hardening, if any, was done before,
- if there have been any recorded incidents already,
- which ports are open in the DC firewall and from where traffic is allowed,
- the purpose of the machine,
- what networked services the machine provides,
- what services the machine firewall allows and from where.