LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-04-2007, 04:50 PM   #1
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Rep: Reputation: 30
Auditing - Logging all commands and arguments


I want to increase my security and auditing on some systems by adding full logging of every command and all arguments to every command that is typed on any shell used on the system.

I have used sa before, but this only logs the command program, not the arguments, which makes all the difference. Also, I'm not sure it will catch shell built-ins or people truncating files like so: "> filename".

I have used snoopy before, which I liked and seemed to work quite well, although it does not seem to be supported any more since 2004, looking at the SourceForge site. Since this uses execve I'm not sure this will catch shell built-ins either, in fact, nor am I sure about packages/maintainability of doing this, but then considering it has not been updated in 3.5 years I doubt updates will be a problem... (of course this raises issues about security or bugs discovered in it if not maintained).

I've also found sudosh on Google, but this seems to be an imperfect approach since it requires giving people an alternate shell through sudo. What happens when logging all commands but one command is just "bash" and everything inside that command is a black box?

Ideally I'd like whatever auditing solution I implement to be shell neutral.

Sudo itself is completely inadequate because people "sudo su" and it would be difficult, if not impossible, to grant people access to only specific commands.


So what do you use for complete command auditing/logging?
 
Old 12-04-2007, 06:25 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,017
Blog Entries: 54

Rep: Reputation: 2764
Quote:
Originally Posted by humbletech99
I want to increase my security and auditing on some systems by adding full logging of every command and all arguments to every command that is typed on any shell used on the system.
I can understand the auditing part (since that falls apart into preventive stuff, making sure all is "sane", like checking with tools like Tiger, L(N?)SAT, env_audit, etc, etc and the post-op stuff like file, threshold, attribute and logchecking, followed by adjusting configuration accordingly) but security I can't fully place though because logging takes place during (or more exactly *after*) the event. If you don't want certain things to happen I'd suggest you start with refining restrictions and then only grant additional (temporary?) rights when necessary: restrict now, suppress later.


Quote:
Originally Posted by humbletech99
I've also found sudosh on google but this seems to be an imperfect approach since it requires giving people an alternate shell through sudo.
Quote:
Originally Posted by man rootsh
Start a shell with logging of input/output. (..) You can run rootsh as a standalone application if you only want to log your own user’s session.

Quote:
Originally Posted by humbletech99
What happens when logging all commands but one command is just "bash" and everything inside that command is a black box?
Code:
rootsh session opened for unspawn as unspawn on /dev/pts/11 at Wed Dec  4 10:11:15 2007
^[]0;unspawn@hostname:~^G[unspawn@hostname unspawn]$ echo I am $$ and now I open a subshell^M
I am 15870 and now I open a subshell^M
^[]0;unspawn@hostname:~^G[unspawn@hostname unspawn]$ bash^M
^[]0;unspawn@hostname:~^G[unspawn@hostname unspawn]$ echo I am $$ and now I open a csh subshell^M
I am 15906 and now I open a csh subshell^M
^[]0;unspawn@hostname:~^G[unspawn@hostname unspawn]$ csh^M
[unspawn@hostname ~]$ exit^M^M
exit^M
^[]0;unspawn@hostname:~^G[unspawn@hostname unspawn]$ exit^M
exit^M
^[]0;unspawn@hostname:~^G[unspawn@hostname unspawn]$ exit^M
exit^M

*** rootsh session ended by user^M
rootsh session closed for unspawn on /dev/pts/11 at Wed Dec  4 10:11:57 2007

Quote:
Originally Posted by humbletech99
Ideally I'd like whatever auditing solution I implement to be shell neutral.
I'd combine rootsh logging to (remote?) syslog with the GRSecurity patch. It's got all sorts of logging options even without using RSBAC. Turn them all on for a few boxen for a few days and you've got some hefty log parsing ahead ;-p
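A parser for session logs of the kind pasted above, added here as an example; it is not part of unSpawn's post or of rootsh itself. The log text is a constructed sample with the same layout as the real one, and the prompt shape ("[user@host dir]$ " or "...]# ") is an assumption:

```shell
#!/bin/sh
# Added example, not from the thread or from rootsh: pull the commands a user
# typed out of a rootsh session log. rootsh records the raw terminal stream, so
# the file carries xterm title sequences (ESC ] 0 ; ... BEL, shown as ^[]0;...^G
# in the post) and carriage returns (^M) that must be stripped before prompt
# lines can be matched. Assumed: prompts look like "[user@host dir]$ " or "...]# ".

LOG=/tmp/rootsh-sample.log   # constructed sample session, not a real log

# Write the sample with real control characters (the post shows caret notation).
{
  printf 'rootsh session opened for alice as alice on /dev/pts/3 at Tue Dec  4 10:11:15 2007\n'
  printf '\033]0;alice@host:~\007[alice@host alice]$ echo I am $$ and now I open a subshell\r\n'
  printf 'I am 15870 and now I open a subshell\r\n'
  printf '\033]0;alice@host:~\007[alice@host alice]$ bash\r\n'
  printf '\033]0;alice@host:~\007[alice@host alice]$ chsh -s /bin/bash\r\n'
  printf '\033]0;alice@host:~\007[alice@host alice]$ exit\r\n'
  printf 'exit\r\n'
  printf '*** rootsh session ended by user\r\n'
  printf 'rootsh session closed for alice on /dev/pts/3 at Tue Dec  4 10:11:57 2007\n'
} > "$LOG"

# Print one typed command per line, terminal noise removed.
# Argument: path to the session log.
extract_commands() {
  esc=$(printf '\033'); bel=$(printf '\007')
  tr -d '\r' < "$1" \
    | sed "s/${esc}][^${bel}]*${bel}//g" \
    | sed -n 's/^\[[^]]*][$#] //p'
}

# Number of commands in the session, for a quick per-session summary.
count_commands() {
  extract_commands "$1" | wc -l | tr -d ' '
}

# Stand-alone use: list what was typed, then the count.
extract_commands "$LOG"
count_commands "$LOG"
```

Output that a program wrote (the "I am 15870 ..." line, the echoed "exit") is dropped because it carries no prompt, so the command list is exactly what the user typed, including the "bash" that would otherwise be a black box.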
 
Old 12-04-2007, 06:53 PM   #3
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Original Poster
Rep: Reputation: 30
Thanks for that. Rootsh looks promising too.

Question: can rootsh be invoked automatically for every shell session? Would this not require making it the default shell for all user accounts, and would that in itself not be bypassable by users simply changing their default shell back to /bin/bash or similar and then logging out and back in?

I'd rather not give users the choice about being logged or even make it obvious in any way. This is one of the things I like about snoopy: it is very inconspicuous.

I'll check it out.
 
Old 12-05-2007, 04:23 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,017
Blog Entries: 54

Rep: Reputation: 2764
Quote:
Originally Posted by humbletech99
Question, can rootsh be invoked automatically for every shell session?
Why don't you try it yourself? One of the things I like about GNU/Linux is it gives you all the freedom to experiment.


Quote:
Originally Posted by humbletech99
would that in itself not be bypassable by users simply changing their default shell back to /bin/bash or similar and then logging out and back in?
Depends on whether your security posture restricts users from using 'chsh'.
 
Old 12-06-2007, 12:05 AM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,251

Rep: Reputation: 2026
Note that people can only "sudo su" if you allow that in the sudoers file. Normally you wouldn't allow that, just the commands they need.
 
Old 12-06-2007, 08:08 AM   #6
humbletech99
Member
 
Registered: Jun 2005
Posts: 374

Original Poster
Rep: Reputation: 30
unSpawn: OK, I will, but it's not packaged and I hate dirtying up my systems. Also, I didn't have access to my systems at that time and wasn't on Linux.


chrism01: Well, our devs all "sudo su". It would be difficult, if not impossible, to have to explicitly grant them perms to every single command in sudoers.

Hence I need the logging of everything to track down who did what, and when, that broke something.

unSpawn: How do you suggest I prevent users from chsh? Remember that the users can "sudo su". At the very least they could just edit /etc/passwd.

Last edited by humbletech99; 12-06-2007 at 08:09 AM.
 
Old 12-06-2007, 12:31 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,017
Blog Entries: 54

Rep: Reputation: 2764
Quote:
Originally Posted by humbletech99
it's not packaged
What kind of packaging?


Quote:
Originally Posted by humbletech99
How do you suggest I prevent users from chsh?
Look at the permission on the binary and how access to it is governed.


Quote:
Originally Posted by humbletech99
Remember that the users can "sudo su". At the very least they could just edit /etc/passwd.
Make your filesystem integrity checker cover /etc. And if you allow them an alias like "sudo rootsh" (and make sure you enabled the binary to log to syslog and file) that should help.
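A check for the bypass discussed in posts #3 and #7, added here as an example and not taken from the thread or from rootsh: it reports every ordinary account whose login shell is no longer the logging wrapper, which is what a chsh or a hand edit of /etc/passwd leaves behind. The passwd contents are a constructed sample and the wrapper path /usr/local/bin/rootsh is an assumed install location:

```shell
#!/bin/sh
# Added example, not from the thread: detect accounts whose login shell has been
# switched away from the logging wrapper (via chsh or by editing /etc/passwd,
# both possible for anyone who can "sudo su"). This is detection after the fact,
# which is all a log-based approach gives; pair it with an integrity checker
# on /etc as post #7 suggests.
# Assumed: wrapper installed at /usr/local/bin/rootsh; ordinary users have
# UID >= 1000; the passwd file below is a constructed sample, not /etc/passwd.

PASSWD=/tmp/passwd-sample
WRAPPER=/usr/local/bin/rootsh

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/usr/local/bin/rootsh
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/usr/local/bin/rootsh
dave:x:1003:1003:Dave:/home/dave:/bin/csh
EOF

# Print "user shell" for every ordinary account not running the wrapper.
# Arguments: passwd file, wrapper path.
unwrapped_accounts() {
  awk -F: -v minuid=1000 -v w="$2" '$3 >= minuid && $7 != w { print $1, $7 }' "$1"
}

# Exit 0 when every ordinary account is wrapped, 1 otherwise (cron-friendly).
check_wrapped() {
  [ -z "$(unwrapped_accounts "$1" "$2")" ]
}

# Stand-alone use: list offenders, then report the overall status.
unwrapped_accounts "$PASSWD" "$WRAPPER"
if check_wrapped "$PASSWD" "$WRAPPER"; then
  echo "all ordinary accounts use $WRAPPER"
else
  echo "WARNING: the accounts above bypass $WRAPPER"
fi
```

Run it against the real /etc/passwd from cron and alert on a non-zero exit; system accounts below the UID threshold are ignored on purpose, since their nologin shells are expected.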
 