Old 04-26-2010, 06:36 AM   #1
__raHulk
Member
Have a log of *ALL* commands issued to the system.


Hi All,

Can we have a log of each and every command which has been issued to our system, regardless of shell or terminal?

Let me clarify it a bit more:
The "history" command does it, but if I write a shell script and run it, then history just shows the name of the script but not all the commands which it fired. I want to have a complete log of all commands fired to the kernel. Is it even possible? If not, why?

Thanks in advance.

RLTH
 
Old 04-26-2010, 06:56 AM   #2
TB0ne
Guru
Quote:
Originally Posted by __raHulk
Hi All,

Can we have a log of each and every command which has been issued to our system, regardless of shell or terminal?

Let me clarify it a bit more:
The "history" command does it, but if I write a shell script and run it, then history just shows the name of the script but not all the commands which it fired. I want to have a complete log of all commands fired to the kernel. Is it even possible? If not, why?

Thanks in advance.

RLTH
No, things don't work that way. Commands aren't "fired to the kernel", either. If you want each command in every shell script logged, then you need to write in explicit logging.

If you want to know why (which is what makes this sound like a homework question), use Google and look it up.
 
Old 04-26-2010, 02:49 PM   #3
unSpawn
Moderator
Quote:
Originally Posted by TB0ne
If you want to know why (which is what makes this sound like a homework question), use Google and look it up.
If you do not have evidence this is homework then please ask if it is, not assume it is and point to Google or LMGTFY.

//And as far as the topic is concerned I've posted quite a bit about system logging here in this forum. A quick search for posts containing the terms GRsecurity, SE Linux, Auditd, rootsh, PCI-DSS should yield some results.
 
Old 04-26-2010, 04:11 PM   #4
TB0ne
Guru
Quote:
Originally Posted by unSpawn
If you do not have evidence this is homework then please ask if it is, not assume it is and point to Google or LMGTFY.

//And as far as the topic is concerned I've posted quite a bit about system logging here in this forum. A quick search for posts containing the terms GRsecurity, SE Linux, Auditd, rootsh, PCI-DSS should yield some results.
Quite true... no evidence of that; it was in my reading of the question.
 
Old 04-27-2010, 03:18 AM   #5
unSpawn
Moderator
Quote:
Originally Posted by __raHulk
The "history" command does it, but if I write a shell script and run it, then history just shows the name of the script but not all the commands which it fired.
For example, in Bash see the 'history' command in 'man bash': 'history -a'?



Quote:
Originally Posted by __raHulk
I want to have a complete log of all commands fired to the kernel. Is it even possible? If not, why?
By default a GNU/Linux installation does not come with extensive logging enabled. It is possible to log about everything, but it requires a lot of work (it's not like you install a single userland package and are done with it). So before we get into this, please fill us in on what the reason is for requiring this (in the meanwhile, please also search the Linux Security forum for where I posted about system logging, in posts containing the terms GRsecurity, SE Linux, Auditd, rootsh, PCI-DSS) and the system's specs (distribution and version, kernel version, whatever measures are already in place to facilitate verbose logging), and please be as verbose as possible about things without being asked.
 
Old 04-28-2010, 02:16 AM   #6
__raHulk
Member
I hadn't expected such quick responses. Anyway, thanks for the kind interest.

I've been monitoring the security concerns on our servers, running mainly RHEL 5.3 (kernel 2.6.18-128.el5) on Dell servers. This is the reason why I need to have a log of each command.

*GRsecurity is not what I'm looking for and SELinux won't help in this regard.

*Process accounting is helpful but only to some extent.

*auditd is a good tool to keep track of file changes and access related stuff.

*rootsh is good, but it logs only keystrokes, so we will get to know what has been typed into the script as commands. But what if the script has been brought from somewhere else and not edited on the system? What if commands have been copied from Notepad into the PuTTY s/w? Moreover, I'm not sure that it logs all the keystrokes input from multiple terminals via remote SSH logins (anyone have any idea?).

What I want is to have the log of all the commands which are executed by the system's shell. Commands can be run:
1. from local system's command prompt.
2. using any scripts.
3. using aliases.
4. via ssh login.

Telnet, rsh, ftp etc. need not be considered.

If extensive logging is the answer, just give me some hint as to how to move forward with that.
 
Old 04-28-2010, 11:46 AM   #7
unSpawn
Moderator
Quote:
Originally Posted by __raHulk
I hadn't expected such quick responses.
You can usually expect responses within one to twenty-four hours.


Quote:
Originally Posted by __raHulk
GRsecurity is not what I'm looking for and SELinux won't help in this regard.
Not to be pedantic, but that's a conclusion, not a reason. Since we don't know what it's based on, we cannot agree with or counter it. Please be more verbose.


Quote:
Originally Posted by __raHulk
What if the script has been brought from somewhere else and not edited on the system?
Then you only get the path and filename.


Quote:
Originally Posted by __raHulk
What if commands have been copied from Notepad into the PuTTY s/w?
As commands are entered at the CLI, you get the commands in the log.


Quote:
Originally Posted by __raHulk
Moreover, I'm not sure that it logs all the keystrokes input from multiple terminals via remote SSH logins (anyone have any idea?).
That is something you can easily test yourself: set up a local account, run it under rootsh, then log in from remote, open up screen and type away.


Quote:
Originally Posted by __raHulk
What I want is to have the log of all the commands which are executed by the system's shell.
CLI, aliases and remote logins aren't a problem for rootsh. I do not know of any OTS tool that will display a script's contents as the script is run (as, for example, Bash's "-xv" switches would). If you have a problem with that, then maybe you should turn your POV upside down and instead prohibit users from introducing and running foreign scripts. GRsecurity offers TPE (Trusted Path Execution) out of the box, but you dismissed using it. TOMOYO (one of the other LSM users) offers what looks like TPE, but whether it suffices with path wildcards I don't know (yet). SE Linux doesn't offer TPE, but at least the Fedora branch allows for sand-boxing accounts. Maybe you can take a cue from that when developing a policy.
 
3 members found this post helpful.
Old 05-03-2014, 02:04 AM   #8
wzis
LQ Newbie
If you can get dtrace to work on your machine, then it can be done.

Quote:
Originally Posted by __raHulk
Hi All,

Can we have a log of each and every command which has been issued to our system, regardless of shell or terminal?

RLTH
Just use syscall::exec:entry, syscall::exece:entry
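An added example, not code from any poster in this thread, of the Auditd route unSpawn points to, which is the Linux counterpart of the exec-probe idea above: with an audit rule on execve() the kernel records every program started, whatever shell, script, alias or ssh session started it, and this Python reconstructs "who ran what" lines from constructed sample records. The rule key "exec_log", the paths and the log lines are all constructed; note that a script's shell builtins never show up, while each external program the script spawns produces its own execve record.

```python
import re
import shlex

# Constructed audit rules (drop into /etc/audit/rules.d/) that make the kernel
# record every execve(), whichever shell, script, alias or ssh session ran it.
EXECVE_RULES = """\
-a always,exit -F arch=b64 -S execve -k exec_log
-a always,exit -F arch=b32 -S execve -k exec_log
"""

# Constructed sample records in auditd's native format: one SYSCALL plus one
# EXECVE record per event. auditd quotes printable arguments and hex-encodes
# (unquoted) any argument containing spaces or non-printable bytes.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1272286591.123:456): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 tty=pts0 comm="ls" exe="/bin/ls" key="exec_log"
type=EXECVE msg=audit(1272286591.123:456): argc=3 a0="ls" a1="-la" a2=2F746D702F6D7920646972
type=SYSCALL msg=audit(1272286591.900:457): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=1000 uid=0 gid=0 tty=(none) comm="backup.sh" exe="/bin/bash" key="exec_log"
type=EXECVE msg=audit(1272286591.900:457): argc=2 a0="/bin/bash" a1="/opt/backup.sh"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def decode_arg(raw):
    """Undo auditd's encoding: strip quotes, or hex-decode an unquoted value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "replace")

def parse_audit(text):
    """Join SYSCALL and EXECVE records by event id into one dict per execve."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"time": float(m.group(1)), "argv": []})
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") == "SYSCALL":
            for k in ("auid", "uid", "tty", "exe", "comm", "success"):
                ev[k] = fields.get(k, "").strip('"')
        elif fields.get("type") == "EXECVE":
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
    return [events[k] for k in sorted(events, key=int)]

def command_lines(text):
    """One 'who ran what' line per execve; auid survives su/sudo, uid does not."""
    return [f"auid={e['auid']} uid={e['uid']} tty={e['tty']} exe={e['exe']} "
            f"cmd={shlex.join(e['argv'])}" for e in parse_audit(text)]
```

The second event shows the limit unSpawn describes: a script run from cron gives you the interpreter and the script path; the commands inside it appear only as the further execve records they trigger.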
 
Old 05-07-2014, 04:34 PM   #9
Lantzvillian
Member
Here is one thing that I did for a Honeypot project:

http://www.pacificsimplicity.ca/blog...mands-remotely