LinuxQuestions.org
Old 08-10-2009, 10:18 AM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Rep: Reputation: 3541

Quote:
Originally Posted by rfelsburg View Post
Have you looked into psacct, sar, and sa for command history? This has proven many times to be useful to me when tracing back user involvement, and user security snafus.
If you can find, at a certain date and time, the user who executed a command, the exact command that was run including arguments plus output or any "evidence" of said command (say an unprivileged user running 'fdisk /dev/sda; d; 1; n; p; w; q') using only psacct, sar, and sa please show.
 
Old 08-10-2009, 10:42 AM   #17
rfelsburg
Member
 
Registered: Nov 2008
Posts: 52

Rep: Reputation: 18
A fair question, no, sa and psacct do not give the arguments passed. sa will give the user that ran the command, but is used for more summary information of commands, lastcomm is a more useful command, which I forgot to mention, it gives date, user, termination status etc. However you are correct that either will give you the arguments passed.

sa --print-users
-> this would give you all commands run, cpu time for each, and the user that ran them.

lastcomm --user $USERNAME
-> this would give you all commands run by a certain user, and the time at which they were run, sans the arguments passed.

lastcomm $COMMAND
-> this would give you all commands run that match $COMMAND


For catching arguments, snoopy is a good tool, used in conjunction with psacct commands, and sudo audit files/logging you can catch quite a bit of information for process/user command auditing
 
Old 08-10-2009, 10:58 AM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Rep: Reputation: 3541
Quote:
Originally Posted by rfelsburg View Post
A fair question, no, sa and psacct do not give the arguments passed. sa will give the user that ran the command, but is used for more summary information of commands, lastcomm is a more useful command, which I forgot to mention, it gives date, user, termination status etc. However you are correct that either will give you the arguments passed. (..) For catching arguments, snoopy is a good tool, used in conjunction with psacct commands, and sudo audit files/logging you can catch quite a bit of information for process/user command auditing
If you reread this thread TTB you'll see that I already offered 'rootsh'. If you don't know about it I invite you to read the docs and take it for a spin. Correlating its logging with that of PAM plus Sudo plus Auditd definitely gives you a way more detailed timeline and convincing audit trail.
 
Old 08-10-2009, 11:25 AM   #19
rfelsburg
Member
 
Registered: Nov 2008
Posts: 52

Rep: Reputation: 18
I did skim through the thread, and I saw both sudosh, and rootsh offered up. I was merely pointing out psacct since it is a default install on many systems and yet few people use it :-). I haven't used auditd, I'll have to look into it.

Thanks,

-Rob
 
Old 08-17-2009, 04:23 AM   #20
saifkhan123
Member
 
Registered: Apr 2009
Distribution: Red Hat/CentOS
Posts: 108

Rep: Reputation: 19
You should try "rootsh", it's a very useful tool, google it.
 
Old 08-31-2009, 05:00 PM   #21
gwiesenekker
LQ Newbie
 
Registered: Oct 2005
Posts: 14

Rep: Reputation: 10
Solved: log all commands

Failing to find a suitable utility I wrote the following C program to log all commands on Fedora Core. The command and its arguments are copied into a command buffer and written to syslog, prefixed by the user-id and the process-id.

Code:
/* gwaudit.c: LD_PRELOAD wrapper that logs every execve() call to syslog */
#include <dlfcn.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

int execve(const char *filename, char *const argv[], char *const envp[])
{
  int (*func)(const char *, char *const[], char *const[]);
  char path[PATH_MAX + PATH_MAX];
  FILE *fproc;
  int loginuid;
  char command[LINE_MAX + LINE_MAX];
  int icommand, iarg;
  size_t larg;

  openlog("gwaudit", LOG_PID, LOG_AUTHPRIV);

  /* read the loginuid recorded for the parent process */
  sprintf(path, "/proc/%d/loginuid", getppid());
  loginuid = -1;
  if ((fproc = fopen(path, "r")) == NULL)
  {
    syslog(LOG_WARNING, "COULD NOT OPEN /proc FOR PROCESS %d", getppid());
  }
  else
  {
    if (fscanf(fproc, "%d", &loginuid) != 1)
    {
      syslog(LOG_WARNING, "COULD NOT READ loginuid FOR PROCESS %d", getppid());
      loginuid = -1;
    }
    if (fclose(fproc) == EOF)
      syslog(LOG_CRIT, "COULD NOT CLOSE FILE %s", path);
  }
  /* start the record with [loginuid:parent-pid] */
  sprintf(command, "[%d:%d]", loginuid, getppid());
  icommand = strlen(command);
  /* append each argument, separated by a space (argv itself may be NULL) */
  for (iarg = 0; argv != NULL && argv[iarg] != NULL; iarg++)
  {
    larg = strlen(argv[iarg]);
    if ((icommand + 1 + larg) >= LINE_MAX)
    {
      syslog(LOG_WARNING, "COMMAND BUFFER TOO SMALL FOR ARG %s", argv[iarg]);
      break;
    }
    command[icommand++] = ' ';
    strcpy(command + icommand, argv[iarg]);
    icommand += larg;
    //should not happen
    if (icommand >= LINE_MAX)
    {
      syslog(LOG_CRIT, "COMMAND BUFFER EXCEEDED INDEX=%d MAX=%d",
        icommand, LINE_MAX);
      break;
    }
  }
  
  syslog(LOG_INFO, "%s", command);

  /* look up the real execve() in the next library and hand over to it */
  *(void **) (&func) = dlsym(RTLD_NEXT, "execve");
  if (func == NULL)
  {
    syslog(LOG_CRIT, "COULD NOT RESOLVE execve");
    errno = ENOSYS;
    return(-1);
  }

  return((*func)(filename, argv, envp));
}
Suppose you save this code as gwaudit.c it should be compiled as follows:

gcc -D_GNU_SOURCE -shared -fPIC -O2 gwaudit.c -ogwaudit.so -ldl

This will create a shared library gwaudit.so. It should be copied to a suitable location (and if you have SELinux enabled to a location that SELinux allows). I am using /usr/lib/gwaudit/gwaudit.so

The library should be tested in a shell in which you execute:

LD_PRELOAD=/usr/lib/gwaudit/gwaudit.so
export LD_PRELOAD

and execute some commands. On Fedora Core the commands are written to /var/log/secure and are shown as:

Aug 31 23:49:12 hostname gwaudit[2704]: [500:2660] su -
Aug 31 23:49:12 hostname gwaudit[2705]: [500:2704] /sbin/unix_chkpwd root nullok
Aug 31 23:49:14 hostname gwaudit[2706]: [500:2704] /sbin/unix_chkpwd root nullok
Aug 31 23:49:14 hostname gwaudit[2707]: [500:2704] /sbin/unix_chkpwd root chkexpiry

If the shared library works the path should be added to /etc/ld.so.preload. Should you ever need to replace the library, make sure you uncomment the path in /etc/ld.so.preload before you do it, otherwise you need your rescue-CD.

Regards,
Gijsbert

Last edited by gwiesenekker; 09-01-2009 at 01:45 AM. Reason: Includes the user-id as well
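
An added example, not part of gwiesenekker's post: the wrapper above joins argv with single spaces, so an argument that contains a space reads like two arguments, and one that contains a newline splits the record across syslog lines. This C code quotes and escapes each argument with the same kind of bounds-checked append; `append_escaped` and `format_exec_record` are hypothetical names, and the sample argv is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Append arg to buf as ` "..."`; '"', '\\' and every byte outside printable
 * ASCII become \xHH. Returns 0, or -1 (string left as it was) if it won't fit. */
static int append_escaped(char *buf, size_t cap, size_t *len, const char *arg)
{
  const unsigned char *p = (const unsigned char *)arg;
  size_t pos = *len;
  if (pos + 2 >= cap) return -1;
  buf[pos++] = ' ';
  buf[pos++] = '"';
  for (; *p != '\0'; p++)
  {
    int esc = (*p == '"' || *p == '\\' || *p < 0x20 || *p >= 0x7f);
    if (pos + (esc ? 4 : 1) >= cap) goto fail;    /* keep room for the NUL */
    if (esc) pos += (size_t)snprintf(buf + pos, cap - pos, "\\x%02x", (unsigned)*p);
    else buf[pos++] = (char)*p;
  }
  if (pos + 1 >= cap) goto fail;                  /* closing quote + NUL */
  buf[pos++] = '"';
  buf[pos] = '\0';
  *len = pos;
  return 0;
fail:
  buf[*len] = '\0';                               /* drop the partial argument */
  return -1;
}

/* Write `[loginuid:ppid] "arg0" "arg1" ...` into out. Returns the number of
 * arguments recorded (fewer than passed means truncated), or -1 on error. */
int format_exec_record(char *out, size_t cap, int loginuid, int ppid,
                       char *const argv[])
{
  size_t len;
  int i, n = snprintf(out, cap, "[%d:%d]", loginuid, ppid);
  if (n < 0 || (size_t)n >= cap) return -1;
  len = (size_t)n;
  for (i = 0; argv != NULL && argv[i] != NULL; i++)
    if (append_escaped(out, cap, &len, argv[i]) != 0) break;
  return i;
}

int main(void)
{
  /* Constructed argv: one argument with a space, one with a newline. */
  char *const argv[] = { "rm", "a b", "x\n[0:1] su -", NULL };
  char rec[256];
  printf("%d args: %s\n", format_exec_record(rec, sizeof rec, 500, 2660, argv), rec);
}
```

The return value lets the caller log a truncation warning when fewer arguments were recorded than were passed, as the original loop does with its "COMMAND BUFFER TOO SMALL" message.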
 
Old 09-01-2009, 06:08 AM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Rep: Reputation: 3541
Quote:
Originally Posted by gwiesenekker View Post
Failing to find a suitable utility
In what way does 'rootsh' not work for you? Could you define "suitable"?
 
Old 09-01-2009, 06:12 AM   #23
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
There's a command called script, which records whatever is typed in the shell to a .script file. Do a man on script command.
 
Old 09-01-2009, 06:34 AM   #24
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Rep: Reputation: 3541
Quote:
Originally Posted by kdelover View Post
There's a command called script, which records whatever is typed in the shell to a .script file. Do a man on script command.
Apparently you haven't read anything in this thread or http://www.linuxquestions.org/questi...44#post3604944.
 
Old 09-01-2009, 06:55 AM   #25
kdelover
Member
 
Registered: Aug 2009
Posts: 311

Rep: Reputation: 36
^^^ Did I say anything wrong?
 
Old 09-01-2009, 08:34 AM   #26
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,353
Blog Entries: 55

Rep: Reputation: 3541
No, nothing wrong, it's just that it is an echo of what's been said before and given certain purposes just not as configurable, versatile or trustworthy as the other options given before.
 
  

