LinuxQuestions.org
Old 08-23-2011, 04:23 AM   #1
Paul.Preston
LQ Newbie
 
Registered: Aug 2011
Location: London, UK
Distribution: Red Hat, CentOS
Posts: 6

Rep: Reputation: Disabled
RHEL 6.1: bash logging to rsyslogd


Hello,

Over the last few days I have tried to find an effective solution for logging everything that is being typed under bash.

I have seen simple solutions where a trap is added to the /etc/profile file. However, it's not perfect for a few reasons:
- it can be easily changed/disabled by the user
- the last command is not logged
- there are some small glitches, like when you hit enter it will log the last command, and when you log in the log file is filled with over 10 lines of empty commands.


Auditing has been an important subject for many years... I would expect an operating system which has "Enterprise" in its name to have some solution for this issue. I have tried researching the available options for RHEL 6, but I couldn't find anything reasonable.

I would like to get some opinions on the subject. Perhaps there is a "redhat" way of implementing this functionality? If not, perhaps you can share your view on how it can be done?

Best Regards,
 
Old 08-23-2011, 05:39 AM   #2
kostya
Member
 
Registered: Mar 2010
Location: Moscow, Russia
Distribution: Ubuntu Studio, antix(mepis), Fedora, FreeBSD
Posts: 172
Blog Entries: 5

Rep: Reputation: 17
There is a history file for bash so that you can recall the "n" last commands issued through bash by a given user.
"n" is configured through .bashrc, I think. In bash you type `history` and it will give you the numbered list of past commands.

Don't know anything more about it, sorry.
 
Old 08-23-2011, 05:53 AM   #3
Paul.Preston
LQ Newbie
 
Registered: Aug 2011
Location: London, UK
Distribution: Red Hat, CentOS
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by kostya
There is a history file for bash so that you can recall the "n" last commands issued through bash by a given user.
"n" is configured through .bashrc, I think. In bash you type `history` and it will give you the numbered list of past commands.

Don't know anything more about it, sorry.

This is a reactive solution, plus it doesn't actually feed data to rsyslogd.

I'm looking for something more proactive. Effectively I'm looking for a way to pipe commands entered in bash to logger.

It has to be enforced on all users and it has to use rsyslogd

Kind Regards,
 
Old 08-23-2011, 08:25 AM   #4
kostya
Member
 
Registered: Mar 2010
Location: Moscow, Russia
Distribution: Ubuntu Studio, antix(mepis), Fedora, FreeBSD
Posts: 172
Blog Entries: 5

Rep: Reputation: 17
OK. Perhaps create a script which will run as /bin/bash and which would do just that thing: use the real bash to process the stdin, only copying the input to syslog. Perhaps a named pipe or FIFO can be used somehow, or I don't know what.

Rename /bin/bash to whatever you want and in bash scripts use #!/new/bash. Then call your script /bin/bash and enforce it upon users to use it for their shell instead of the real bash binary.

You'll have 2 steps to accomplish then:
1. Write the script in question.
2. Enforce it upon users to use it and not the real bash.
 
Old 08-23-2011, 09:14 AM   #5
kostya
Member
 
Registered: Mar 2010
Location: Moscow, Russia
Distribution: Ubuntu Studio, antix(mepis), Fedora, FreeBSD
Posts: 172
Blog Entries: 5

Rep: Reputation: 17
Deleted

Last edited by kostya; 08-23-2011 at 09:17 AM.
 
Old 08-29-2011, 09:29 PM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
This is worth a try http://linux.die.net/man/1/rootsh, see also http://linux.die.net/man/1/script.
A normal user should not be able to edit /etc/profile...
 
Old 08-30-2011, 05:16 AM   #7
kostya
Member
 
Registered: Mar 2010
Location: Moscow, Russia
Distribution: Ubuntu Studio, antix(mepis), Fedora, FreeBSD
Posts: 172
Blog Entries: 5

Rep: Reputation: 17
Well, in the bash manual there are various invocation options which can alter the desired behavior defined in config files, such as --rcfile, --norc, --noprofile.

Then it says the following:
Quote:
If the shell is started with the effective user (group) id not equal to
the real user (group) id, and the -p option is not supplied, no startup
files are read, shell functions are not inherited from the environment,
the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they
appear in the environment, are ignored, and the effective user id is
set to the real user id. If the -p option is supplied at invocation,
the startup behavior is the same, but the effective user id is not
reset.
I wonder if there are ways to disable the very possibility for users to run bash with these options, which can disable the limitations you want to set up on your system.
 
Old 08-30-2011, 05:21 AM   #8
kostya
Member
 
Registered: Mar 2010
Location: Moscow, Russia
Distribution: Ubuntu Studio, antix(mepis), Fedora, FreeBSD
Posts: 172
Blog Entries: 5

Rep: Reputation: 17
After all, a user can compile and install his own version of bash in his home directory and that one will be free from following any policies invoked through /etc/profile but will read $HOME/etc/profile instead, for example.
Are you planning to forbid users to compile and install their own stuff?
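
A defender-side check for the two bypasses raised in the posts above (bash started with --norc, --noprofile or --rcfile, and a privately built bash outside /bin), as an added example that is not part of the thread. The input format, the `flag_bash_bypass` and `sample_processes` names and the sample lines are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: flag bash processes that sidestep /etc/profile-based logging.
# Input format is an assumption: "user exe argv0 [args...]", one process per
# line, where exe is the resolved binary path (e.g. read from /proc/PID/exe).

TRUSTED_BASH=/bin/bash   # the only shell binary allowed by policy

flag_bash_bypass() (
    set -f                                   # no globbing while splitting args
    while read -r user exe argv0 args; do
        case "${exe##*/}" in
            bash) ;;                         # only bash processes matter here
            *) continue ;;
        esac
        reasons=""
        # A privately built or copied bash, e.g. one living under $HOME
        if [ "$exe" != "$TRUSTED_BASH" ]; then reasons="untrusted-binary"; fi
        skip=0
        for a in $args; do
            if [ "$skip" -eq 1 ]; then skip=0; continue; fi
            case "$a" in
                --norc|--noprofile)          # startup files are skipped
                    reasons="${reasons:+$reasons,}${a#--}" ;;
                --rcfile)                    # startup file replaced; skip its argument
                    reasons="${reasons:+$reasons,}rcfile"; skip=1 ;;
                -*) ;;                       # any other option
                *) break ;;                  # script name or -c string: stop scanning
            esac
        done
        if [ -n "$reasons" ]; then
            printf '%s %s %s\n' "$user" "$exe" "$reasons"
        fi
    done
)

# Constructed sample data, not taken from a real system.
sample_processes() {
    cat <<'EOF'
alice /bin/bash -bash
bob /bin/bash bash --norc --noprofile
carol /home/carol/bin/bash bash
dave /bin/bash bash --rcfile /tmp/rc -i
erin /usr/sbin/sshd sshd: erin@pts/2
frank /bin/bash bash -c echo --norc
EOF
}

sample_processes | flag_bash_bypass
```

Scanning stops at the first non-option word, so a `--norc` that appears inside a `-c` command string is not reported.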
 
Old 08-31-2011, 02:47 PM   #9
Paul.Preston
LQ Newbie
 
Registered: Aug 2011
Location: London, UK
Distribution: Red Hat, CentOS
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by kostya
After all, a user can compile and install his own version of bash in his home directory and that one will be free from following any policies invoked through /etc/profile but will read $HOME/etc/profile instead, for example.
Are you planning to forbid users to compile and install their own stuff?

I think we are going too far with this... I simply want to force all the input to logger (what I'm going to do with it once it's with rsyslogd is not in scope).

I have seen a number of solutions which are easy to trick. I'm looking for something that will leave no choice for the user...

Please keep in mind that other shells are blocked, so they are not in scope - the only one that I'm interested in and that is allowed is bash.


Kind Regards,
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration