Bash logging patches

Posted 06-12-2012 at 12:25 PM by unSpawn

Over the years we've seen quite a few "I want to log everything" questions asked, for which I listed some pointers a while ago in several posts. To complement a recent "I want to capture all the operations performed in the terminal" question (thread: How to Capture a Unix Terminal Session?) I looked for Bash patches. Long story short: Bash 4 can be compiled with syslog support, but that shell will still run as the user who logs in AFAIK. (So depending on your requirements for coverage and the invasiveness of the available solutions, a multi-layered approach may be a better strategy.)

Patch availability:
- Bash 2 patch logs time, terminal, hostname and commands of all users into a single file: http://www.evio.dk/bashlog (set the append-only attribute on that file and have rsyslog read it into (remote) syslog?),
- Bash 2 patch by Antonomasia (archive.org copy): http://web.archive.org/web/200912120...ols/bash.patch (used at the time in the Honeypot project IIRC),
- Bash 3 patch (see http://mywiki.wooledge.org/BashFAQ/077): http://wooledge.org/~greg/bash_logging.txt
- another Bash 3 patch: http://sock-raw.org/papers/bash_history
- Bash 4 is able to log the history to syslog: http://wiki.bash-hackers.org/bash4#misc (http://www.mail-archive.com/info-gnu.../msg00870.html, http://www.mail-archive.com/info-gnu.../msg00870.html)
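
As an added example (not code from this post or from the Bash project), a small parser for the records a syslog-enabled Bash 4 writes, grouping them per shell session and pulling out the UID 0 ones for review. The "HISTORY: PID=... UID=..." record format is assumed here from bash's bashhist.c, and the sample syslog lines are constructed.

```python
import re
from collections import defaultdict

# Record format Bash 4 uses when built with syslog history support (assumed here,
# taken from bash's bashhist.c): "HISTORY: PID=<pid> UID=<uid> <command line>".
# Command lines longer than SYSLOG_MAXLEN are written as "HISTORY (TRUNCATED): ...".
HISTORY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<tag>[^:]+): "
    r"HISTORY(?P<trunc> \(TRUNCATED\))?: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$"
)

# Constructed sample syslog lines (not real captures); the sshd line shows that
# unrelated records are skipped.
SAMPLE_LOG = """\
Jun 12 12:25:01 host1 bash: HISTORY: PID=4711 UID=1000 ls -la /var/log
Jun 12 12:25:07 host1 sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Jun 12 12:25:09 host1 bash: HISTORY: PID=4711 UID=1000 sudo tail -n 5 /var/log/secure
Jun 12 12:25:30 host1 bash: HISTORY: PID=4802 UID=0 vi /etc/ssh/sshd_config
Jun 12 12:26:02 host1 bash: HISTORY (TRUNCATED): PID=4802 UID=0 echo aaaaaaaaaaaaaaaa
"""

def parse_history(text):
    """Return one dict per Bash HISTORY record; other syslog lines are ignored."""
    records = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]),
                            "uid": int(m["uid"]), "cmd": m["cmd"],
                            "truncated": m["trunc"] is not None})
    return records

def sessions_by_pid(records):
    """Group command lines per (host, pid, uid) so one shell session reads as a unit."""
    sessions = defaultdict(list)
    for r in records:
        sessions[(r["host"], r["pid"], r["uid"])].append(r["cmd"])
    return dict(sessions)

def root_commands(records):
    """Command lines logged by shells running as UID 0, the first ones to review."""
    return [r["cmd"] for r in records if r["uid"] == 0]

if __name__ == "__main__":
    for key, cmds in sessions_by_pid(parse_history(SAMPLE_LOG)).items():
        print(key, cmds)
```

Because the records carry the PID of the logging shell, a session whose records stop while the login is still open is itself worth a look, which is the "runs as the user" caveat above in practice.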

Other reading material (do sort good implementations from bad ones):
http://blog.rootshell.be/2009/02/28/...ory-to-syslog/ (and http://jablonskis.org/2011/howto-log...ory-to-syslog/)
http://www.packetfu.org/hpl.html
http://administratosphere.wordpress....shell-command/
http://www.linuxquestions.org/questi...9/#post3604944

Also see:
Audit: http://people.redhat.com/sgrubb/audit/ (also see http://www.redhat.com/archives/linux.../msg00014.html for Steve Grubb's Bash patch and pages like http://www.cyberciti.biz/tips/linux-...to-a-file.html and https://www.wzdftpd.net/docs/selinux/audit.html for audit examples)
Rootsh logs all echoed keystrokes and terminal output to a file and/or to syslog: http://sourceforge.net/projects/rootsh/
lastcomm: http://www.cyberciti.biz/tips/howto-...ccounting.html
Snoopy Logger logs commands to syslog, with uid and sid and tty path: http://sourceforge.net/projects/snoopylogger/
FUSE loggedFS: http://loggedfs.sourceforge.net/ (example: http://www.linuxquestions.org/questi...scalls-813645/)
PAM selective logging per TTY: /usr/share/doc/pam-*/txts/README.pam_tty_audit
An LQ member's own logging solution: http://www.linuxquestions.org/questi...3/#post3664545

*Do* ask:
If after reading the above you have questions about how and what to log please post your thread in the LQ Linux - Security forum.