LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-11-2009, 02:03 PM   #1
ZiGz
LQ Newbie
 
Registered: Feb 2007
Posts: 5

Rep: Reputation: 0
Command logging ideas needed! ssh user@host "echo logme"


Hey guys,

I just wanted to ask if anyone here knows a way to log commands ran by users via ssh (ie: no bash shell).

I've got /etc/profile set up to use logger and logname to log whatever a user types in their bash shell to syslog-ng. This does not work to log what I and other sysadmins do in ssh loops (which I do often to do work on multiple servers). A very simple example of something we might do is:

for i in server1 server2 server3 ; do ssh user@$i "uname -a" ; done

I would like to log that 'user' ran 'uname -a'! I've experimented with a package called snoopy, which records all exec() calls made by users and it does indeed catch 'uname -a', but it spams the logs with a bunch of other system call info which I do not want. I've got syslog-ng and can set up whatever filters to catch stuff...i just need the commands to show up SOMEWHERE so that when something screws up we can audit and backtrack.

I was just wondering if anyone here has dealt with this problem before and if they had come up with anything?
 
Old 03-11-2009, 04:13 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 273Reputation: 273Reputation: 273
I blundered across this but haven't tried it out yet...
 
Old 03-11-2009, 06:30 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
The link explains using 'script'. I'd suggest using 'Rootsh' instead. Try both, you'll see why.
 
Old 04-01-2009, 08:11 PM   #4
ZiGz
LQ Newbie
 
Registered: Feb 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Unfortunately, both of those monitor shell sessions. SSHd seems to be making exec() calls without invoking a proper shell. If i or any other admin wanted to, say, install snmpd on 15 boxes i'm not going to log into each one, im going to do for i in `cat serverlist` ; do ssh $i "sudo yum install snmpd -y" ; done.

It looks like I'm going to have to look at process accounting. Should probably do this anyways to keep track of config management daemons.

Anyways figured I'd ask. I've used psacct packages and they kind of suck. If anyone knows of something that could keep track of sshd feel free to post! Snoopy does it but it's kinda hokey, not sure how well it would stand up in a production environment.

Thanks
 
Old 04-02-2009, 02:14 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
There's other ways to log syscalls. In kernel 2.4 you had Syscalltrace and GRSecurity verbose logging. In kernel 2.6 GRSecurity should still be usable in terms of logging syscalls, else the Audit package should be able to. Whichever option you chose, it would need to be set up properly before use though the level of invasiveness depends on the distributions and kernels in use.
 
Old 04-04-2009, 01:48 AM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,847

Rep: Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584
Maybe I don't understand you, but what's wrong with using sudo?
From the sudo manpage:
Quote:
sudo can log both successful and unsuccessful attempts (as well as
errors) to syslog(3), a log file, or both. By default sudo will log
via syslog(3) but this is changeable at configure time or via the sudo-
ers file.
 
Old 04-15-2009, 02:08 AM   #7
ZiGz
LQ Newbie
 
Registered: Feb 2007
Posts: 5

Original Poster
Rep: Reputation: 0
Cool thanks for the info unSpawn. I will likely report back here once I finally get the chance to work on this. After a quick search, it looks like the latest 2.6.x series linux kernels have some pretty good accounting updates.

chrism01, sudo does indeed log even if you're calling a command from ssh without invoking a shell:
zigz$ ssh user@host1 "sudo this gets ran and logged on host1"

but nothing gets logged in this scenario:
zigz$ ssh user@host1 "this gets ran on host1 but does not get logged"

Sysadmins are not going to use sudo when they don't need to, and unprivileged users can't use sudo. Also if root ssh logins are enabled sudo is never needed.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh not logging to lastlog when using "send command" function jockem Linux - Security 3 12-22-2008 02:12 AM
How to suppress "\M" when using echo command oskeewow Linux - Newbie 3 04-14-2008 01:05 AM
BASH: How to NOT echo to screen with "if echo $x | grep ".*"; then" eur0dad Programming 9 07-27-2006 02:14 PM
gmplayer message at start-"echo 1024 > /proc/sys/dev/rtc/max-user-freq" Mutation_1101 Slackware 7 01-11-2006 07:46 PM
Apache Related: "http://host/~user" instead of "http://host/~user/" ? scrawl Linux - Software 2 05-19-2003 12:02 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:02 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration