LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Red Hat (https://www.linuxquestions.org/questions/red-hat-31/)
-   -   RHEL 6.1: bash logging to rsyslogd (https://www.linuxquestions.org/questions/red-hat-31/rhel-6-1-bash-logging-to-rsyslogd-898904/)

Paul.Preston 08-23-2011 03:23 AM

RHEL 6.1: bash logging to rsyslogd
 
Hello,

Over the last few days I have tried to find an effective solution for logging everything that is being typed under bash.

I have seen simple solutions where a trap is added to a /etc/profile file. However, it's not perfect for a few reasons:
- it can be easily changed/disabled by user
- last command is not logged
- there are some small glitches, like when you hit enter it will log the last command, and when you log in the log file is filled with over 10 lines of empty commands.


Auditing has been an important subject for many years... I would expect an operating system which has "Enterprise" in its name to have some solution for this issue. I have tried researching available options for RHEL 6, but I couldn't find anything reasonable.

I would like to get some opinions on the subject. Perhaps there is a "redhat" way of implementing this functionality? If not, perhaps you can share your view on how it can be done?

Best Regards,

kostya 08-23-2011 04:39 AM

There is a history file for bash so that you can recall the "n" last commands issued through bash by a given user.
"n" is configured through .bashrc, I think. In bash you type `history` and it will give you the numbered list of past commands.

Don't know anything more about it, sorry.

Paul.Preston 08-23-2011 04:53 AM

Quote:

Originally Posted by kostya (Post 4450938)
There is a history file for bash so that you can recall the "n" last commands issued through bash by a given user.
"n" is configured through .bashrc, I think. In bash you type `history` and it will give you the numbered list of past commands.

Don't know anything more about it, sorry.

This is a reactive solution, plus it doesn't actually feed data to rsyslogd.

I'm looking for something more proactive. Effectively I'm looking for a way to pipe commands entered in bash to logger.

It has to be enforced on all users and it has to use rsyslogd.

Kind Regards,

kostya 08-23-2011 07:25 AM

OK. Perhaps create a script which will run as /bin/bash and which would do just that thing: use the real bash to process the stdin, only copying the input to syslog. Perhaps a named pipe or fifo can be used somehow, or I don't know what.

Rename /bin/bash to whatever you want and in bash scripts use #!/new/bash. Then call your script /bin/bash and enforce it upon users to use it for their shell instead of the real bash binary.

You'll have 2 steps to accomplish then:
1. Write the script in question.
2. Enforce it upon users to use it and not the real bash.

kostya 08-23-2011 08:14 AM

Deleted :)

chrism01 08-29-2011 08:29 PM

This is worth a try http://linux.die.net/man/1/rootsh, see also http://linux.die.net/man/1/script.
A normal user should not be able to edit /etc/profile...

kostya 08-30-2011 04:16 AM

Well, in the bash manual there are various invocation options which can alter the desired behavior defined in config files, such as --rcfile, --norc, --noprofile.

Then it says the following:
Quote:

If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, no startup files are read, shell functions are not inherited from the environment, the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored, and the effective user id is set to the real user id. If the -p option is supplied at invocation, the startup behavior is the same, but the effective user id is not reset.

I wonder if there are ways to disable the very possibility for users to run bash with these options that can disable the limitations you want to set up to your system.
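The two points made so far in this thread, the "trap in /etc/profile" style of logging from the first post and the startup-file bypass kostya raises, can be reproduced side by side. The script below is an added example and is not code from the thread or from Red Hat. It assumes bash is installed; a plain file under a temp directory stands in for `logger`/rsyslogd so that it runs offline, and `--rcfile` stands in for the startup file being read at login (for a login shell the matching bypass option is `--noprofile`). The function names `__log_cmd`, `run_shell` and `logged_count` are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. It reproduces the "trap in
# /etc/profile" style of bash command logging described in the first post,
# then the bypass kostya points out: bash invocation options such as --norc
# skip the startup files, so the trap is never installed.
# Assumptions (constructed): bash is installed; a plain file stands in for
# `logger`/rsyslogd so everything runs offline in a temp directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOGFILE="$WORK/bash-commands.log"
RCFILE="$WORK/profile-snippet.rc"

# Stand-in for the snippet an admin would append to /etc/profile. The DEBUG
# trap runs before every simple command and BASH_COMMAND holds its text.
# In a real deployment the printf would be `logger -t bash -p local1.notice -- ...`
# so that rsyslogd receives the line. Functions do not inherit the DEBUG trap,
# so __log_cmd does not log its own commands.
cat >"$RCFILE" <<'EOF'
__log_cmd() {
    printf '%s user=%s pid=%s cmd=%s\n' "$(date +%FT%T)" "$(id -un)" "$$" "$1" >>"$BASHLOG"
}
trap '__log_cmd "$BASH_COMMAND"' DEBUG
EOF

# run_shell "BASH_STARTUP_OPTIONS" "COMMANDS": start an interactive bash with
# the given startup-file options, feed it COMMANDS on stdin, and print the
# lines that reached the stand-in syslog file. Long options are placed before
# -i because bash only recognises them ahead of single-character options.
run_shell() {
    : >"$LOGFILE"
    printf '%s\n' "$2" | BASHLOG="$LOGFILE" bash $1 -i >/dev/null 2>&1 || true
    cat "$LOGFILE"
}

# logged_count "BASH_STARTUP_OPTIONS" "COMMANDS": how many commands were logged.
logged_count() {
    run_shell "$1" "$2" | grep -c 'cmd=' || true
}

# 1. Startup file loaded: every command the user types is logged.
echo "--- with the logging snippet as startup file ---"
run_shell "--rcfile $RCFILE" 'echo one
pwd'

# 2. The same user starts bash with --norc (or --noprofile for a login shell,
#    or a privately compiled bash): the trap is never set and the log stays empty.
echo "--- same commands, bash started with --norc ---"
run_shell "--norc" 'echo one
pwd'
echo "commands logged with --norc: $(logged_count --norc 'echo one')"
```

Run it with `sh`: the first section prints one `cmd=` line per command, the second prints nothing and a count of 0. That is the gap the thread is circling around: any mechanism that lives in a startup file depends on the user's bash actually reading that file, which the user controls through invocation options, so on the defensive side the logged stream is useful for review but cannot be treated as complete.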

kostya 08-30-2011 04:21 AM

After all, a user can compile and install his own version of bash in his home directory, and that one will be free from following any policies invoked through /etc/profile but will read $HOME/etc/profile instead, for example.
Are you planning to forbid users to compile and install their own stuff?

Paul.Preston 08-31-2011 01:47 PM

Quote:

Originally Posted by kostya (Post 4456875)
After all, a user can compile and install his own version of bash in his home directory, and that one will be free from following any policies invoked through /etc/profile but will read $HOME/etc/profile instead, for example.
Are you planning to forbid users to compile and install their own stuff?

I think we are going too far with this... I simply want to force all the input to logger (what I'm going to do with it once it's with rsyslogd is not in scope).

I have seen a number of solutions which are easy to trick. I'm looking for something that will leave no choice for the user...

Please keep in mind that other shells are blocked, so they are not in scope - the only one that I'm interested in and that is allowed is bash.


Kind Regards,

