Re: process accounting

mark.securityfocus_at_winksmith.com
Date: 05/28/03

    Date: Tue, 27 May 2003 18:50:06 -0400
    To: Reveret Julien <shaddai@nerim.net>
    
    

    On Tue, May 27, 2003 at 07:15:02PM +0200, Reveret Julien wrote:
    > > > What you can do is patch your system with grsec patches, or patch your
    > > > users' shell. There is a patch for bash which makes bash log everything
    > > > that is typed (I don't remember the url, search for bash+logging+patch).
    > >
    > >
    > > Why don't you use the good old process accounting feature?
    >
    > Because this guy wants to log all the arguments of every command run by
    > users, process accounting doesn't.

    also, there are commands which bash will execute, but do not
    translate into a separate command (builtins). these include,
    but are not limited to: cd, dirs, for, while, alias, set,
    export, <variable-assignment>, <file-sourcing>, and so forth.

    an interesting approach would be to do something like:

            cat < /etc/passwd

    the user ran "cat" and that is logged, but the interesting
    part of the activity (namely the looking at the password
    file) is not logged.

    more, the following script:

            while read line
            do
                    echo $line
            done < /etc/passwd

    is all shell builtins, nothing will be logged as no execs
    occur, but i've read the password file nonetheless.

    -- 
    Mark Smith
    mark at winksmith dot com
    mark at tux dot org
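
The coverage gap described in this message, as an added example that is not part of the original post: a POSIX sh sketch that reports what an exec-only log would hold for a simple command line and which files the shell itself opens for input redirection. The function names (exec_or_shell, acct_record, redirect_inputs) and the sample lines are constructed for illustration, and the word splitting is a heuristic, not a shell parser.

```shell
#!/bin/sh
# Added example: what an exec-only log (process accounting) can see for a
# simple command line. Heuristic word splitting; not a full shell parser.

# "exec" if the word resolves to a program on disk (the shell must exec it),
# "shell" if it is a builtin, keyword, alias, function or assignment.
exec_or_shell() {
    case $1 in *=*) echo shell; return ;; esac      # variable assignment
    resolved=$(command -v "$1" 2>/dev/null) || { echo unknown; return; }
    case $resolved in
        /*) echo exec ;;
        *)  echo shell ;;
    esac
}

# The record an exec-only log would hold: the command name alone (no
# arguments, no redirect targets), or "-" when nothing is exec'd.
acct_record() {
    set -f; set -- $1; set +f       # split the sample line without globbing
    if [ "$(exec_or_shell "$1")" = exec ]; then
        basename "$(command -v "$1")"
    else
        echo "-"
    fi
}

# Files the shell itself opens for "< file"; absent from an exec-only log.
redirect_inputs() {
    set -f; set -- $1; set +f
    while [ $# -gt 0 ]; do
        case $1 in
            '<<'*|'<&'*) ;;                         # here-doc / fd dup: skip
            '<')   if [ $# -ge 2 ]; then echo "$2"; shift; fi ;;
            '<'?*) echo "${1#<}" ;;
        esac
        shift
    done
}

# Constructed samples: the two command lines from the post, plus a builtin.
for line in 'cat < /etc/passwd' \
            'while read line; do echo $line; done < /etc/passwd' \
            'cd /tmp'; do
    printf '%-52s exec-log=%-4s shell-opened=%s\n' "$line" \
        "$(acct_record "$line")" "$(redirect_inputs "$line" | tr '\n' ' ')"
done
```

Any line where the shell-opened column is non-empty touches a file that an exec-only record does not show, which is why monitoring sensitive files needs file-access auditing in addition to command logging.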
    
