Re: process accounting
Date: 05/28/03

  • Next message: Andrew Griffiths: "Re: more on linux hardening"
    Date: Tue, 27 May 2003 18:50:06 -0400
    To: Reveret Julien <>

    On Tue, May 27, 2003 at 07:15:02PM +0200, Reveret Julien wrote:
    > > > What you can do is patch your system with grsec patches, or patch your
    > > > users' shell. There is a patch for bash which makes bash log everything
    > > > that is typed (I don't remember the url, search for bash+logging+patch).
    > >
    > >
    > > Why don't you use the good old process accounting feature?
    > Because this guy wants to log all the arguments of every command run by
    > users, process accounting doesn't.

    also, there are commands which bash will execute, but do not
    translate into a separate command (builtins). these include,
    but are not limited to: cd, dirs, for, while, alias, set,
    export, <variable-assignment>, <file-sourcing>, and so forth.

    an interesting approach would be to do something like:

            cat < /etc/passwd

    the user ran "cat" and that is logged, but the interesting
    part of the activity (namely the looking at the password
    file) is not logged.

    more, the following script:

            while read line
            do
                    echo $line
            done < /etc/passwd

    is all shell builtins, nothing will be logged as no execs
    occur, but i've read the password file nonetheless.

    Mark Smith
    mark at winksmith dot com
    mark at tux dot org
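
The blind spot described in the message above, as an added example that is not part of the original post: a wrapper placed first in PATH stands in for a logger that records every exec with its arguments. The wrapper, the sample file `secret.txt` and the `run_case` helper are constructed for this illustration.

```shell
#!/bin/sh
# Added demo (constructed): what an exec logger that records argv sees for
# the three ways of reading a file discussed in the message.

# run_case SNIPPET
# Runs SNIPPET in a child shell whose PATH starts with a logging wrapper for
# cat, then prints "read=<bytes the snippet output> log=[<exec log>]".
run_case() {
    work=$(mktemp -d) || return 1
    # Constructed sample file standing in for the file of interest.
    printf 'alice:x:1000\nbob:x:1001\n' > "$work/secret.txt"
    real_cat=$(command -v cat)
    # Hypothetical logger: records the command name and argv, then runs the
    # real binary. Only commands that are actually exec'd pass through it.
    printf '#!/bin/sh\necho exec: cat "$@" >> "%s"\nexec "%s" "$@"\n' \
        "$work/exec.log" "$real_cat" > "$work/cat"
    chmod +x "$work/cat"
    : > "$work/exec.log"
    ( cd "$work" && PATH="$work:$PATH" sh -c "$1" ) > "$work/out"
    bytes=$(( $(wc -c < "$work/out") ))
    echo "read=$bytes log=[$(cat "$work/exec.log")]"
    rm -rf "$work"
}

run_case 'cat secret.txt'
run_case 'cat < secret.txt'
run_case 'while read line; do echo "$line"; done < secret.txt'
```

All three cases return the same file contents, while the exec log shrinks from the full command line to a bare `cat` to nothing at all. Coverage for this therefore has to come from auditing access to the file itself, not from logging command execution.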
