Re: root group in solaris

Tonnerre Lombard <tonnerre.lombard@xxxxxxxxxx> wrote:
> On Thu, 2006-09-21 at 11:59 -0700, Keith Bucher wrote:
> > One option that I've used to log these commands is sudosh.
> > It acts as a login shell, but logs all commands/keystrokes and allows easy
> > playback/review of them for auditing.
>
> What if one of the commands is /bin/ksh? Or if the person in question
> runs sudo /bin/ksh?

Download the source (v1.6.3 is available from SourceForge). Try it. The
source code needs at least one code change to compile with GCC v4.x on
Solaris 8 - add #include <string.h> (but it needs to be wrapped in #ifdef
HAVE_STRING_H and #endif since the autoconfigure process looks for it).

You will find that it actually runs the shell in an environment with pty
(pseudo-tty) input and output, and it logs the input and output. So, this
includes all the sub-processes, of course. In other words, it does do as
advertised and keylogs the activities of the super-user (if it is a
super-user who runs it). There's also a mechanism to replay what happened
- sudosh-replay - which can do the job at the same speed as the user typed
it, or faster if you set the command line options. This allows you to see
what the logged user saw.

Clearly, a cognizant root user could find the log files and remove them; I
don't think there is much you can do about that, unless you hacked sudosh
to log over a network connection to an unsubvertible machine.

There's supposed to be a version 2 product renamed EAS (Enterprise Audit
Shell) available at but it requires
registration somewhere to get at the material so I haven't looked at it.
See the SourceForge page for more information.

Jonathan Leffler (jleffler@xxxxxxxxxx)
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"
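
The behaviour described in the reply above (the shell runs on a pseudo-tty, so sub-processes are recorded too), as an added example that is not part of the original message and is not sudosh source code. It uses Python's standard pty module and records what is written to the terminal; the function name record_session and the sample command are assumptions made for illustration.

```python
# Added example (not sudosh source): record a shell session through a pty.
import os
import pty
import subprocess


def record_session(command: str) -> bytes:
    """Run `command` under /bin/sh on a new pty and return everything that
    was written to that terminal, including output of nested shells."""
    master, slave = pty.openpty()
    # start_new_session=True calls setsid() in the child. The recorder,
    # not the logged user, holds the master side of the pty.
    proc = subprocess.Popen(
        ["/bin/sh", "-c", command],
        stdin=slave, stdout=slave, stderr=slave,
        start_new_session=True, close_fds=True,
    )
    os.close(slave)  # the recorder must drop the slave or read() never ends
    transcript = bytearray()
    while True:
        try:
            chunk = os.read(master, 4096)
        except OSError:      # Linux reports EIO once the last slave fd closes
            break
        if not chunk:        # other systems report plain EOF instead
            break
        transcript += chunk
    os.close(master)
    proc.wait()
    return bytes(transcript)


if __name__ == "__main__":
    # Constructed session: the outer shell starts a second shell, which is
    # the case raised in the thread (a user running another shell inside).
    log = record_session("echo outer; /bin/sh -c 'echo inner; id -un'")
    print(log.decode(errors="replace"))
```

The nested shell inherits the same pty slave as its parent, which is why its output lands in the transcript without any per-command hooking.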
