10

I'm running a debian etch server where users will be logging into (hopefully) a chroot jail through ssh. How can I have the commands they execute logged in a way they cannot delete, nor prevent?

Malfist
  • see this question http://serverfault.com/questions/8851/live-view-of-linux-shell-commands-executed-by-another-user – hayalci Jul 13 '09 at 20:04

6 Answers

11

Install snoopy. If you only want to log the one user, do some syslog filtering fu.

Cian
4

I wrote a method to log all 'bash' commands/builtins into a text file or a 'syslog' server without using a patch or a special executable tool.

It is very easy to deploy, as it is a simple shell script that needs to be called once at the initialization of the 'bash' (just 'source' it from .bashrc, for example). It is based on the idea of using bash DEBUG traps. See also this post on superuser.com

declare -rx HISTCONTROL=""                                  #does not ignore spaces or duplicates
declare -rx HISTIGNORE=""                                   #does not ignore patterns
declare -rx AUDIT_LOGINUSER="$(who -mu | awk '{print $1}')" #user who originally logged in (before any su/sudo)
declare -rx AUDIT_LOGINPID="$(who -mu | awk '{print $6}')"
declare -rx AUDIT_USER="$USER"                              #defined by pam during su/sudo
declare -rx AUDIT_PID="$$"
declare -rx AUDIT_TTY="$(who -mu | awk '{print $2}')"
declare -rx AUDIT_SSH="$([ -n "$SSH_CONNECTION" ] && echo "$SSH_CONNECTION" | awk '{print $1":"$2"->"$3":"$4}')"
declare -rx AUDIT_STR="[audit $AUDIT_LOGINUSER/$AUDIT_LOGINPID as $AUDIT_USER/$AUDIT_PID on $AUDIT_TTY/$AUDIT_SSH]"
set +o functrace                                            #disable trap DEBUG inherited in functions, command substitutions or subshells, normally the default setting already
shopt -s extglob                                            #enable extended pattern matching operators
function audit_DEBUG() {
  if [ "$BASH_COMMAND" != "$PROMPT_COMMAND" ]               #avoid logging unexecuted commands after 'ctrl-c' or 'empty+enter'
  then
    local AUDIT_CMD="$(history 1)"                          #current history command, e.g. "  42  ls -l"
    #the extglob pattern below strips the leading history number and whitespace before the line is sent to syslog
    if ! logger -p user.info -t "$AUDIT_STR $PWD" "${AUDIT_CMD##*( )?(+([0-9])[^0-9])*( )}"
    then
      echo error "$AUDIT_STR $PWD" "${AUDIT_CMD##*( )?(+([0-9])[^0-9])*( )}"
    fi
  fi
}
function audit_EXIT() {
  local AUDIT_STATUS="$?"
  logger -p user.info -t "$AUDIT_STR" "#=== bash session ended. ==="
  exit "$AUDIT_STATUS"
}
declare -fr +t audit_DEBUG                                  #readonly functions: the user cannot redefine or unset them
declare -fr +t audit_EXIT
logger -p user.info -t "$AUDIT_STR" "#=== New bash session started. ===" #audit the session opening
#when a bash command is executed it launches first the audit_DEBUG(),
#then the trap DEBUG is disabled to avoid a useless rerun of audit_DEBUG() during the execution of pipes-commands;
#at the end, when the prompt is displayed, re-enable the trap DEBUG
declare -rx PROMPT_COMMAND="trap 'audit_DEBUG; trap DEBUG' DEBUG"
declare -rx BASH_COMMAND                                    #current command executed by user or a trap
declare -rx SHELLOPTS                                       #shell options, like functrace (exported so child shells inherit them; the variable is already readonly in bash)
trap audit_EXIT EXIT

See the method explained in detail here: http://blog.pointsoftware.ch/index.php/howto-bash-audit-command-logger

Cheers, Francois Scheurer

  • Hi Francois! Thanks a lot for sharing your code with us. I tried to send every command to a UDP port by nc, adding this last line to /etc/bashrc: – George Y Dec 19 '20 at 08:12
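Added example, not part of Francois's script or the original answers: a POSIX shell wrapper that runs a bash child with a minimal version of the same DEBUG-trap logger, marks the logging function readonly as the script above does, attempts to unset it from inside the session, and returns the audit log. It assumes bash and mktemp are available and writes to a temp file instead of syslog; the PROMPT_COMMAND re-arming from the original only applies to interactive shells and is not shown here.

```shell
#!/bin/sh
# demo_audit_trap: run a constructed bash session under a DEBUG-trap logger
# and print the resulting audit log on stdout (one logged command per line).
demo_audit_trap() {
  log=$(mktemp) || return 1
  script=$(mktemp) || return 1
  # Constructed sample session. Everything the user "types" is logged by
  # audit_DEBUG before it runs, including the attempt to remove the logger.
  cat > "$script" <<'EOF'
exec 3>>"$AUDIT_LOG"                       # log file opened before the trap exists
audit_DEBUG() { printf '%s\n' "$BASH_COMMAND" >&3; }   # BASH_COMMAND = command about to run
declare -fr audit_DEBUG                    # readonly: cannot be redefined or unset
trap audit_DEBUG DEBUG                     # fire audit_DEBUG before every simple command
cd /
true first
unset -f audit_DEBUG                       # fails: "cannot unset: readonly function"
true second                                # still logged, the trap survived
EOF
  AUDIT_LOG="$log" bash "$script"
  cat "$log"
  rm -f "$log" "$script"
}
```

Running `demo_audit_trap` prints the four commands from the session, the failed `unset` included, while bash's readonly-function error goes to stderr.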
2

You may try ttyrpld. It's more than you want because it will log the whole tty.
I haven't used it myself, but the way it works (in kernel) means that the user can't alter the logs.

radius
  • Cool, I'll check it out. If it plays nice with everything it'll be what I need. I can change its log files to append-only just to make sure – Malfist Jul 13 '09 at 17:55
  • Cian's answer using snoopy seems to be more like what you are looking for. – radius Jul 13 '09 at 18:11
0

Use a grsecurity patched kernel. There is a kernel option exactly for this purpose.

cstamas
-1

You could enable system auditing.

Geoff Fritz
  • And how does one do that? – Amandasaurus Jan 22 '10 at 15:11
  • Start with the man pages for auditd and go from there. It might not be part of the base Debian install, but the audit facility is a Linux kernel component, so the userland tools can be installed and used on any distribution. – Geoff Fritz Jan 22 '10 at 18:24
-3

bash keeps a command history of a specified size. You, the admin, can set that size and easily write a script which goes and fetches that history per user via cron.

Recursion
  • .bash_history is for convenience, not for security. There are a number of reasons for this, not the least of which being that it's user-editable (or at least appendable). – Matt Jul 13 '09 at 18:43