Auditing - Logging all commands and arguments

  • humbletech99

Post 3+ Months Ago

I want to increase my security and auditing on some systems by adding full logging of every command and all arguments to every command that is typed on any shell used on the system.

I have used sa before, but this only logs the command program, not the arguments, which makes all the difference. Also, I'm not sure it will catch shell built-ins or people truncating files like so: "> filename".

I have used snoopy before, which I liked and which seemed to work quite well, although it does not seem to have been supported since 2004, looking at the SourceForge site. Since this uses execve I'm not sure it will catch shell built-ins either, in fact, nor am I sure about packages/maintainability of doing this, but then considering it has not been updated in 3.5 years I doubt updates will be a problem... (of course this raises issues about security or bugs discovered in it if it is not maintained).

I've also found sudosh on Google, but this seems to be an imperfect approach since it requires giving people an alternate shell through sudo. What happens when logging all commands but one command is just "bash" and everything inside that command is a black box?

Ideally I'd like whatever auditing solution I implement to be shell neutral.

Sudo itself is completely inadequate because people "sudo su", and it would be difficult if not impossible to grant people access to only specific commands.

So what do you use for complete command auditing/logging?
  • Don2007

Post 3+ Months Ago

I don't have an answer but I have a question. Who has time to read all those logs?
  • humbletech99

Post 3+ Months Ago

That's what log servers and automated analysis and alerting are for....

But also, imagine if something strange has happened, wouldn't you want to go and look at the commands happening on the system around that time?

In fact, this was the case a little while back with a dev at my workplace. I caught him using an incorrect command which broke some of our websites. Luckily he used the sudo command, so I caught him through the logs, but if he had instead done "sudo su" then I would have been stumped.
  • Don2007

Post 3+ Months Ago

Just out of curiosity, what command broke your sites?
  • humbletech99

Post 3+ Months Ago

It was a chown or something that had a double dot in it as well as the dirs, which changed the ownership of not just this dir but its parent, hence the permissions on some webapp directories that were adjacent to the one the dev was working on. The dev did something stupid like
Code:
    chown user:user . .. dir1 dir2

The . was ok but the .. screwed up.
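As an added illustration of the mistake described above (not code from the thread), here is a small POSIX sh helper that resolves each operand of a command like `chown user:user . .. dir1 dir2` against the working directory and reports the ones that land outside it, which is how `..` quietly pulled the parent directory into the change. The `resolve`, `outside_base` and `demo` names and the temporary directory layout are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Resolves every operand of a command such as
#   chown user:user . .. dir1 dir2
# relative to a working directory and reports those that fall outside it, the way
# ".." silently included the parent directory in the post above.

# resolve BASE PATH: print the physical absolute path of PATH relative to BASE.
resolve() {
    case $2 in /*) _p=$2 ;; *) _p=$1/$2 ;; esac
    if [ -d "$_p" ]; then
        (cd "$_p" && pwd -P)
    else
        # Plain file: resolve its directory, then re-attach the file name.
        _dir=$(cd "$(dirname "$_p")" 2>/dev/null && pwd -P) || return 1
        printf '%s/%s\n' "$_dir" "$(basename "$_p")"
    fi
}

# outside_base BASE OPERAND...: print "operand -> resolved" for each operand whose
# resolved path is neither BASE nor underneath it; prints nothing when all are inside.
outside_base() {
    _base=$(cd "$1" && pwd -P) || return 2
    shift
    for _op in "$@"; do
        _target=$(resolve "$_base" "$_op") || continue   # nonexistent operand: ignore
        case "$_target" in
            "$_base"|"$_base"/*) ;;                        # inside the working tree
            *) printf '%s -> %s\n' "$_op" "$_target" ;;
        esac
    done
}

# Stand-alone demo on a constructed directory layout (hypothetical paths).
demo() {
    _tmp=$(cd "$(mktemp -d)" && pwd -P) || return 1
    mkdir -p "$_tmp/parent/work/dir1" "$_tmp/parent/work/dir2"
    echo "Operands resolving outside $_tmp/parent/work:"
    outside_base "$_tmp/parent/work" . .. dir1 dir2      # reports only ".."
    rm -rf "$_tmp"
}

demo
```

Running the same check before a recursive chown or chmod (for example from a wrapper script) is a cheap way to catch a stray `..` without any auditing infrastructure at all.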
  • Don2007

Post 3+ Months Ago

So the double dot told chown to go up one directory the same as it would the cd command. In your case, it was just a mistake and not an attempted Denial Of Service attack but I wonder what implications that has otherwise.
  • humbletech99

Post 3+ Months Ago

This is exactly why I want auditing with full command __and__ argument logging, independent of which shell is used.
  • Don2007

Post 3+ Months Ago

Good luck finding that. I don't think that there is an all-in-one program for that. You may need 2 or 3 different things to cover all the angles.
  • humbletech99

Post 3+ Months Ago

I'd be willing to use 2 or 3 different things if they were solid to use and didn't require rebooting.
