BASIC SECURITY: Log every user command
Wednesday, 03 February 2010 15:24
How to log every user command in a secure way
Log Every User Command in a Secure way - Version 0.2
This small howto is meant to help you log every command on a Unix system in a secure way. All you need for this is sudo and the root account :-) Edit the sudoers file (SUN: /usr/local/etc/sudoers - LINUX: /etc/sudoers) and add what you need, following the example in section 2.1.
Authors: hal, Fabio
Table of Contents
1) INTRO
2) CONFIGURATION
3) TODO
4) REFERENCE
1) INTRO
At the moment you can log both bash and ksh commands correctly and in a secure way, while commands executed after a switch-user (to an account other than root) can be logged, but without the secure trick described below.
1.1 WHAT YOU NEED
First of all, download sudo from your preferred sunfreeware.com mirror and install it.
2) CONFIGURATION
2.1 SUDOERS
###################### BEGIN SUDOERS ######################
## THE HOSTS THAT YOU WANT TO CONTROL WITH THIS SUDO
Host_Alias TESTHOSTS = hostest1 , hostest2 , hostest3
## THE USER ALIAS YOU WANT
User_Alias ADMINTEAM = user1 , user2 , user3
## THE COMMAND ALIAS YOU WANT
Cmnd_Alias SU = /usr/bin/su , /bin/su
## Defaults specification
Defaults:ADMINTEAM rootpw,log_host
Defaults umask=0077
# Reset environment by default
Defaults env_reset,env_keep="WHOAMI CURRENT_DATE CPID HIST"
# User privilege specification
root ALL=(ALL) ALL
## WHO CAN DO WHAT
ADMINTEAM ALL = SU
ALL ALL = NOPASSWD: /usr/local/sbin/loguser.ksh
###################### END SUDOERS ######################
The env_keep option is needed to pass a few variables from /etc/profile to the command executed through sudo, while all other environment variables are reset. The last line is the most important one: it lets every user run the logging script as root without giving any password.
2.2 PROFILE
Now edit /etc/profile and add the following lines at the end:
###################### BEGIN PROFILE ######################
## Edit your profile to add /usr/ucb in your path
#LOG SESSION
# Pick the history file name used by the login shell on this OS
SYS=`uname`
case $SYS in
Linux) HIST=.bash_history ;;
SunOS) HIST=.sh_history ;;
*) HIST=.sh_history ;;
esac
USER="`logname`"          # the account that actually logged in
WHOAMI="`whoami`"         # the account this shell is running as
CURRENT_DATE=`date +%Y%m%d_%H%M%S`
CPID=$$                   # pid of this login shell, used in the log file name
export WHOAMI CURRENT_DATE CPID HIST
echo SHELLPID: $CPID
if [ "$USER" = "$WHOAMI" ]
then
echo "## NORMAL USER ##"
# Normal login: let root (via sudo, no password needed) copy the history
# into /var/log/history. The pipeline is backgrounded, otherwise the
# foreground tail -f would never return and the login would hang here.
/usr/bin/tail -f ~/${HIST} |
sudo /usr/local/sbin/loguser.ksh &
else
echo "## SU USER ##"
# Switched user: write the history straight into the log dir as this user
LOGNAME=$USER
WHOAMI=`whoami`
HISTFILE=/var/log/history/session_${CPID}_${LOGNAME}_${WHOAMI}_$CURRENT_DATE.log
export HISTFILE
fi
# Make the variable read-only so nobody can point HISTFILE somewhere else
typeset -r HISTFILE >/dev/null 2>&1
##################### END PROFILE ######################
The first test detects whether you are a normal user or a switched user. In the "then" branch we use the command "sudo /usr/local/sbin/loguser.ksh" to append lines to a file acting as root; in the "else" branch we avoid doing this because, when you exit the shell, the tee process would stay attached. So the only thing we can do there is to log every command, but not as root; this is potentially a problem THAT HAS TO BE ADDRESSED.
The last line is a shell command that makes a variable read-only, so nobody can change the $HISTFILE variable.
2.3 /usr/local/sbin/loguser.ksh
Edit the file /usr/local/sbin/loguser.ksh with the following lines:
#!/bin/ksh -x
### BEGIN ###
# Runs as root through sudo, so the session log is created root-owned.
# HIST, CPID, WHOAMI and CURRENT_DATE come from the caller via env_keep.
# Check that ~ still expands to the logged-in user's home under your sudo,
# otherwise this would follow root's own history file instead.
/usr/bin/tail -f ~/${HIST} | /usr/bin/tee -a /var/log/history/session_${CPID}_${WHOAMI}_$CURRENT_DATE.log >/dev/null &
### END ###
Then run the following commands:
chmod 700 /usr/local/sbin/loguser.ksh
chown root:root /usr/local/sbin/loguser.ksh
2.4 SYSTEM CHANGES
Create the log directory and restrict it as follows (mode 330 lets group members create and append to files there without being able to list or read them):
groupadd -g 10000 logacc
mkdir /var/log/history/
chown root:logacc /var/log/history/
chmod 330 /var/log/history/
Remember to add every user who will su to the group logacc - root doesn't need this.
Now try logging into the system!
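The log files created above follow two naming patterns, one for normal logins and one for switched users. As an added example (not part of the original howto), this POSIX sh script parses such filenames and reports the switch-user sessions, which the text flags as the ones not written by the root-owned tee; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not part of the original howto: parse the session log
# filenames that the profile and loguser.ksh above produce and report the
# switch-user sessions. Two filename shapes are assumed, taken from the page:
#   normal user: session_<CPID>_<WHOAMI>_<YYYYmmdd>_<HHMMSS>.log
#   su user:     session_<CPID>_<LOGNAME>_<WHOAMI>_<YYYYmmdd>_<HHMMSS>.log

# parse_session_name FILE
# Prints "kind cpid logname whoami date time" (kind = normal|su);
# for a normal session logname equals whoami. Returns 1 for other files.
parse_session_name() {
    base=${1##*/}              # drop directory part
    base=${base%.log}          # drop extension
    oldifs=$IFS
    IFS=_
    set -- $base               # split on underscores into $1..$n
    IFS=$oldifs
    [ "$1" = session ] || return 1
    case $# in
        5) printf 'normal %s %s %s %s %s\n' "$2" "$3" "$3" "$4" "$5" ;;
        6) printf 'su %s %s %s %s %s\n' "$2" "$3" "$4" "$5" "$6" ;;
        *) return 1 ;;
    esac
}

# report_su_sessions
# Reads filenames from stdin, one per line, and prints one line per
# switch-user session; files that do not match the pattern are skipped.
report_su_sessions() {
    while IFS= read -r name; do
        fields=$(parse_session_name "$name") || continue
        set -- $fields
        [ "$1" = su ] || continue
        printf '%s switched to %s (pid %s, %s %s)\n' "$3" "$4" "$2" "$5" "$6"
    done
}

# count_su_sessions: number of switch-user sessions among the filenames on stdin
count_su_sessions() {
    report_su_sessions | wc -l | tr -d ' '
}

# Constructed sample listing of /var/log/history (not real data).
SAMPLE_NAMES='session_2314_fabio_20100203_152400.log
session_2402_hal_root_20100203_153011.log
session_2511_fabio_oracle_20100203_160102.log
notes.txt'

printf '%s\n' "$SAMPLE_NAMES" | report_su_sessions
```

On a real system feed it `ls /var/log/history` instead of the sample listing; note that root itself can list that directory, while logacc members cannot (mode 330).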
3) TODO
- the "tail -f" command starts by emitting the last 10 lines of the history file, so they are logged again; the option syntax differs between Solaris and Linux, which makes a fix awkward
- trace superusers other than root in a secure way
4) REFERENCE
4.1 AUTHORS
4.2 LINKS