Friday, September 19, 2008

Sending shell commands to Syslog

I have been interested in tracking all shell commands on my servers as well as putting something together for my "hacker terrarium". The general consensus is that you need to tweak the source code for the shell and recompile it. That might be the "cleanest" way to do it, but it's just not the easiest. It's best to just have a simple change that I can apply to hundreds of servers.

I came across a blog entry that had this gem buried in a diff file. All you really need to do is to add a function to /etc/profile, and you're done. Here is the snip:

function history_to_syslog
{
    declare cmd
    # fc -l lists history, -n drops the numbers, -0 selects the most recent entry
    cmd=$(fc -ln -0)
    # "--" ends logger's option parsing; quoting keeps the command as a single argument
    logger -p local7.notice -- "SESSION = $$, CMD = $cmd"
}
# run the function before every simple command the shell executes
trap history_to_syslog DEBUG


The key part of that function is the "fc" (fix command) bash built-in. The -l option sends the command to standard output and -n suppresses the command numbers. Check "man bash" for more details and options.

Once that function is in /etc/profile, fire up "tail -f /var/log/messages", then start another session and test it out. You'll notice that shell commands get sent to syslog, but with a delay of one command.
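As an added example (not from the original post or the linked source), here is a small script that reads the syslog lines the trap produces and rebuilds the command list per shell session, which is what you actually want when reviewing the audit trail. The log lines are constructed sample data; the hostname web01 and the session ids are assumed.

```shell
#!/bin/bash
# Added example: parse "SESSION = <pid>, CMD = <command>" lines written by the
# history_to_syslog trap and group them per session. SAMPLE_LOG is constructed
# sample data in the format logger emits; the sshd line shows that unrelated
# syslog entries are ignored.

SAMPLE_LOG='Sep 19 10:01:02 web01 logger: SESSION = 4242, CMD =  cd /var/www
Sep 19 10:01:05 web01 logger: SESSION = 4242, CMD =  ls -la
Sep 19 10:01:09 web01 logger: SESSION = 4243, CMD =  sudo -i
Sep 19 10:01:20 web01 logger: SESSION = 4242, CMD =  cat config.php
Sep 19 10:02:01 web01 sshd[100]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2'

# session_commands SESSION_ID -> the commands logged for that session, in order, one per line
session_commands() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v sid="$1" '
        # only lines written by the trap carry the SESSION/CMD marker
        match($0, /SESSION = [0-9]+, CMD =/) {
            line = substr($0, RSTART)
            split(line, parts, ", CMD =")
            sub(/SESSION = /, "", parts[1])      # parts[1] is now the session pid
            if (parts[1] == sid) {
                cmd = parts[2]
                sub(/^[ \t]+/, "", cmd)          # fc output starts with whitespace
                print cmd
            }
        }'
}

# count_sessions -> number of distinct shell sessions present in the log
count_sessions() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        match($0, /SESSION = [0-9]+/) {
            seen[substr($0, RSTART + 10, RLENGTH - 10)] = 1
        }
        END { n = 0; for (k in seen) n++; print n }'
}

# example run: list everything session 4242 did
session_commands 4242
```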

It's not as clean as modifying the source, but it does get the job done and should satisfy a lot of audit requirements.

Source of info:
http://posludio.wordpress.com/2007/11/02/bash-history-to-a-remote-syslog/
