logging

logging

Post by Skibi de LaPie » Thu, 31 Jan 2002 06:22:57



Whenever one logs onto the console, his commands are written in a file, for
example .bash_history, but when one logs on from a pty device, then his
commands are not logged. How to log them, and how to get the list of commands
given on the server? I'd like to monitor them, because I suspect an
intrusion.

greetz
Skibi de LaPies

 
 
 

logging

Post by Kasper Dupon » Thu, 31 Jan 2002 06:57:34



> Whenever one logs onto the console, his commands are written in a file, for
> example .bash_history, but when one logs on from a pty device, then his
> commands are not logged. How to log them, and how to get the list of commands
> given on the server? I'd like to monitor them, because I suspect an
> intrusion.

Usually bash writes the commands to its history file no matter
which tty it is running on. But if you have an intruder he
could easily remove commands from .bash_history; in addition
to that, bash has a command to enable and disable saving of
commands in the history.

Logging commands being executed can be done in a lot of
different ways. But I don't know any that can be done out of
the box.

- You could modify your shell to log all commands through
  syslog or something similar.
- You could have a separate process trace all shells and
  save everything they read from stdin.
- You could modify the kernel to log all communication
  through the corresponding char devices.
- You could modify the kernel to log all execve syscalls.

--
Kasper Dupont


 
 
 
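The first of the four approaches above, as an added example that is not from this thread: a bash DEBUG trap that hands each command line to syslog through logger(1) instead of relying on .bash_history. The deployment path /etc/profile.d/cmdlog.sh, the tag cmdlog and the authpriv facility are assumptions; the CMDLOG_FILE variable exists only so the functions can be exercised without a syslog daemon.

```bash
# Added example, not from the thread: log every interactive bash command to syslog.
# Assumed location: /etc/profile.d/cmdlog.sh, sourced by every login shell.
# The syslog copy survives "rm ~/.bash_history" and "set +o history", but a user
# who owns the session can still run "trap - DEBUG" or exec another shell.

# Build one record. Fields are key=value so the syslog line is easy to grep/parse.
#   $1 effective user   $2 login user (SUDO_USER when under sudo, else same as $1)
#   $3 tty              $4 working directory        $5 command text
cmdlog_record() {
    printf 'user=%s login=%s tty=%s pwd=%s cmd=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Decide whether a command line is worth a record: 0 = log it, 1 = skip.
# Skips empty lines, our own helpers, and the "history -a" that PROMPT_COMMAND may run.
cmdlog_wanted() {
    [ -n "$1" ] || return 1
    case "$1" in
        cmdlog_*|'history -a') return 1 ;;
        *) return 0 ;;
    esac
}

# Deliver a record: to syslog (facility authpriv and tag cmdlog are assumptions) or,
# when CMDLOG_FILE is set, appended to that file so the functions can be tested
# without a syslog daemon.
cmdlog_emit() {
    rec=$(cmdlog_record "$@")
    if [ -n "${CMDLOG_FILE:-}" ]; then
        printf '%s\n' "$rec" >>"$CMDLOG_FILE"
    else
        logger -p authpriv.notice -t cmdlog -- "$rec"
    fi
}

# DEBUG trap body; bash runs it just before each simple command, with the text
# of that command in BASH_COMMAND.
cmdlog_hook() {
    cmdlog_wanted "$BASH_COMMAND" || return 0
    cmdlog_emit "$CMDLOG_USER" "${SUDO_USER:-$CMDLOG_USER}" "$CMDLOG_TTY" "$PWD" "$BASH_COMMAND"
}

# Arm the trap only in interactive bash ($- contains "i"); scripts are left alone.
if [ -n "${BASH_VERSION:-}" ]; then
    case $- in
        *i*)
            CMDLOG_USER=$(id -un)
            CMDLOG_TTY=$(tty 2>/dev/null || echo none)
            trap cmdlog_hook DEBUG
            ;;
    esac
fi
```

Because every record carries the tty and, under sudo, the original login name, a command run as root can be matched against the "su" line that /var/log/messages already records for the same tty and time. The trap still lives inside the user's own shell, which is why the two kernel-side options in the list are the only ones an intruder cannot switch off from the prompt.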

logging

Post by Skibi de LaPie » Thu, 31 Jan 2002 07:14:33



> Usually bash writes the commands to its history file no matter
> which tty it is running on. But if you have an intruder he
> could easily remove commands from .bash_history; in addition
> to that, bash has a command to enable and disable saving of
> commands in the history.

As I'm a rookie, I don't know any command that does so, but the problem is
not logging on: when one is on a tty, it logs; the problem is that nothing is
written when one works remotely, or does a sudo or su, no trace, no history.
Even if I do so, and try to see the history after logout.
greetz
Skibi de LaPies
 
 
 

logging

Post by Kasper Dupon » Fri, 01 Feb 2002 02:34:11




> > Usually bash writes the commands to its history file no matter
> > which tty it is running on. But if you have an intruder he
> > could easily remove commands from .bash_history; in addition
> > to that, bash has a command to enable and disable saving of
> > commands in the history.
> As I'm a rookie, I don't know any command that does so,

set +o history    # stop recording commands in the history
set -o history    # start recording again

> but the problem is
> not logging on, when one is on tty, it logs, the problem is, that nothing is
> written when one works remotely, or does a sudo or su, no trace, no history.

Strange, whenever I use bash it always saves the history,
unless I explicitly turn it off.

> Even if I do so, and try to see the history after logout.
> greetz
> Skibi de LaPies

--
Kasper Dupont

 
 
 

logging

Post by Skibi de LaPie » Fri, 01 Feb 2002 05:51:14



> Strange, whenever I use bash it always saves the history,
> unless I explicitly turns it off.

mine does not, but I think I've got the thing, there was no /etc/profile
HISTORYFILE set, so now I log all they do, except, and that is one thing I
do not understand, su... It does log what was done when the user was root
(why?), but there is no record if a user with wheel group privileges changed
to root (by using su). It is of course recorded in /var/log/messages, but
sometimes it's hard to know if it was done when the user was, or wasn't, root.
And the other thing, how to write a time stamp to so created history? (To

Any ideas how to cope with that?

This whole method has one point that compromises the idea - any user can see
it. :( By viewing /etc/profile, but that's not so important anyway...

greetz
vermin

 
 
 
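The /etc/profile settings the post above is looking for, plus a reader for the timestamped file it produces, as an added example that is not part of the thread. HISTTIMEFORMAT first appeared in bash 3.0, later than the shells in this 2002 exchange, so that the running bash has it is an assumption; /etc/profile.d/history.sh is an assumed path, and the chattr step assumes a Linux ext filesystem.

```bash
# Added example, not from the thread: force a timestamped per-user history file from
# the system profile, and read the result back. Assumed location: /etc/profile.d/history.sh.
# HISTTIMEFORMAT needs bash 3.0 or newer (an assumption about the host's bash).

if [ -n "${BASH_VERSION:-}" ]; then
    HISTFILE="$HOME/.bash_history"     # the variable the post found missing from /etc/profile
    HISTSIZE=10000                     # lines kept in memory
    HISTFILESIZE=100000                # lines kept on disk
    HISTTIMEFORMAT='%F %T '            # makes bash store a "#<epoch>" line before each command
    shopt -s histappend                # append on exit instead of rewriting the file
    PROMPT_COMMAND='history -a'        # flush after every command, so a killed session still leaves a trail
    readonly HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT   # blocks "unset HISTFILE" in this shell
    export HISTFILE HISTTIMEFORMAT
fi

# Read a history file written with HISTTIMEFORMAT set and print "<epoch> <command>"
# per command. Bash stores the time as its own "#<digits>" line just before the
# command; entries recorded before timestamps were enabled have none and get epoch 0.
# Takes file names as arguments, or reads stdin when none are given.
history_with_epochs() {
    awk '
        /^#[0-9]+$/ { ts = substr($0, 2); next }
        { printf "%s %s\n", (ts == "" ? 0 : ts), $0; ts = "" }
    ' "$@"
}

# Root-only hardening for an existing file: append-only means the user can add
# lines but cannot truncate or delete the file (Linux ext2/3/4 attribute;
# assumption that chattr is installed). Returns chattr's exit status.
history_append_only() {
    chattr +a "$1"
}
```

The su question in the post is a matter of which file gets written: "su -" starts a login shell as root, so its commands land in root's history under root's name, while a plain "su" keeps running in whatever file the caller's HISTFILE points at. readonly only defeats a casual "unset HISTFILE"; a user who owns the session can still exec a different shell, and can delete the file unless root has made it append-only, which is the one measure that is not weakened by everyone being able to read /etc/profile.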

Check your ppp.log or ppp.tun0.log in /var/log

Hi,

I was having a look through my FreeBSD 2.2.2 system last night after
compiling myself a new kernel, so was feeling pretty chuffed about it
(being my first FreeBSD kernel) when I noticed that the directory and
contents of /var/log/ were world-readable.

While it's pretty understandable that some log files have world
attributes it seems INSANE that ppp.log (or, in my case, ppp.tun0.log)
be world-readable. After a quick cat of the file I found, for all to
see, plain text copies of my ISP password visible.

I suppose it's prudent to run around clamping all these files down, but
it strikes me as odd that they'd default to world-readable.

Well, it's probably not a major discovery, but I thought I'd bring it
to your attention anyway.

Cya,

--
Matt Bruce

NB: Remove X's to email me (anti-spam)
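A check and a fix for the permissions problem described in the post, as an added example that is not part of it. Both functions take the directory as an argument so they can be rehearsed on a scratch tree before being pointed at /var/log; stripping only the "other" bits, and leaving owner and group as the system set them, is an assumption that the site's admin group should keep reading the logs.

```bash
#!/bin/sh
# Added example, not from the post: audit a log directory for files readable by
# "others" and clamp them. The intended target is /var/log; both functions take
# the directory as an argument so they can be tried on a scratch tree first.

# Print every regular file under $1 that has the world-read bit, one per line.
# "-perm -004" is the POSIX spelling of "at least o+r".
worldreadable_logs() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Remove all "other" bits from those files. Owner and group are left as the
# system set them (assumption: the admin group, e.g. wheel, should keep access).
# Pass -n as the second argument to only report what would change.
clamp_logs() {
    dir=$1
    dry=${2:-}
    worldreadable_logs "$dir" | while IFS= read -r f; do
        if [ "$dry" = -n ]; then
            printf 'would chmod o-rwx %s\n' "$f"
        else
            chmod o-rwx "$f" && printf 'chmod o-rwx %s\n' "$f"
        fi
    done
}
```

Run "clamp_logs /var/log -n" first and read the list: anything a non-root service legitimately reads from /var/log needs a group entry rather than the world bit, and a log rotation tool that recreates files with its own default mode will undo the chmod on the next rotation unless its configuration is changed to match.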
