[ale] Command auditing
Synco Gibraldter
synco at xodarap.net
Mon May 5 23:41:54 EDT 2003
Yes, I log all commands. There may be better (more secure) ways of
doing it, but I found a patch for bash quite a while ago and have applied
it to every install I've done. The patch is for bash 2.03 and is
attached.
synco
On Mon, 5 May 2003, Christopher Fowler wrote:
>
> Is anyone here doing command auditing? I would like every command executed
> via the shell to be sent as an auth message to syslog. I have it working now
> but I had to modify the source code of ash to make this happen. I was hoping
> there was another way.
>
> I may have to stick to my current method since I'm also logging commands
> executed by my CGI programs on the web server.
>
> Thanks,
> Chris
>
>
*** ./lib/readline/history.c.ORIG Mon Jan 1 00:53:55 2001
--- ./lib/readline/history.c Mon Jan 1 02:03:54 2001
***************
*** 30,35 ****
--- 30,36 ----
#endif
#include <stdio.h>
+ #include <syslog.h>
#if defined (HAVE_STDLIB_H)
# include <stdlib.h>
***************
*** 216,225 ****
/* Place STRING at the end of the history list. The data field
is set to NULL. */
void
! add_history (string)
char *string;
{
HIST_ENTRY *temp;
if (history_stifled && (history_length == max_input_history))
{
--- 217,241 ----
/* Place STRING at the end of the history list. The data field
is set to NULL. */
void
! add_history (string, logme)
char *string;
+ int logme; /* 0 means no sending history to syslog */
{
HIST_ENTRY *temp;
+
+ if (logme) {
+ if (strlen(string)<600) {
+ syslog(LOG_LOCAL5 | LOG_INFO, "HISTORY: PID=%d UID=%d %s",
+ getpid(), getuid(), string);
+ } else {
+ char trunc[600];
+
+ strncpy(trunc,string,sizeof(trunc));
+ trunc[sizeof(trunc)-1]='\0';
+ syslog(LOG_LOCAL5, LOG_INFO, "HISTORY: PID=%d UID=%d %s(++TRUNC)",
+ getpid(), getuid(), trunc);
+ }
+ }
if (history_stifled && (history_length == max_input_history))
{
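Review bot: The truncation branch calls `syslog(LOG_LOCAL5, LOG_INFO, "HISTORY: ... %s(++TRUNC)", ...)` with a comma where the short-line branch correctly uses `LOG_LOCAL5 | LOG_INFO`, so `LOG_INFO` is handed to syslog as the format pointer and the priority collapses to LOG_LOCAL5 with level 0 (LOG_EMERG); any command line of 600 characters or more will therefore crash the shell or emit garbage at emergency level instead of being audited. It should read `syslog(LOG_LOCAL5 | LOG_INFO, "HISTORY: PID=%d UID=%d %s(++TRUNC)", getpid(), getuid(), trunc);` (a `%.599s` precision on `string` would also let the strncpy copy go away). `string` is the line as the user typed it, so embedded newlines or control characters reach the log unescaped unless the syslog daemon sanitizes them — a reader of the audit log should not trust line boundaries. `getpid()`/`getuid()` need `<unistd.h>`, which the include hunk of this patch does not add, and `%d` assumes uid_t fits an int. add_history's body continues outside the hunk.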
*** ./lib/readline/histfile.c.ORIG Mon Jan 1 01:02:58 2001
--- ./lib/readline/histfile.c Mon Jan 1 01:05:25 2001
***************
*** 200,206 ****
buffer[line_end] = '\0';
if (buffer[line_start])
! add_history (buffer + line_start);
current_line++;
--- 200,207 ----
buffer[line_end] = '\0';
if (buffer[line_start])
! /* Ant: new 2nd arg means skip syslog */
! add_history (buffer + line_start, 0);
current_line++;
*** ./lib/readline/histexpand.c.ORIG Mon Jan 1 01:03:20 2001
--- ./lib/readline/histexpand.c Mon Jan 1 01:04:23 2001
***************
*** 1040,1046 ****
if (only_printing)
{
! add_history (result);
return (2);
}
--- 1040,1046 ----
if (only_printing)
{
! add_history (result, 1); /* Ant: new 2nd argument means do syslog */
return (2);
}
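Review bot: The `add_history (result, 1)` under `if (only_printing)` sends the expanded line to syslog although this branch returns 2 without running anything — the `only_printing` guard looks like the `:p` ("print but do not execute") path of history expansion. Logging it under the same HISTORY tag records commands that never executed, and a user can pad the audit log with arbitrary `!cmd:p` lines; when such a line is later actually run it presumably reaches the bashhist.c path, which logs it at that point. Unless print-only events are wanted, this call should pass 0 like the read_history hunk does, `add_history (result, 0);`, or the message should carry a distinct tag so an auditor can tell the two apart. history_expand starts and ends outside the hunk.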
*** ./lib/readline/history.h.ORIG Mon Jan 1 01:13:54 2001
--- ./lib/readline/history.h Mon Jan 1 01:14:42 2001
***************
*** 80,86 ****
/* Place STRING at the end of the history list.
The associated data field (if any) is set to NULL. */
! extern void add_history __P((char *));
/* A reasonably useless function, only here for completeness. WHICH
is the magic number that tells us which element to delete. The
--- 80,86 ----
/* Place STRING at the end of the history list.
The associated data field (if any) is set to NULL. */
! extern void add_history __P((char *, int)); /* Ant added arg */
/* A reasonably useless function, only here for completeness. WHICH
is the magic number that tells us which element to delete. The
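Review bot: Changing the exported prototype to `add_history __P((char *, int))` alters the public readline API: any other caller of add_history() compiled or linked against this readline would presumably pass one argument and the callee would read an undefined `logme`, and every future bash/readline update needs the patch re-applied. A safer shape keeps `extern void add_history __P((char *));` unchanged and adds a second entry point, e.g. `extern void add_history_logged __P((char *, int));`, with bash's history code calling the new one. The comment `/* Ant added arg */` should state what the argument does — a non-zero value sends the line to syslog — rather than that an argument was added.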
*** ./bashhist.c.ORIG Mon Jan 1 01:15:51 2001
--- ./bashhist.c Mon Jan 1 01:16:53 2001
***************
*** 565,571 ****
if (add_it)
{
hist_last_line_added = 1;
! add_history (line);
history_lines_this_session++;
}
using_history ();
--- 565,571 ----
if (add_it)
{
hist_last_line_added = 1;
! add_history (line, 1);
history_lines_this_session++;
}
using_history ();
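Review bot: The syslog call rides on `add_history (line, 1)` inside `if (add_it)`, so an audit entry exists only when bash decides to keep the line in its history; `add_it` is computed outside the hunk, but presumably it follows `set +o history`, HISTSIZE, HISTCONTROL, HISTIGNORE and similar settings, each of which any user can change in their own shell to silence the log. For an audit trail the logging should happen before that test, e.g. a dedicated `bash_syslog_history (line);` call placed ahead of `if (add_it)`, independent of whether the line is remembered. Note also that what is logged is the line as typed — aliases, functions, variables and `$(...)` substitutions are not resolved, so the record shows `$c` rather than what actually ran. The enclosing function starts and ends outside the hunk.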