PaulDotCom mailing list archives
Re: A logging root shell
From: Jim Halfpenny <jim.halfpenny () gmail com>
Date: Tue, 22 Nov 2011 23:26:53 +0000
You can also evade this by running commands from within another program such as vi or by using the perl or python interpreter. Process accounting will record the commands that were executed but not any of the arguments. Hooking the exec system call might be a nice way to capture activity. Just some thoughts.

Cheers,
Jim

On 22 November 2011 22:20, Champ Clark III [Quadrant] <cclark () quadrantsec com> wrote:
Pretty cool. However, with the built-in bash syslog of history, there's no way to evade and no scripting required. Of course, if you aren't using bash, then it really doesn't matter. Another point: when I do it with the built-in bash syslog of history, I make sure I don't have any other shells installed. It'd be trivial to evade if the user just runs ash/ksh/csh/tcsh :)

On Nov 22, 2011, at 2:01 PM, Nils wrote:

Thanks for your valuable feedback! I got another neat approach off-list which I want to share with you:

[Quote]
The step we use to pass that PCI requirement for Linux is to put the following inside of /etc/profile:

PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER "$(history 1)" | logger -p local2.info -t "shell_history"'

logger being the transport to syslog/syslog-ng/rsyslog. There are some sly tricks to evade it, but this will pass their requirement. Just make sure the syslogging facility you use is sending and logging it on a separate machine. I prefer rsyslog.
[/Quote]

Cheers,
Nils

Am 21.11.2011 17:03, schrieb Nils:

Hi guys,

I'm looking into solutions to comply with PCI DSS requirement 10.2.2 (Logging: All actions taken by any individual with root or administrative privileges), especially on Linux systems. Therefore I've checked for ways to provide a shell which logs all actions taken. I stumbled upon stuff like:

mkfifo myfifo; logger -f myfifo & script -f myfifo
rootsh
sudoshell (ss)

What are your experiences in this realm? The best solution would be something done with on-board means or a provided package of the Linux distribution, in this case Debian.

Thanks!
Nils

_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com

Champ Clark III (office) 904.253.7856 (mobile) 850.443.2440 (SOC) 800.538.9357 ext 101 cclark () quadrantsec com www.quadrantsec.com
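An added example, not from any of the posters: the syslog line format that Nils's /etc/profile hook produces, scanned for the commands Jim and Champ point out escape per-prompt history logging (other shells, interpreters, editors). Host name, PIDs, users and the log lines are constructed; the line layout assumes rsyslog's default format and bash's "history 1" output (right-aligned number, two spaces, command).

```shell
# Constructed rsyslog-style lines as the PROMPT_COMMAND hook would emit them.
# Host, PIDs and users are made up for the example.
SAMPLE_LOG='Nov 22 23:01:02 pci-db01 shell_history: 4242 root   118  ls -la /var/log
Nov 22 23:01:10 pci-db01 shell_history: 4242 root   119  vi /etc/sudoers
Nov 22 23:02:30 pci-db01 shell_history: 5150 admin    57  sudo python
Nov 22 23:03:00 pci-db01 shell_history: 5150 admin    58  cat /etc/hostname
Nov 22 23:03:05 pci-db01 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)'

# Returns 0 when the first word of a logged command (after an optional sudo)
# is a program that lets the operator run further commands the per-prompt
# history hook never sees: another shell, an interpreter, or an editor.
is_escape() {
    cmd=$1
    first=${cmd%% *}                 # first space-delimited word
    if [ "$first" = "sudo" ]; then
        cmd=${cmd#sudo }
        first=${cmd%% *}
    fi
    case "$first" in
        sh|ash|dash|ksh|csh|tcsh|zsh|vi|vim|perl|python|python2|python3) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads syslog lines on stdin, prints each shell_history entry whose command
# the hook cannot audit further, and prints the total count on the last line.
scan_shell_history() {
    count=0
    set -f                           # no globbing while splitting log fields
    while IFS= read -r line; do
        case "$line" in *" shell_history: "*) ;; *) continue ;; esac
        set -- ${line#*" shell_history: "}   # pid user histnum command...
        [ $# -ge 4 ] || continue     # malformed entry: skip rather than die
        pid=$1; user=$2; shift 3     # drop pid, user and the history number
        if is_escape "$*"; then
            count=$((count + 1))
            printf 'ESCAPE pid=%s user=%s cmd=%s\n' "$pid" "$user" "$*"
        fi
    done
    set +f
    echo "$count"
}

# Number of flagged entries in the constructed sample (expected: 2).
count_escapes() {
    printf '%s\n' "$SAMPLE_LOG" | scan_shell_history | tail -n 1
}
```

Feed real lines with something like `grep shell_history /var/log/syslog | scan_shell_history` on the central log host; the flagged entries are where a session recorder (script, rootsh) or exec-level auditing is needed to see what happened next.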