* critical server commands logging
From: Prashant Desai @ 2003-01-11 17:42 UTC (permalink / raw)
To: linux-admin
Hello everybody,
I want to log each and every command that each user gives during their
login session to the Red Hat Linux 7.1/6.1/7.0 servers. These servers are
very critical for us, and there are multiple users (around 5) using them,
so all the logging should go to the syslog server.
Has anyone done this? How?
Is this possible? How? Any pointers would be greatly appreciated.
regards
Prashant
* Re: critical server commands logging
From: @ 2003-01-11 18:26 UTC (permalink / raw)
To: Prashant Desai, linux-admin
Hi,
Trusting the shell to do that is not very secure. You can, for example,
log the whole session of the user. I think this will be more effective
than logging only the commands.
Regards
On Sat, 11 Jan 2003 09:42:49 -0800 (PST)
Prashant Desai <pressy_sun@yahoo.com> wrote:
> i want to log each and every commands which
> each user gives during their login session to the
> redhat linux 7.1/6.1/7.0 servers these server are very
--
[alpha1]
-[ infinity.obfuscated.info ]-
jmp .
* Re: critical server commands logging
From: Stephen Satchell @ 2003-01-11 18:46 UTC (permalink / raw)
To: Prashant Desai, linux-admin
At 09:42 AM 1/11/03 -0800, Prashant Desai wrote:
> i want to log each and every commands which
>each user gives during their login session to the
>redhat linux 7.1/6.1/7.0 servers these server are very
>critical for us and as there are multiple users around
>5 whom are using these server , ya all the logging
>should go to the syslog server ,
>
> has any one done this ? how ?
>
> is this possible ?? how ? any pointers would be
>greatly appritiatted.
If the server is so critical, why are these five people doing *anything* on
it? Boxes are so cheap that it may be better for the five users to use a
less critical server. Disable remote shell access to the server (so in
order to log on, someone has to use the console) and lock up the console.
Maintenance functions can be scripted, and then your scripts can use the
logger(1) function to indicate who and what. Scripts would also perform
sanity checks on the changes to be made on the server, so that
misconfiguration becomes less of a problem.
If you absolutely must allow shell access, you can take the source of bash
and patch it to include calls to the syslog function to log command-line
input. Unless you are very, very careful, though, you will catch virtually
all script-based activity built into the system, which makes for a very
large log. On the other hand, if you go too far in the other direction,
people can create and execute scripts and you will never know what was in
those scripts.
Better to compartmentalize.
Satch
--
The human mind treats a new idea the way the body treats a strange
protein: it rejects it. -- P. Medawar
This posting is for entertainment purposes only; it is not a legal opinion.
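Satch's suggestion of scripted maintenance functions that record who did what through logger(1), worked into a small wrapper. This is an added example, not code from the thread or from any of the posters; it assumes the script is invoked through sudo, that the action names and the commands behind them are hypothetical placeholders, and that the box's syslogd forwards the auth facility to the remote syslog host.

```shell
#!/bin/sh
# Logged maintenance wrapper (added illustration, not from the thread).
# Assumes it runs via sudo (SUDO_USER names the real person) and that
# syslogd forwards the auth facility to the log host, e.g. via a line
# "auth.notice  @loghost" in /etc/syslog.conf.
# Only these fixed actions exist; callers never supply a command line.
ALLOWED_ACTIONS="show-disk rotate-logs restart-httpd"
# Sanity check: 0 if $1 is an allowed action name, 1 otherwise.
check_action() {
    for a in $ALLOWED_ACTIONS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}
# One-line audit record: who asked, what was asked, and the outcome.
build_audit_msg() {
    printf 'user=%s action=%s result=%s' "$1" "$2" "$3"
}
# Ship a record to syslog (auth facility); fall back to stderr, never fail.
audit_log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t maint -p auth.notice -- "$1" 2>/dev/null && return 0
    fi
    printf 'maint: %s\n' "$1" >&2
}
# Map an action name to the fixed command it is allowed to run.
dispatch() {
    case "$1" in
        show-disk)     df -h ;;
        rotate-logs)   logrotate -f /etc/logrotate.conf ;;
        restart-httpd) service httpd restart ;;   # Red Hat 7.x init wrapper
        *)             return 1 ;;
    esac
}
# Log intent, run the action, log the exit status; returns 2 when refused.
run_logged() {
    _who="${SUDO_USER:-$(id -un)}"
    if ! check_action "$1"; then
        audit_log "$(build_audit_msg "$_who" "$1" refused)"
        return 2
    fi
    audit_log "$(build_audit_msg "$_who" "$1" started)"
    dispatch "$1" && _rc=0 || _rc=$?
    audit_log "$(build_audit_msg "$_who" "$1" "rc=$_rc")"
    return "$_rc"
}

if [ $# -gt 0 ]; then run_logged "$1"; fi
```

Because the users call the wrapper (via sudo) rather than a shell, the refused attempts are logged just like the successful ones, which is the record Satch wants on the syslog host.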
* Re: critical server commands logging
From: urgrue @ 2003-01-11 20:24 UTC (permalink / raw)
To: Prashant Desai, linux-admin
There was some kind of "virtual tty" program; it might even have been a
kernel patch.
If I remember correctly, it allows you to capture every keystroke and even
screen output.
I'm sorry, I don't remember the name; maybe someone else does.
>At 09:42 AM 1/11/03 -0800, Prashant Desai wrote:
>> i want to log each and every commands which
>>each user gives during their login session to the
>>redhat linux 7.1/6.1/7.0 servers these server are very
>>critical for us and as there are multiple users around
>>5 whom are using these server , ya all the logging
>>should go to the syslog server ,
>>
>> has any one done this ? how ?
>>
>> is this possible ?? how ? any pointers would be
>>greatly appritiatted.
>
>If the server is so critical, why are these five people doing *anything*
>on it? Boxes are so cheap that it may be better for the five users to use
>a less critical server. Disable remote shell access to the server (so in
>order to log on, someone has to use the console) and lock up the console.
>
>Maintenance functions can be scripted, and then your scripts can use the
>logger(1) function to indicate who and what. Scripts would also perform
>sanity checks on the changes to be made on the server, so that
>misconfiguration becomes less of a problem.
>
>If you absolutely must allow shell access, you can take the source of bash
>and patch it to include calls to the syslog function to log command-line
>input. Unless you are very, very careful, though, you will catch
>virtually all script-based activity built into the system, which makes for
>a very large log. On the other hand, if you go too far in the other
>direction, people can create and execute scripts and you will never know
>what was in those scripts.
>
>Better to compartmentalize.
>
>Satch
* Re: critical server commands logging
From: Mike Dresser @ 2003-01-11 20:35 UTC (permalink / raw)
To: urgrue; +Cc: Prashant Desai, linux-admin
On Sat, 11 Jan 2003, urgrue wrote:
> there was some kind of "virtual tty" program, it might even have been a
> kernel patch.
> if i remember correctly it allows you to capture every keystroke and even
> screen output.
> im sorry i dont remember the name, maybe someone else does.
Perhaps ttysnoop?
* Re: critical server commands logging
From: Glynn Clements @ 2003-01-11 20:55 UTC (permalink / raw)
To: Prashant Desai; +Cc: urgrue, linux-admin
urgrue wrote:
> there was some kind of "virtual tty" program, it might even have been a
> kernel patch.
> if i remember correctly it allows you to capture every keystroke and even
> screen output.
> im sorry i dont remember the name, maybe someone else does.
Probably ttysnoop and/or telnetsnoopd (a "snooping" version of
telnetd).
However, this will only get you so far. Someone who is actively trying
to do something malicious without getting caught can find a way around
almost any logging mechanism which you install.
E.g. logging the telnet/ssh connection can be circumvented by the
following method:
1. Log in.
2. Generate a PGP key-pair.
3. Display the public key (i.e. send it back to the client).
4. Send a script which has been encrypted with the public key.
5. Decrypt the script.
6. Execute the script.
7. Delete the PGP key-pair.
As the private key is never sent over the connection, you have no way
of seeing what's in the script.
If you think that the above would look suspicious, bear in mind that
there are a great many ways in which the process can be obfuscated.
Consider the situation where the user creates a text file (e.g. a
script) by using a text editor (e.g. vi) interactively; deducing the
exact contents of the file by examining the keystrokes which are
logged is far from trivial.
--
Glynn Clements <glynn.clements@virgin.net>
* Re: critical server commands logging
From: Saint Neon @ 2003-01-12 5:29 UTC (permalink / raw)
To: Glynn Clements; +Cc: linux-admin
This is somewhat unconventional, but works.
You could run sniffer programs on your server, without too
much worry about load.
sniffit is a good program. You can find it here:
http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
You can specify the host connections that you want to
log. The configuration file packs lots of punch and
power into it.
Neon.
--- Glynn Clements <glynn.clements@virgin.net> wrote:
>
> urgrue wrote:
>
> > there was some kind of "virtual tty" program, it might even have been a
> > kernel patch.
> > if i remember correctly it allows you to capture every keystroke and even
> > screen output.
> > im sorry i dont remember the name, maybe someone else does.
>
> Probably ttysnoop and/or telnetsnoopd (a "snooping" version of
> telnetd).
>
> However, this will only get you so far. Someone who is actively trying
> to do something malicious without getting caught can find a way around
> almost any logging mechanism which you install.
>
> E.g. logging the telnet/ssh connection can be circumvented by the
> following method:
>
> 1. Log in.
> 2. Generate a PGP key-pair.
> 3. Display the public key (i.e. send it back to the client).
> 4. Send a script which has been encrypted with the public key.
> 5. Decrypt the script.
> 6. Execute the script.
> 7. Delete the PGP key-pair.
>
> As the private key is never sent over the connection, you have no way
> of seeing what's in the script.
>
> If you think that the above would look suspicious, bear in mind that
> there are a great many ways in which the process can be obfuscated.
>
> Consider the situation where the user creates a text file (e.g. a
> script) by using a text editor (e.g. vi) interactively; deducing the
> exact contents of the file by examining the keystrokes which are
> logged is far from trivial.