[logs] How to log - commands and file access
James B Horwath
Jim_Horwath at glic.com
Sat Nov 10 07:49:07 PST 2007
Most UNICES do a terrible job of command line logging. If the system does
log commands, it is very easy to circumvent unless you implement the audit
subsystem. Like Anton said, the audit subsystem produces large volumes of
data. Parsing audit data is tedious, resource hungry and error prone. In
the past I implemented a poor person's command logger in the /etc/profile
using:
#
# Log all commands executed on the
# system to syslog.
#
# Arm the trap only in interactive shells ($- contains "i").
echo $- | /usr/bin/grep "i" > /dev/null 2>&1
if (( $? == 0 )); then
    function dlog
    {
        typeset -i stat=$?      # exit status of the command just finished
        typeset x
        x=$(fc -ln -0)          # most recent history entry, without its number
        MY_TTY=`/usr/bin/tty | /usr/bin/sed 's/\/dev\///'`
        MY_ID=`/usr/bin/who | /usr/bin/grep "${MY_TTY}" | /usr/bin/awk '{print $1}'`
        # tag carries login name, tty owner and shell pid; message carries the rest
        /usr/bin/logger -p daemon.notice -t "ksh euid: ${LOGNAME} id: ${MY_ID} $$" \
            Status ${stat} PWD ${PWD} TTY=`tty` \'${x# }\'
    }
    trap dlog DEBUG             # dlog fires for every command the shell runs
fi
Although this works for the majority of cases, there are problems:
- Users defining a large number of aliases experience a slow down in the logon process
- WinSCP didn't always work with the above
- Shell escapes are not logged
- Administrative interfaces like Smitty (AIX) do not log
NOTE: The AIX equivalent is auditbin.
Jim Horwath
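Added here as an example (not code from the post): a Python triage pass over the syslog lines Jim's ksh logger writes, tying them to the /etc/shadow watch asked about in the quoted thread below. It assumes syslogd renders the logger tag as "tag: message"; the sensitive-path list and the list of programs with shell escapes are my own, and the sample lines are constructed.

```python
import re
# One syslog line as the post's logger(1) call would write it, assuming the
# usual "<tag>: <message>" rendering by syslogd (sample lines are constructed).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ksh euid: (?P<login>\S+) id: (?P<tty_owner>\S*) (?P<pid>\d+): "
    r"Status (?P<status>\d+) PWD (?P<pwd>\S+) TTY=(?P<tty>\S+) '(?P<cmd>.*)'$"
)
SENSITIVE = ("/etc/shadow", "/etc/sudoers", "/etc/security/passwd")  # assumed list
# Programs with a built-in shell escape; what is typed inside them never reaches
# the DEBUG trap, so a launch marks the point where command logging goes blind.
ESCAPE_CAPABLE = {"vi", "view", "more", "less", "ftp", "smitty"}

def parse(line):
    """Fields of one logger record as a dict, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def findings(rec):
    """Tags a defender would want raised for one parsed record."""
    tags = []
    if any(p in rec["cmd"] for p in SENSITIVE):
        tags.append("sensitive_file")
    # LOGNAME (euid field) differs from the tty owner who(1) reports, as after su.
    if rec["tty_owner"] and rec["tty_owner"] != rec["login"]:
        tags.append("identity_switch")
    words = rec["cmd"].split()
    if words and words[0].rsplit("/", 1)[-1] in ESCAPE_CAPABLE:
        tags.append("logging_blind_spot")
    return tags

def triage(lines):
    """(record, tags) for every parsable line that raised at least one tag."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        tags = findings(rec)
        if tags:
            hits.append((rec, tags))
    return hits

# Constructed sample: a plain command, root reading the shadow file from jim's
# tty, an editor launch, and an unrelated sshd line that parse() skips.
SAMPLE = [
    "Nov 10 07:49:07 aix1 ksh euid: jim id: jim 4711: Status 0 PWD /home/jim TTY=/dev/pts/0 'ls -l'",
    "Nov 10 07:49:20 aix1 ksh euid: root id: jim 4799: Status 0 PWD /root TTY=/dev/pts/0 'cat /etc/shadow'",
    "Nov 10 07:50:02 aix1 ksh euid: jim id: jim 4711: Status 1 PWD /home/jim TTY=/dev/pts/0 'vi notes.txt'",
    "Nov 10 07:50:30 aix1 sshd[512]: Accepted publickey for jim from 10.0.0.5",
]
```

Feed it the daemon facility log and the "logging_blind_spot" tag tells you exactly where the post's "shell escapes are not logged" caveat bites.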
"Anton Chuvakin" <anton at chuvakin.org>
Sent by: loganalysis-bounces at loganalysis.org
11/09/2007 03:09 PM
To: david.bigot at devoteam.com
cc: loganalysis at loganalysis.org
Subject: Re: [logs] How to log - commands and file access
> - all file access by process and username in real-time (not static) or
> if it's not possible, which process and username access to some files (or
> directory) like /etc/shadow, /data/ ...
Unix binary audit is the answer to this one. Specifically,
- Solaris BSM audit
- HPUX Audit
- AIX <whatever they call it>
Be prepared to experience a flood of data. If you are doing it per
user, it will be much easier. Some allow it (and some don't) on a
per-file/per-directory basis; use it!
You can then centralize the resulting binary audit files into a log
management tool for reporting, analysis, searching, safekeeping, etc.
P.S. Since I just mentioned a log management tool, I need to please
Tina and say: I work for LogLogic that makes such tools.
Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org
_______________________________________________
LogAnalysis mailing list
LogAnalysis at loganalysis.org
http://www.loganalysis.org/mailman/listinfo/loganalysis