
| Subject: | Re: root group in solaris |
|---|---|
| Date: | Tue, 26 Sep 2006 17:09:52 -0700 |
Tonnerre Lombard <tonnerre.lombard@sygroup.ch> wrote:

> On Thu, 2006-09-21 at 11:59 -0700, Keith Bucher wrote:
> > One option that I've used to log these commands is sudosh (http://sourceforge.net/projects/sudosh/). It acts as a login shell, but logs all commands/keystrokes and allows easy playback/review of them for auditing.
>
> What if one of the commands is /bin/ksh? Or if the person in question runs sudo /bin/ksh?
Download the source (v1.6.3 is available from SourceForge). Try it. The source code needs at least one code change to compile with GCC v4.x on Solaris 8 (add #include <string.h>, but it needs to be wrapped in #ifdef HAVE_STRING_H and #endif since the autoconfigure process looks for it).

You will find that it actually runs the shell in an environment with pty (pseudo-tty) input and output, and it logs the input and output. So, this includes all the sub-processes, of course. In other words, it does do as advertised and keylogs the activities of the super-user (if it is a super-user who runs it).

There's also a mechanism to replay what happened - sudosh-replay - which can do the job at the same speed as the user typed it, or faster if you set the command line options. This allows you to see what the logged user saw.

Clearly, a cognizant root user could find the log files and remove them; I don't think there is much you can do about that, unless you hacked sudosh to log over a network connection to an unsubvertible machine.

There's supposed to be a version 2 product renamed EAS (Enterprise Audit Shell) available at http://download.strchr.net but it requires registration somewhere to get at the material so I haven't looked at it. See the Sourceforge page for more information.

-- 
Jonathan Leffler (jleffler@us.ibm.com)
STSM, Informix Database Engineering, IBM Information Management Division
4100 Bohannon Drive, Menlo Park, CA 94025-1013
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"
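To make the mechanism Jonathan describes concrete (the audited shell runs on a pseudo-tty, so everything typed is echoed back through the logger together with the output, sub-processes included), here is an added example of a minimal pty session recorder in C. It is not sudosh's code: the function name, the Linux-only controlling-tty behaviour, and the log path used when you call it are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <unistd.h>
/* Run argv on a fresh pseudo-tty, forward our stdin to it, and append every byte the
 * session emits (the tty echoes keystrokes, so input is captured too) to logpath.
 * Returns bytes logged, or -1 on setup failure. Hypothetical sketch, not sudosh's code. */
long record_session(char *const argv[], const char *logpath)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0 || grantpt(master) < 0 || unlockpt(master) < 0) return -1;
    const char *slave_name = ptsname(master);
    int logfd = open(logpath, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (!slave_name || logfd < 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                          /* child: new session, slave pty is its terminal */
        close(master); close(logfd); setsid();
        int slave = open(slave_name, O_RDWR); /* first tty a session leader opens becomes */
        if (slave < 0) _exit(127);            /* its controlling tty (Linux behaviour) */
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2) close(slave);
        execvp(argv[0], argv);                /* the audited shell, e.g. /bin/ksh */
        _exit(127);
    }
    long logged = 0; char buf[4096];
    int stdin_open = fcntl(STDIN_FILENO, F_GETFD) >= 0;  /* skip stdin if it is closed */
    for (;;) {
        fd_set rfds; FD_ZERO(&rfds); FD_SET(master, &rfds);
        if (stdin_open) FD_SET(STDIN_FILENO, &rfds);
        if (select(master + 1, &rfds, NULL, NULL, NULL) < 0) break;
        if (stdin_open && FD_ISSET(STDIN_FILENO, &rfds)) {
            ssize_t n = read(STDIN_FILENO, buf, sizeof buf);
            if (n <= 0) stdin_open = 0;       /* our EOF: stop forwarding, keep the pty alive */
            else if (write(master, buf, n) < 0) break;   /* keystrokes go to the shell */
        }
        if (FD_ISSET(master, &rfds)) {
            ssize_t n = read(master, buf, sizeof buf);
            if (n <= 0) break;                /* slave side closed: the session has ended */
            if (write(logfd, buf, n) < 0) break;         /* echo + output land in the log */
            logged += n;
        }
    }
    close(logfd); close(master); waitpid(pid, NULL, 0);
    return logged;
}
```

A real tool would also timestamp each chunk for replay and would ship the log off-host, since, as the message notes, a root user can simply delete a local log file.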