JP Vossen on 19 Sep 2018 09:00:24 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Follow-up: PLUG West "Echo [Terminal] 23: Watching Terminals for Fun and Profit"

Something else to keep in mind is that Charles' solution can be applied without prior preparation, which on one hand is really cool, but on the likely is it? If you want this, you probably want it already and before anything happens and/or for general auditing.

I did find this one that uses LD_PRELOAD tricks to "Log every executed command to syslog."

And this is a cool `snoopy` output format from $WORK (all 1 line):
message_format = "[user:%{username} date:%{datetime} uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}"

On 09/19/2018 10:57 AM, K.S. Bhaskar wrote:
Charles developed the code as a proof-of-concept for a demo. But if people on the list think it is likely to be useful, we can have him spend some time to make a more production-grade tool, either in C or in Go (using a Go API to YottaDB that we are developing). So let me take a poll of the group: would you use a tool like the one he demonstrated if it existed as production grade code? It will be FOSS (AGPL v3 is the license we use) and available from Gitlab.

– Bhaskar

On Tue, Sep 18, 2018 at 5:26 PM, JP Vossen < <>> wrote:

    Thanks to Charles Hathaway for the PLUG West "Echo [Terminal] 23:
    Watching Terminals for Fun and Profit" preso.  It looks like the
    demo/PoC code is at
    <> and the
    general idea is:
    strace -p <PID> -e write,read -xx -s 4096 | termrec <OPTIONS>
                     -xx = output in hex, -s is size

    Following up on that, but nothing below works after the fact, it all
    needs to be done before:
    1. Someone at work found a bash auditing tool, but it's complicated
    to install.  Unfortunately, that's *ALL* the details I have right now.
    2. Similarly, as I understand it Linux `auditd` can be used to log
    shell commands (but probably not the output).  I've never actually
    done it, but more details below.
    3. I've used this, but it's quick & very dirty and I really don't
    like it:
             export PROMPT_COMMAND='logger -p local1.notice -t
    "LinuxAuditLog[$$]" "SSH: $SSH_CONNECTION USER: $USER PATH: $PWD
    COMMAND: $(fc -ln -1)"'

    Linux Command line logging:
    Use Bash itself (I'd forgotten this one, and you'll almost certainly
    have to re-compile your own):
    ** l. There is a new configuration option (in config-top.h) that
    forces bash to forward all history entries to syslog.

    "use auditd"...
    ** rootsh (
    *** "rootsh is a logging wrapper for shells. It starts a shell with
    logging of input/output. You can run rootsh as a standalone
    application if you only want to log your own user’s session. If you
    call rootsh with additional commands, these will be passed to the

    Charles and I also had a brief discussion about testing in Bash but
    we got interrupted and never finished, and I'm not sure I really
    understand the question.  But maybe this will be interesting: <>
    "shUnit2 is a xUnit unit test framework for Bourne based shell
    scripts, and it is designed to work in a similar manner to JUnit,
    PyUnit, etc.. If you have ever had the desire to write a unit test
    for a shell script, shUnit2 can do the job."

    Otherwise, I think I've used the Perl testing framework as a kind of
    wrapper for some testing, and I've written really primitive tests in
    bash itself for something else.  IIRC that was mostly just a pile of
    `grep`s in a function with "[ OK  ]" or "[NOTOK]" output.

    We can start a new thread for this with more details if needed.

--  -------------------------------------------------------------------
JP Vossen, CISSP | |
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --