
How to log commands issued by specific user on Solaris?


Eric33

Technical User
Sep 10, 2003
22
SG
Hi,

I need to log all commands issued by a specific user from the time he logs into the server (either telnet or console) till he exits.

I can think of 2 options, but neither really worked:

1. Use BSM - But it is logging too much info and is difficult to comprehend. All that I need are the commands issued by the user

2. Add the command "script -a /var/log/user_commands" into the user profile. - This works only partially as the user is able to stop the "script" by typing "exit". He is then free to issue commands that will not be audited.

Any suggestions?

Thanks.
Eric
 
Hi:

You don't mention which shell you are using. If you are using ksh or csh, commands are saved in the file defined by the HISTFILE variable. When the user logs off, you could save off his HISTFILE. Of course, if security is a real issue, the user can edit that file before they log off.
 
Hi Olded,

Thanks for your reply.

We are using the Bourne shell. We are logging the commands issued as part of our security control, so the log file should only be modifiable by root.

As such, the histfile method might not be good enough. Is there any other way we can achieve this?

Thanks.
Eric


 
AFAIK Bourne doesn't support history (but bash does - maybe you're using that?). Not sure whether Bourne supports script - tried it on a Solaris 8 box and it appears to, so putting a script statement in the login file would record certain things, though is also easily bypassed by savvy users.
 
I achieved something similar to this under SCO OpenServer by making HISTFILE a read-only variable and tailing the users' shell logs into a root-owned log. If they did edit their history file it would be too late because it was already in the root-owned version.

It means quite a few extra processes running (one tail and one perl per user ID), and is also fairly easy to circumvent (the user can just run a Bourne shell for example, then any commands they want - but at least I would know they had done that).

Can you filter BSM to only collect the information you want?

Annihilannic.
 
There is a Java GUI on the Internet called BSMGUI. It can help you in parsing through the log files. I forgot the website though, and the creator also has some documents on configuring BSM. I think there is a link from Sun's site, or just go to Google and look for bsmgui.
 
Hi All,

Thanks for your replies.

My management is quite concerned about security, so any freeware is out for me.

I think I will force the user to log in using ksh instead of sh and adopt Annihilannic's idea to do a tail of the histlog. I am totally new to perl...but well...guess this is a great chance to "encourage" myself to pick up the basics. =]

Thanks all again.
Eric
 
Here is my SCO version which may give you some ideas, this goes in /etc/init.d/userlogger:

Code:
#!/bin/sh
#
# Combine users' shell logs into one file with timestamps.
# Note that LOGFILE can not be in the LOGDIR or this script
# will loop, filling up the log.

LOGDIR=/u/userlogs
LOGFILE=/u/userlog
ME=`basename $0`

startlogging() {
        echo "`date +%c`:$LOGNAME:($ME started)" >> $LOGFILE
        chmod 600 $LOGFILE

        cd $LOGDIR
        for USERLOG in *
        do
                tail -0f $USERLOG | /usr/local/bin/perl -nwe '
                        BEGIN {
                                # From the open() section on the perlfunc man page.
                                # Makes output unbuffered.
                                select(STDOUT); $| = 1;
                                $user = shift @ARGV;
                                $logfile = shift @ARGV;
                        }
                        # Filter out unwanted characters.
                        s/[^\040-\176\n]//g;
                        $command=$_;
                        use POSIX qw(strftime);
                        $now_string = strftime "%c", localtime;
                        open(LOGFILE,">>" . $logfile)
                                || die $0 . ": Unable to open " . $logfile . "\n";
                        printf(LOGFILE "%s:%s:%s",$now_string,$user,$command);
                        close(LOGFILE);
                ' $USERLOG $LOGFILE &
        done
}

stoplogging() {
        ps -ef | nawk '/tail -0f/ && ! /awk/ {print $2}' | xargs -l kill
        echo "`date +%c`:$LOGNAME:($ME stopped)" >> $LOGFILE
}

case "$1" in
        'start')
                startlogging
                ;;
        'stop')
                stoplogging
                ;;
        'restart')
                stoplogging
                startlogging
                ;;
        *)
                echo "Usage: $ME {start|stop|restart}"
                exit 1
                ;;
esac

I also have an associated cron job in the root crontab:

Code:
01 00 * * * /etc/init.d/userlogger restart

This ensures that any new users that are added are logged as well.

Also this was added to /etc/profile to set the appropriate history file and log the "login" and "logout" events:

Code:
readonly HISTSIZE=5000
readonly LINAME=$LOGNAME
TTY=`tty`
readonly HOMETTY=`basename $TTY`
readonly HISTFILE=/u/userlogs/$LINAME
export HISTSIZE HISTFILE LOGNAME TTY HOMETTY
print "#"$LINAME " " $HOMETTY" "`date` "Login">> $HISTFILE
trap "print '#'$LINAME ' ' $HOMETTY' '`date` 'Logout' >> $HISTFILE"  0 1 2 3

Annihilannic.
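An added example, not code from Annihilannic's post or from the thread: the per-line stage of the userlogger pipeline (the character filter and the "stamp:user:command" tagging that the perl one-liner does) written in plain sh, tr and awk, plus a check over a per-user history file for the bypass mentioned above, where the user simply starts another shell so ksh stops recording. The function names and the sample history are made up for this example; the optional fixed timestamp argument exists only so the output can be checked deterministically.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the thread's script).

# Same character filter as the perl stage: keep printable ASCII and newline,
# so control sequences and NUL bytes from the ksh history file are dropped.
clean_history() {
    tr -cd '\040-\176\n'
}

# Prefix every stdin line with "stamp:user:", the format of the combined log.
# $1 = user name, $2 = optional fixed timestamp (defaults to `date +%c`).
tag_history() {
    _user=$1
    _stamp=${2:-$(date +%c)}
    while IFS= read -r _line; do
        printf '%s:%s:%s\n' "$_stamp" "$_user" "$_line"
    done
}

# Read raw history lines (one command each) and print those that start a new
# shell, which is the escape from ksh history logging the thread warns about.
# Lines beginning with '#' are the Login/Logout markers written by /etc/profile.
find_shell_escapes() {
    awk '
        { cmd = $0; sub(/^[ \t]+/, "", cmd) }
        cmd ~ /^#/ { next }
        cmd ~ /^(\/(usr\/)?bin\/)?(sh|ksh|csh|bash)( |$)/ { print cmd }
    '
}

# Constructed sample of what HISTFILE=/u/userlogs/$LINAME might contain.
sample_history() {
    printf '#eric pts/1 Wed Sep 10 12:00:00 2003 Login\n'
    printf 'ls -l\033[0m\n'
    printf '  /bin/sh\n'
    printf 'echo sh is fine\n'
    printf 'ksh -c id\n'
}
```

Run `sample_history | clean_history | find_shell_escapes` to list the two shell escapes in the sample; `sample_history | clean_history | tag_history eric >> /u/userlog` is the equivalent of one pass of the perl stage.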
 
Annihilannic, you're making the rest of us administrators out here look like hacks. If you could lower the bar a little, we'd all appreciate it.
 
Hi Annihilannic,

Have not been checking this forum recently. Did not realise you had uploaded your script.

Thanks a lot for your assistance.
Eric
 