syslog config to show chmod 1

[allywilson]

Hi all,
What changes do I need to make so that anytime chmod is run on a directory/file (either specifically or anywhere on the system) it will appear in the syslog?

Anyone know?

Cheers

 

[Annihilannic]

You could replace the /usr/bin/chmod binary with a wrapper script. Note that this would not record any mode changes made directly by programmes (i.e. by using the chmod() system call rather than running the chmod binary). You would need to use some kind of kernel auditing facility to go to that level...

#!/usr/bin/ksh

echo $(date) $0 "$@" >> /tmp/chmod.log
ps -fp $$ $PPID >> /tmp/chmod.log
logger "chmod was used with these parameters: $@"
exec /usr/bin/chmod.orig "$@"

Annihilannic.

 

[allywilson]

Thanks Annihilannic - that's a pretty cool idea. It does lead me to think that it might be worth doing that for a lot of other specific commands as well (rm, chown, etc).

Are you able to point me in the direction of somewhere to investigate the kernel auditing facility, perhaps?

I only ask as there are a lot of people who know the root password of one of out solaris boxes (and they all genuinely need it, admin shift rotations, cover, etc.) but we recently noticed that one of the applications sitting on it had had one of its directories chmod'd and it wasn't listed in the history to trace back to when it was (hence my original question).

Thanks again.

 

[elgrandeperro]

Instead of that, I would suggest you run aide,tripwire or equivalent. This "profiles" your system in a simple database, and will alert on changes of mode, ownership or data. I think aide is the solaris version, tripwire has both old public and commercial versions.

 

[Annihilannic]

I agree with EGP, my method is something I would only recommend for temporary troubleshooting, if you want a broader, more permanent solution then follow his recommendations.

Annihilannic.