capture executed commands

 
Systeemingenieurs Infoc
Valued Contributor

capture executed commands

Is there a way to capture all the executed commands (and their arguments) in a shell? It is important that no one can tamper with these logs. What I have tried up till now: auditing and accounting. Neither gave the intended results.

Is there a way to force telnetd/rlogind to provide this logging (HP-UX 11.00 and 10.20)? Or is it possible/wise to alter publicly available sources to provide these means?

tia,
hein coulier
A Life ? Cool ! Where can I download one of those from ?
11 REPLIES
harry d brown jr
Honored Contributor

Re: capture executed commands

Not unless you write your own shell!

The best security policy, is to keep users out of shells!!!

Users should run applications, not be in shells! Ask any system security auditor!


live free or die
harry
Live Free or Die
Steve Steel
Honored Contributor

Re: capture executed commands

Hi

Applications are better than scripts. BUT

If you have the space then you could try the script command in the user's profile:

script uniquename
exit

Then everything typed is copied into the unique file, and when an exit occurs the second exit throws the user out.


Steve Steel
If you want truly to understand something, try to change it. (Kurt Lewin)
Systeemingenieurs Infoc
Valued Contributor

Re: capture executed commands

"The best security policy, is to keep users out of shells!!! "

That is correct, but what if it is the wish of the security auditors to track the actions of all users, including the sysadmins themselves (which is the case here)? For the record, our production machines do not contain any end users; only 'general accounts' (e.g. root, oracle, application users, intervention users, ...).

I thought of script, but it has the disadvantage that anyone can delete his own logs, and it includes a lot of garbage.

hein coulier

A Life ? Cool ! Where can I download one of those from ?
Stefan Farrelly
Honored Contributor

Re: capture executed commands


The best thing to do is let your users use secure shell only (Restricted shell - rsh). This will limit severely what they can do, and anything else they need to do you can write a C program to do and thus log it somewhere they can't see.

If you use HISTFILE and shell logging, this can be very easily deleted or removed by a user, so not so safe.

Other option is to replace their shell with your own shell, which is just a C program which logs everything they do and then passes all commands to a proper shell (using the 'system' C call), so they still have normal functionality.
I'm from Palmerston North, New Zealand, but somehow ended up in London...
Systeemingenieurs Infoc
Valued Contributor

Re: capture executed commands

I thought of my own shell wrapper too. But what if I execute another shell (say sh)? I thought that all the commands executed under sh won't be passed to my shell wrapper. So my conclusion was that it's better to elevate the logging point from the shell to the telnetd or rlogind.

rsh is not really acceptable for root or the other users.

For some users we will indeed use menu-driven 'shells'.
A Life ? Cool ! Where can I download one of those from ?
harry d brown jr
Honored Contributor

Re: capture executed commands

As I noted before, if you wrote your own "shell" you would have to limit the commands users can issue because a lot of them allow the user to "escape" out, like vi and more to name the most common. Maybe we need to go back to the TTY (paper console) days for consoles, and only allow administration at the console? I agree that it's a pain, and hopefully someone, someday will address it.

live free or die
harry
Live Free or Die
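The logging-shell wrapper Stefan suggests, and the escape Hein and Harry worry about, as an added example that is not code from this thread. It is written in sh rather than C, but it does what the C version would: log the line it was handed, then run it through a real shell exactly as system(3) does. The log path and the sample session are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): a logging "shell" wrapper
# of the kind described above, plus a check for its escape hatch.
# LOGFILE and the sample session are assumptions made up for this demo.

LOGFILE=${LOGFILE:-/tmp/cmdlog.$$}

# Record one command line as the wrapper sees it, then hand it to a real
# shell the way system(3) would. Only the text of the line is logged;
# whatever a child process then does with the terminal is invisible here.
log_and_run() {
    t=$(tty 2>/dev/null) || t=none
    printf '%s %s tty=%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
        "$(id -un)" "$t" "$1" >> "$LOGFILE"
    sh -c "$1"
}

# The wrapper's main loop: read a line, log it, run it. A real wrapper
# would be the account's login shell and read the terminal; here it reads
# whatever stdin it was given so the behaviour can be reproduced offline.
wrapper_loop() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        log_and_run "$line"
    done
}

# Demonstration of the gap: once the user types 'sh', the child shell reads
# the terminal (here: the rest of our stdin) by itself, so the commands it
# executes never pass through log_and_run. Returns 0 when 'echo two' ran
# but was never logged, i.e. when the escape works as feared.
demo_escape() {
    tmp=$(mktemp)
    LOGFILE=$tmp.log
    # Constructed session: the third line is typed to the nested sh, not to us.
    printf 'echo one\nsh\necho two\n' > "$tmp"
    wrapper_loop < "$tmp" > /dev/null
    if grep -q ' echo one$' "$LOGFILE" && grep -q ' sh$' "$LOGFILE" \
        && ! grep -q 'echo two' "$LOGFILE"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp" "$LOGFILE"
    return $rc
}
```

The log shows "sh" and nothing after it: the same thing happens with the shell escapes in vi, more and any other program that starts a child, which is why the thread moves on to capturing the terminal stream instead of the command lines.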
Steven Sim Kok Leong
Honored Contributor

Re: capture executed commands

Hi,

man acctcom, runacct for the available usage accounting tools on HP-UX.

Setting history is one good way, e.g. in /etc/profile within traps:

export HISTFILE=/logs/`id -un`
readonly HISTFILE

Make sure that the /logs directory is set with the sticky bit (t) on. The only problem is that the user can truncate his log if he is aware of this implementation.

Expect scripting is another way to capture the output in an expect script. I have seen it being done (the log is huge because it logs everything from screen outputs as well) but I do not have the script.

Hope this helps. Regards.

Steven Sim Kok Leong
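The HISTFILE setup from the post above, as an added example that is not from the thread, with the directory setup and a check for the weakness Steven names. The directory is passed in as a parameter (the thread uses /logs); everything else is an assumption made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): the readonly-HISTFILE
# approach as a checkable script. The thread uses /logs; the directory is
# a parameter here so the script runs anywhere.

# Create the shared history directory: sticky bit so users cannot remove or
# rename each other's files, no read bit for others so they cannot list it.
# Mode 1733 = sticky + rwx owner + wx group + wx other. Prints the mode
# as ls shows it, for checking.
setup_histdir() {
    dir=$1
    mkdir -p "$dir" || return 1
    chmod 1733 "$dir" || return 1
    ls -ld "$dir" | cut -c1-10
}

# What the post puts in /etc/profile. Marking HISTFILE readonly stops the
# user from pointing it elsewhere with a later assignment or unset.
# Returns 0 if a later reassignment is in fact rejected.
lock_histfile() {
    HISTFILE="$1/$(id -un)"
    export HISTFILE
    readonly HISTFILE
    # Try the reassignment in a subshell: in POSIX mode it is a fatal
    # error, and we do not want it to kill this shell.
    if ( HISTFILE=/dev/null ) 2>/dev/null; then
        return 1        # not locked
    fi
    return 0
}

# The caveat from the post: the user owns the file, so readonly HISTFILE
# does not stop truncation. Returns 0 if the file could be emptied by the
# very user the log is meant to watch.
user_can_truncate() {
    f=$1
    echo "ls -la /etc" >> "$f" || return 1
    : > "$f" 2>/dev/null || return 1
    [ ! -s "$f" ]
}
```

Two things to keep in mind when judging this control: the sticky bit protects users from each other, not a user from himself, and HISTFILE is only honoured by ksh and the POSIX sh, so a user who starts /usr/old/bin/sh leaves no history at all.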
Kenny Chau
Trusted Contributor

Re: capture executed commands

Hi,

If you want to trap what commands the users had typed and the output, you can put this command in the .profile (or script) of that user:

script -a /logging/loga

However, when the user logs out by typing exit, it will only exit the script command and the user needs to type exit again to exit the telnet session. But the main point is that when the user types the first exit, it will show:

Script started, file is /logging/loga
Script done, file is /logging/loga

In this case, the user can delete that log because he has permission to do that. So I will suggest using this:

script -a /logging/loga | tee -a /rootdir/logb

With this command, the user will only know about the log in /logging/loga but will not know there is another log in /rootdir/logb.

Hope this helps.
Kenny.
Kenny
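The script(1) capture from Steve's and Kenny's posts, as an added example that is not from the thread, turned into a .profile fragment with the pieces that bite in practice: a unique name per session, a guard against nesting, and a check on the directory that receives the tee copy. The directory names are assumptions (the thread uses /logging and /rootdir).

```shell
#!/bin/sh
# Added example (not from the original thread): .profile fragment for
# script(1)-based session capture with a second copy via tee. Directory
# names are assumptions; the posts above use /logging and /rootdir.

SESSION_LOG_DIR=${SESSION_LOG_DIR:-/logging}     # copy the user knows about
HIDDEN_LOG_DIR=${HIDDEN_LOG_DIR:-/rootdir}       # second copy written by tee

# One file per session, not one per user: a shared file can be wiped by
# its owner in one go, and separate names make a vanished session obvious.
session_logname() {
    # $1 = user, $2 = tty name, $3 = epoch seconds, $4 = pid
    t=$(printf '%s' "$2" | tr '/' '_')
    printf '%s.%s.%s.%s' "$1" "$t" "$3" "$4"
}

# tee runs *as the user*, so the user needs write+search on the hidden
# directory, but must not be able to list it (no read bit) or remove other
# sessions' files (sticky bit): mode 1733. Returns 0 if it is set up so.
hidden_dir_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "drwx-wx-wt" ]
}

# Guard against starting script(1) twice: script spawns $SHELL, and if that
# shell reads this profile again we would nest forever. The marker is
# exported so the captured shell sees it. Returns 1 if already captured.
start_session_capture() {
    if [ -n "$SESSION_CAPTURED" ]; then
        return 1
    fi
    SESSION_CAPTURED=1; export SESSION_CAPTURED
    t=$(tty 2>/dev/null) || t=notty
    name=$(session_logname "$(id -un)" "$t" "$(date +%s)" "$$")
    # The pipeline cannot be exec'ed (each side runs in its own process),
    # so the trailing exit is still what ends the login when script exits.
    script -a "$SESSION_LOG_DIR/$name" | tee -a "$HIDDEN_LOG_DIR/$name"
    exit
}
```

The tee copy is hidden only from casual inspection: the file must be writable by the user for tee to append to it, and the full path appears in the tee command line in ps -ef, so a user who looks can still find and truncate it. It raises the bar against accidental or careless deletion, not against a sysadmin who knows the setup.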
Wodisch
Honored Contributor

Re: capture executed commands

Hello Hein,

what you (your auditors) could do, is to get (read: write, program) so-called "STREAMS-modules", push these onto the STREAMS used for the sessions in question and have a daemon running all the time, which gets the data from the STREAMS-modules.
The STREAMS modules would let everything pass through, up- and down-stream, but copy every character to another STREAM, where the daemon is connected to and reads everything from...

HTH,
Wodisch
Rita C Workman
Honored Contributor

Re: capture executed commands

Don't know if this is something you're looking for (as an option).
Recently, I was looking for a couple of things: 1. to disperse admin functions to users (a little more tuned than sam -r);
2. to be able to audit EVERYTHING/EVERY KEYSTROKE a certain user does on an 'as I want it' basis, even when using vi, so I didn't have to turn on audit for everyone.

I could have scripted my head off... but I'm not Clay, JRF or Robin... and yes I am aware of ssh... but I wanted just a tad more control and options.
I finally settled on a third-party software from Symark (PowerBroker). It's a secure shell with some extras like FULL keyboard replay.
It costs... but what doesn't. It's either pay for it in time spent scripting... or buy it.

Just a thought,
Rita

Systeemingenieurs Infoc
Valued Contributor

Re: capture executed commands

Wodisch,

Do you have more details/docs about how to get into the STREAMS?


Rita,

I peeked at the Symark site. It is indeed a promising product. I do have some questions:
- is it only root that can be 'traced'?
- the delegation of root 'permissions', is it sudo-like?
- can you give me an estimate of the purchase cost of the 'tracing module' (is it $1,000 or $100,000)?

hein coulier
A Life ? Cool ! Where can I download one of those from ?