Linux History Security Issue "save records Prevent deletion" + Perfect Linux/unix audit log each shell command

2011-09-27 22:11:51| Category: rhel5_033| Report | Font size Subscription

Linux uses Prompt_command to realize audit function

This system audits, records what the user, at what time, did what operation. The information is then recorded in a file.

I. Configuration

1. At the end of the/etc/profile file, add the following 2 lines of code:

Export history_file=/var/log/' date ' +%y%m '. log

Export prompt_command= ' {date ' +%y-%m-%d%T ##### $ (Who am I |awk "{print \$1\" \ "\$2\" \ "\$5}") # # # # (History 1 | {read x cmd; echo "$cmd";}) ";} >> $HISTORY _file '

Add complete save to exit. Any action commands will be seen in the/var/log/date. Log. You can also define your own directory or file. Let others not find only allow themselves to see. Only need to modify

Export history_file=/var/log/' date ' +%y%m '. Log this record can be

/etc/profile: This file sets the environment information for each user of the system, and the file is executed the first time the user logs on. and collects the shell settings from the configuration file of the/ETC/PROFILE.D directory.

[ email protected] ~]#/etc/profile or [[email protected] ~] #source/etc/profile

Make the change effective, if there is no error stating the success.

Verify that there is data in the log

[Email protected] ~]# More/var/log/201107.log

2011-07-21 17:29:08 ##### Root PTS/2 (192.168.23.250) # # # # # # # /etc/profile

You can see that there's already data inside.

You can also use

Prompt_command= ' {date ' +%y-%m-%d%T ##### USER: $USER IP: $SSH _client PS: $SSH _tty # # (History 1 | {read x cmd; echo "$cmd";}) ";} >> $HISTORY _file '

The command is different but the result is the same.

Editor's note: Preserving the execution history of shell commands is a useful technique to ensure server security. However, although the shell has historical functions, this feature is not designed for auditing purposes and is therefore easily tampered with or lost by the user. The steps described in this article can help you to log each shell command (you can read this article and Bash history logging attack and defend it to see how the two sides ' ideas differ). This author, David Douthitt, is an experienced UNIX and Linux system administrator who has worked on the Linux distribution package, as well as the "advanced Topics in System administration" and the GNU screen: A comprehensive Manual the author of two books. The following is the text:

Logging each shell command executed by a user is more difficult than originally imagined. The Shell's historical function was originally designed to help users use previously used commands. We all know this application: you just typed a long field, but misspelled a character. The history of the shell allows you to correct this one character without having to enter all the remaining characters.

However, Shell history is difficult to meet the purpose of auditing. In other words, it is not designed to ensure system security.

The problem is especially difficult for bash shells, because the shell is designed to simplify life for the user wherever possible-so it has all the "fancy features" (bells and whistles). You must take into account all of these features and prevent changes to the history files.

The Korn shell is relatively simple, making it easier to protect the shell's history.

If you want to keep the history of these shells in strict custody, you need to perform a series of steps.

First, lock the shell's history file itself. change its properties to add only chattr +a. sh_history or chattr +a. Bash_history at the end. This makes it impossible to delete or change the data in the file, even if the user cannot change the attribute--only the root user can change it.

second, make sure that the historical variables are set reasonably and cannot be changed. These historical variables include the most important histfile, Histcommand, and Histignore. To do this, use the shell's typeset command with the-r option, which allows the specified variable to have a read-only property. A good practice is to make all historical environment variables read-only, such as:

Export histcontrol=  export histfile= $HOME/.bash_history export  histfilesize=2000 export  histignore=  Export histsize=1000  export histtimeformat= "%a%b%Y%T%z"  typeset-r histcontrol  typeset-r histfile< C8/>typeset-r histfilesize  typeset-r histignore  typeset-r histsize  typeset-r Histtimeformat

Histtimeformat is an extension of the bash shell that will provide timestamps in the history file.

For bash shell, you need to change some of the standard options for history:

Shopt-s cmdhist #Set cmdhist to put multiple lines of commands into a single history line shopt-s histappend #Set histappend will ensure that it is added to the history file, instead of overwriting the history file as usual.

Also for bash shell, set Prompt_command:

Prompt_command= "History-a"  typeset-r Prompt_command

This is because the bash shell actually writes history to memory, and the history file is updated only at the end of the shell session. This command attaches the previous command to a history file on disk.

Finally, Create a sigdebug trap , the command is sent to the system log (syslog). VMware's ESXi has this capability with its own version of the ash shell. In short, you should create a function that logs the current command into a log (obtained from a history file) and then sends it to the system log with the Logger command. This step is applicable in both the bash shell and the Korn shell.

These steps are a bit verbose, but there are new features in bash and ksh that make it all the more easy. GNU Bash added the ability to log into the system in version 4.1, which was activated only when the shell was compiled.

The Korn shell has been audited since the launch of ksh93. Like Bash 4.1, user auditing is a compile-time feature. To see if the ksh93 version you're using has an audit feature installed, you can execute one of the following commands:

Echo ${.sh.version}  echo $KSH _version

In Ubuntu 10.10, I got this output from ksh93:

# echo ${.sh.version}  version JM 93t+ 2009-05-01

If the audit function is turned on, the feature string (JM) will also have the letter a (turn on auditing) and possibly the letter L (Turn on auditing for the user). The IBM DeveloperWorks and musings of an OS Plumber have published excellent articles on Korn shell audits.

The Bash shell is also less likely to contain auditing capabilities. Bash on Ubuntu 10.10 is the 4.1.5 (1) version.

For users who are still using C shell (and especially Tsch), TCSH has a variant named "TCSH-BOFH", which supports logging into the system log. Unfortunately, TCSH-BOFH has not been maintained for a long time. As early as January 2010, TCSH-BOFH's FreeBSD port was removed from the FreeBSD port tree.

This information can also be obtained outside the shell. For example, there are two commands: Lastcomm (from the Acct package in Ubuntu main repositories) and Auditctl (AUDITD package from the Ubuntu Universe Software warehouse). In addition, Linux Journal published a Good article on the Linux process statistics in 2002. There are also two packages, rootsh and Snoopylogger, except that both are not in the Ubuntu software repository. Rootsh is like a typescript version, and Snoopylogger is a system library that you can add to your user environment. (Many of these methods come from a question raised on serverfault.com, please refer to this post .) ）

Linux History Security Issue "save records Prevent deletion" + Perfect Linux/unix audit log each shell command