LogAnalysis
[logs] CanSecWest 2008 CFP (deadline Nov 30,conf Mar 26-28) and PacSec Dojo's Nov 09 2007 04:24AM
Dragos Ruiu (dr kyx net) (1 replies)
[logs] How to log - commands and file access Nov 09 2007 08:25AM
david bigot devoteam com (7 replies)
Re: [logs] How to log - commands and file access Mar 03 2008 07:24AM
Cesare (tensi mclink it)
Re: [logs] How to log - commands and file access Nov 25 2007 12:48AM
Karl Vogel (vogelke pobox com)
RE: [logs] How to log - commands and file access Nov 12 2007 11:37PM
Kurt Buff (KBuff zetron com) (1 replies)
RE: [logs] How to log - commands and file access Nov 13 2007 10:01PM
David Corlette (dcorlette novell com) (1 replies)
Re: [logs] How to log - commands and file access Nov 13 2007 11:31PM
Matt Cuttler (mcuttler bnl gov)
Re: [logs] How to log - commands and file access Nov 12 2007 02:47PM
Mike Blomgren (mike blomgren tornado se) (1 replies)
Re: [logs] How to log - commands and file access Nov 12 2007 03:15PM
david bigot devoteam com (1 replies)
Re: [logs] How to log - commands and file access Nov 13 2007 04:07AM
Anton Chuvakin (anton chuvakin org)
Re: [logs] How to log - commands and file access Nov 09 2007 08:09PM
Anton Chuvakin (anton chuvakin org) (2 replies)
Re: [logs] How to log - commands and file access Nov 10 2007 03:49PM
James B Horwath (Jim_Horwath glic com)
Most UNICES do a terrible job of command line logging. If the system does
log commands, it is very easy to circumvent unless you implement the audit
subsystem. Like Anton said, the audit subsystem produces large volumes of
data. Parsing audit data is tedious, resource hungry and error prone. In
the past I implemented a poor person's command logger in the /etc/profile
using:

#
# Log all commands executed on the
# system to syslog.
#
# Install the trap only in interactive shells ($- contains "i").
echo $- | /usr/bin/grep "i" > /dev/null 2>&1
if (( $? == 0 )); then
    function dlog
    {
        # Capture the exit status first, before anything in this
        # function overwrites $?.
        typeset -i stat=$?
        typeset x
        # Most recent history entry; fc prefixes it with a tab, so
        # strip the leading whitespace.
        x=$(fc -ln -0 | /usr/bin/sed 's/^[[:space:]]*//')
        MY_TTY=`/usr/bin/tty | /usr/bin/sed 's/\/dev\///'`
        # Match the tty field of who(1) exactly, so pts/1 does not
        # also pick up the owner of pts/10.
        MY_ID=`/usr/bin/who | /usr/bin/awk -v t="${MY_TTY}" '$2 == t { print $1; exit }'`
        /usr/bin/logger -p daemon.notice \
            -t "ksh euid: ${LOGNAME} id: ${MY_ID} $$" \
            Status ${stat} PWD ${PWD} TTY=`tty` \'${x}\'
    }
    # ksh88 (e.g. AIX) runs the DEBUG trap after each command, so the
    # $? read above belongs to the command being logged.
    trap dlog DEBUG
fi

Although this works for the majority of cases, there are problems:

- Users defining a large number of aliases experience a slow down in the
logon process
- WINScp didn't always work with the above
- Shell escapes are not logged
- Administrative interfaces like Smitty (AIX) do not log

NOTE: The AIX equivalent is auditbin.

Jim Horwath

"Anton Chuvakin" <anton (at) chuvakin (dot) org [email concealed]>
Sent by: loganalysis-bounces (at) loganalysis (dot) org [email concealed]
11/09/2007 03:09 PM

To
david.bigot (at) devoteam (dot) com [email concealed]
cc
loganalysis (at) loganalysis (dot) org [email concealed]
Subject
Re: [logs] How to log - commands and file access

> - all file access by process and username in real-time (not static) or
> if it's not possible, which process and username access to some files (or
> directory) like /etc/shadow, /data/ ...

Unix binary audit is the answer to this one. Specifically,

- Solaris BSM audit
- HPUX Audit
- AIX <whatever they call it>

Be prepared to experience a flood of data. If you are doing it per
user, it will be much easier. Some allow (and some don't allow) it on
a per file/per directory basis, use it!

You can then centralize the resulting binary audit files into a log
management tool for reporting, analysis, searching, safekeeping, etc.

P.S. Since I just mentioned a log management tool, I need to please
Tina and say: I work for LogLogic that makes such tools.

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

-----------------------------------------
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law. If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited. If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments. Thank you.
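The logger above writes one syslog line per command, and the post lists the ways it goes blind (shell escapes, smitty, editors). The following Python script is an added example, not code from the post or from anyone on the list: it parses lines of the shape that logger call produces (a "Mon DD HH:MM:SS host " syslog prefix is assumed, then the tag "ksh euid: <LOGNAME> id: <who user> <pid>" and "Status <rc> PWD <dir> TTY=<tty> '<command>'") and flags the records an analyst would want to look at: a LOGNAME that no longer matches the tty owner from who(1) (someone has run su), a tty whose owner could not be resolved, a command that opens an unlogged window, an attempt to disarm the trap, and command lines naming the files David asked about. The program list, the rule names and all sample log lines are constructed for the example.

```python
"""Triage the syslog lines produced by a ksh DEBUG-trap command logger.

Added example, not part of the post. Assumes lines of the form the logger
call in the post writes (tag "ksh euid: <LOGNAME> id: <who user> <pid>",
then "Status <rc> PWD <dir> TTY=<tty> '<command>'") behind a standard
"Mon DD HH:MM:SS host " syslog prefix; all sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"ksh euid: (?P<euid>\S+) id: (?P<login>\S*) (?P<pid>\d+): "
    r"Status (?P<status>-?\d+) PWD (?P<pwd>\S+) TTY=(?P<tty>\S+) '(?P<cmd>.*)'$"
)

# Programs that hand the user another interactive shell, or an editor/pager
# with a shell escape. The trap logs only the wrapper, so everything typed
# inside it is an unlogged window (the post's "shell escapes" and smitty).
# Assumed list; extend it for the site.
ESCAPE_CMDS = {"sh", "ksh", "bash", "csh", "tcsh", "vi", "vim", "view", "more",
               "less", "man", "smit", "smitty", "script", "ssh", "telnet", "rlogin"}
# Attempts to disarm the trap itself. ksh88 fires DEBUG after a command, so
# these may never be logged there; ksh93 fires it before, so they will be.
TRAP_KILL_RE = re.compile(r"^(trap\b.*\bDEBUG\b|unset\s+-f\s+dlog\b)")
# Files the thread asked about; a command line naming them is worth a look.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/security/passwd", "/etc/sudoers")


@dataclass
class Entry:
    ts: str
    host: str
    euid: str    # $LOGNAME of the shell (changes after "su -")
    login: str   # owner of the tty per who(1); empty if unresolved
    pid: int
    status: int
    pwd: str
    tty: str
    cmd: str


@dataclass
class Finding:
    rule: str
    entry: Entry


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a logger line, or None for any other syslog line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    d = m.groupdict()
    return Entry(d["ts"], d["host"], d["euid"], d["login"], int(d["pid"]),
                 int(d["status"]), d["pwd"], d["tty"], d["cmd"])


def first_word(cmd: str) -> str:
    """Program name of a command line, ignoring leading VAR=value and a path."""
    for tok in cmd.split():
        if re.match(r"^\w+=", tok):
            continue
        return tok.rsplit("/", 1)[-1]
    return ""


def audit(lines: Iterable[str]) -> List[Finding]:
    """Run the rules over the lines and return findings in log order."""
    findings: List[Finding] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.login == "":
            findings.append(Finding("login-unresolved", e))
        elif e.euid != e.login:
            findings.append(Finding("identity-changed", e))
        if first_word(e.cmd) in ESCAPE_CMDS:
            findings.append(Finding("unlogged-window", e))
        if TRAP_KILL_RE.match(e.cmd):
            findings.append(Finding("trap-removed", e))
        if any(p in e.cmd for p in SENSITIVE_PATHS):
            findings.append(Finding("sensitive-path", e))
    return findings


# Constructed sample: one user escalating with su (the "su -" record appears
# when the root shell exits, as ksh88 logs after the command), one tty whose
# owner who(1) did not resolve, and an unrelated sshd line the parser skips.
SAMPLE_LOG = """\
Nov 10 10:21:03 aix01 ksh euid: jhorwath id: jhorwath 12345: Status 0 PWD /home/jhorwath TTY=/dev/pts/1 'ls -l'
Nov 10 10:21:15 aix01 ksh euid: root id: jhorwath 12390: Status 0 PWD / TTY=/dev/pts/1 'cat /etc/shadow'
Nov 10 10:21:40 aix01 ksh euid: root id: jhorwath 12390: Status 0 PWD / TTY=/dev/pts/1 'smitty'
Nov 10 10:25:02 aix01 ksh euid: jhorwath id: jhorwath 12345: Status 0 PWD /home/jhorwath TTY=/dev/pts/1 'su -'
Nov 10 10:26:01 aix01 ksh euid: ops id:  12401: Status 127 PWD /tmp TTY=/dev/pts/3 'sh -c id'
Nov 10 10:26:05 aix01 sshd[800]: Accepted publickey for ops from 10.0.0.5 port 4444 ssh2
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        e = f.entry
        print(f"{f.rule:17} {e.ts} {e.host} euid={e.euid} login={e.login or '?'} "
              f"pid={e.pid} tty={e.tty} cmd={e.cmd!r}")
```

Two design points follow from the logger itself. The who(1) lookup is the only field that survives "su -" (LOGNAME is rewritten), so euid versus login is the signal for privilege change; and because the trap records a shell escape only when the child exits, an "unlogged-window" finding marks the start of a gap, not its contents, which is exactly the gap the audit subsystem Anton describes is there to fill.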
Re: [logs] How to log - commands and file access Nov 10 2007 02:21AM
James Turnbull (james lovedthanlost net)
Re: [logs] How to log - commands and file access Nov 09 2007 07:38PM
Vincent Bernat (bernat luffy cx)
Re: [logs] How to log - commands and file access Nov 09 2007 07:10PM
Stephen John Smoogen (smooge gmail com)


 

Copyright 2010, SecurityFocus