LogAnalysis
Re: [logs] How to log - commands and file access Nov 12 2007 03:15PM
david bigot devoteam com (1 replies)
Hello,

Concerning BASH logging, I have found a bash "syslog version":
Nov 9 18:24:04 linux -bash: history: [pid:3016 uid:0] cat /etc/passwd

I have tried SNARE Agent; it's very helpful. You can filter and log all
process activity, any file access, network access... but it requires some CPU
load...
Perhaps someone has tested this software? Do you have any advice about
SNARE's configuration?

Regards,
----------------------------------------------------------------------
David Bigot - Security Consultant
Apogée Communications - Groupe DEVOTEAM
86, rue Anatole France
92300 Levallois-Perret
telephone: ()1.41.49.58.04
email: david.bigot (at) apogee-com (dot) fr [email concealed]

Mike Blomgren <mike.blomgren (at) tornado (dot) se [email concealed]>
12/11/2007 15:47

To: david.bigot (at) devoteam (dot) com [email concealed], loganalysis (at) loganalysis (dot) org [email concealed]
cc:
Subject: Re: [logs] How to log - commands and file access

Hi,

To log all commands from bash I have used Bash-BOFH. Found here:
http://www.ccitt5.net/archives/

It patches the bash source to send all commands to a syslog. It works very
well, but unfortunately requires bash 2.05, and doesn't work for the
newer 3.0 AFAIK.

~Mike

david.bigot (at) devoteam (dot) com [email concealed] wrote:

Hello,

I want to know, for a customer, how to log automatically on UNIX and Linux
systems:
- all commands executed (in BASH, ZSH & co ...). I know about the file
~/.(ba)sh_history, but I prefer a global file or logging through syslog.
- all file access by process and username in real time (not static) or, if
that's not possible, which process and username access some files (or
directories) like /etc/shadow, /data/ ...

Regards,
----------------------------------------------------------------------
David Bigot - Security Consultant
Apogée Communications - Groupe DEVOTEAM
86, rue Anatole France
92300 Levallois-Perret
telephone: ()1.41.49.58.04
email: david.bigot (at) apogee-com (dot) fr [email concealed]

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
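A small parser for the bash "syslog version" line format quoted above, run over a few constructed sample lines to flag commands that name the sensitive paths from the original question. This is an added example, not code from the thread or from any of the tools mentioned; the watch list and the sample lines are constructed.

```python
import re
from collections import namedtuple

# Line format of the bash "syslog version" quoted in the thread, e.g.:
#   Nov 9 18:24:04 linux -bash: history: [pid:3016 uid:0] cat /etc/passwd
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"-?(?P<shell>[^:\s]+): history: \[pid:(?P<pid>\d+) uid:(?P<uid>\d+)\] (?P<cmd>.*)$"
)
# Watch list built from the paths the original question names (constructed).
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", "/data/")
ShellEvent = namedtuple("ShellEvent", "ts host shell pid uid cmd")

def parse_line(line):
    """Parse one syslog line; return None for lines that are not bash history records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ShellEvent(m["ts"], m["host"], m["shell"], int(m["pid"]), int(m["uid"]), m["cmd"])

def sensitive_hits(cmd):
    """Return the arguments of cmd that name a watched file or lie under a watched directory."""
    hits = []
    for tok in cmd.split():
        tok = tok.lstrip("<>")  # a redirection glued to a path, e.g. >/data/out, still counts
        if any(tok == p or (p.endswith("/") and tok.startswith(p)) for p in SENSITIVE_PATHS):
            hits.append(tok)
    return hits

def flag_events(lines):
    """Return (event, hits) for every history record whose command touches a watched path."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev and (hits := sensitive_hits(ev.cmd)):  # walrus operator: Python 3.8+
            flagged.append((ev, hits))
    return flagged

# Constructed sample input: four bash history records and one unrelated sshd line.
SAMPLE_LINES = [
    "Nov  9 18:24:04 linux -bash: history: [pid:3016 uid:0] cat /etc/passwd",
    "Nov  9 18:25:10 linux -bash: history: [pid:3016 uid:0] tar czf backup.tgz /data/exports",
    "Nov  9 18:26:02 linux -bash: history: [pid:4120 uid:1001] vim notes.txt",
    "Nov  9 18:27:33 linux -bash: history: [pid:4120 uid:1001] sudo cat /etc/shadow",
    "Nov  9 18:28:00 linux sshd[2201]: Accepted publickey for alice from 192.0.2.10",
]

if __name__ == "__main__":
    for ev, hits in flag_events(SAMPLE_LINES):
        print(f"{ev.ts} {ev.host} uid={ev.uid} pid={ev.pid} touched {hits}: {ev.cmd}")
```

The log records only a uid, not a username, so mapping uid to a name (via the password database) is left to the consumer.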

Copyright 2010, SecurityFocus