command execution alert

Hi guys!

My requirement is... I need to get notified if somebody executes specific commands... like kill or httpd stop... something like that....

Can somebody help me out...

Regards,
kiran

If it is REALLY important, you can define an alias in /etc/profile. Example using a protected directory:

alias kill=/usr/local/bin/kill

/usr/local/bin/kill is a shell script:

#!/bin/sh
# mail a notice with the caller and the full argument list, then run the real kill
# (the original dropped the first argument with a stray "shift" before calling kill)
echo "$USER just fired off: $*" | /usr/bin/mailx -s 'kill command issued' me@mycomputer.com
exec /usr/bin/kill "$@"

Normally this kind of stuff is not necessary on a system where you have not granted excessive rights to ordinary users.
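An added example (not code from the thread) of the same wrapper idea, written so that it is reusable for more than one command: it records who ran what, from which tty and directory, to syslog via logger(1) instead of mailing directly, then exec's the real binary with every argument intact so the caller sees the real exit status. Assumptions: the real binaries live under REAL_DIR, logger is installed, and the file is installed as /usr/local/bin/kill (or httpd) with an alias or PATH entry pointing at it, as in the reply above.

```shell
#!/bin/sh
# Added example, not code from the thread: a wrapper that records who ran a
# command (and with which arguments) to syslog before running the real binary.
# Assumptions: the real binary lives under REAL_DIR, logger(1) is installed,
# and this file is installed as /usr/local/bin/<command> (e.g. kill) with an
# alias or PATH entry pointing at it.

REAL_DIR=/usr/bin

# audit_line USER TTY CWD COMMAND [ARGS...]
# Prints one audit record; each argument is single-quoted so that arguments
# containing spaces stay unambiguous in the log.
audit_line() {
    user=$1; tty=$2; cwd=$3; shift 3
    printf 'user=%s tty=%s cwd=%s cmd=' "$user" "$tty" "$cwd"
    sep=''
    for a in "$@"; do
        printf "%s'%s'" "$sep" "$a"
        sep=' '
    done
    printf '\n'
}

# audit_log USER TTY CWD COMMAND [ARGS...]
# Ships the record to syslog; authpriv keeps it out of world-readable logs on
# most systems, and a central syslog server can mail on it from there.
audit_log() {
    audit_line "$@" | logger -t cmd-audit -p authpriv.notice
}

# run_wrapped COMMAND [ARGS...]
# Logs the call, then exec's the real binary with every argument intact so the
# caller sees the real command's exit status.
run_wrapped() {
    name=$1; shift
    t=$(tty 2>/dev/null) || t=notty
    audit_log "$(id -un)" "$t" "$PWD" "$name" "$@"
    exec "$REAL_DIR/$name" "$@"
}

# Only act as a wrapper when invoked under one of the wrapped names, so the
# functions above can also be sourced and tested without running anything.
case "${0##*/}" in
    kill|httpd) run_wrapped "${0##*/}" "$@" ;;
esac
```

An alias is advisory rather than a control: a script that never reads /etc/profile, or a call to the binary by its full path, does not pass through the wrapper, which is why the later replies in this thread point at preload libraries and file-integrity tools when the requirement is really about enforcement rather than convenience.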

You can use the following way.

input_file.txt content: "running the listing command (ls)"

# a function instead of an alias, so that arguments such as "ls -l" still reach ls
# rather than being appended to the mail command
ls() { command ls "$@"; mail -s Subject user_name < input_file.txt; }

If you run the ls command then mail will be sent to the specified user.
Using the above command you can give a mail alert to the users.

Thanks guys.... it probably fulfills my requirement....

Just to learn out of curiosity... what happens when I execute a command on the shell prompt... will it log the command execution in any files??

---------- Post updated at 05:00 PM ---------- Previous update was at 04:28 PM ----------

The solution provided is very smart... but I need to monitor around 150 services spread across 50 servers. It is very difficult for me to put a cron as per the services running on the servers.

Please help to get a better solution...

Try to see the .bash_history file in your home directory.

The issues with .bash_history:
1) An improper exit from the shell will not log the command history in the .bash_history file.
2) The .bash_history file is updated only after the user exits from the shell; if a user runs the kill command or stops any process, I will only know after he exits from the shell.....

Correct me if I am wrong!!!...
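Both points above are bash defaults rather than hard limits. The following is an added example (not from the thread): the history settings that make bash append each entry, with a timestamp, as soon as the command has run, plus a small scanner for the resulting file. It assumes GNU bash for the settings and awk for the scan; the sample history entries are constructed. The user still owns the history file, so this is a record for the cooperative case, not a tamper-proof audit trail.

```shell
#!/bin/sh
# Added example, not from the thread: make bash record each command as it is
# run (with a timestamp) instead of at logout, and scan the result for commands
# of interest. Assumes GNU bash for the history settings and awk for the scan;
# the sample history file below is constructed.

# Settings for an interactive bash session; add them to /etc/profile.d/
# (assumed location) or ~/.bashrc. With PROMPT_COMMAND='history -a' the new
# entry reaches the file before the next prompt, and histappend means an
# abnormal exit no longer loses what was already written.
enable_history_audit() {
    shopt -s histappend
    HISTSIZE=10000
    HISTFILESIZE=100000
    HISTTIMEFORMAT='%F %T '          # store an epoch timestamp with every entry
    PROMPT_COMMAND='history -a'      # flush after each command, not at exit
    export HISTSIZE HISTFILESIZE HISTTIMEFORMAT PROMPT_COMMAND
}

# watch_history FILE REGEX
# With HISTTIMEFORMAT set, bash writes "#<epoch>" on the line before each
# command. Print "<epoch><TAB><command>" for every command matching REGEX;
# entries without a timestamp get "-" instead.
watch_history() {
    awk -v pat="$2" '
        /^#[0-9]+$/ { ts = substr($0, 2); next }      # timestamp for the next line
        $0 ~ pat    { t = (ts != "") ? ts : "-"; print t "\t" $0 }
        { ts = "" }                                   # a timestamp covers one line only
    ' "$1"
}

# sample_history: writes a constructed history file and prints its path.
sample_history() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#1700000000
ls -l /var/log
#1700000042
kill -9 4242
#1700000100
/etc/init.d/httpd stop
#1700000160
vi /etc/hosts
EOF
    printf '%s\n' "$f"
}

# Example run: list only kill and httpd stop/restart invocations.
# f=$(sample_history); watch_history "$f" '^(kill|.*httpd (stop|restart))'; rm -f "$f"
```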

You might be interested in commercial products like Tripwire.

Another possibility (in Linux; for other UNIX dialects I'm not sure) is to use a PRELOAD library replacing the system calls fork() and exec(). If these system calls would write to the syslog you could at least document any command issued in a way not even root could modify (without raising an alarm). I have once seen this done but can't remember what the name of the library was.

I hope this helps.

bakunin

IMO, most of this type of monitoring is either for an advanced security trusted system, where it is usually built-in, or for the case where users who should not have privilege do have it, i.e., usually politics.

Some systems will not let LD_LIBRARY_PRELOAD work on executables that change group or uid, i.e. that call:

     int setuid(uid_t uid)
     int setegid(gid_t egid)
     int seteuid(uid_t euid)
     int setgid(gid_t gid)

FWIW.

It took me a while to remember, but I finally managed to put my failing main memory to work:

The product I had in mind was called "snoopy" and should be downloadable via SourceForge. I implemented it once in conjunction with syslog-ng (see Freshmeat for a download) on RHEL4 and RHEL5 (i386 as well as x86_64), but failed to get it to work on AIX.

I hope this helps.

bakunin
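Once something on each host (a wrapper script or a preload library such as the one described above) writes one syslog line per command, the "150 services on 50 servers" problem becomes a filter on the central syslog host rather than a cron job per service. The following is an added example, not code from the thread and not snoopy's own output format: it assumes lines of the constructed form "<Mon> <day> <time> <host> cmd-audit: user=U tty=T cwd=D cmd='prog' 'arg' ..." and turns the matching ones into a mail; the tag, field layout, sample lines and mail address are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from snoopy: the consumer side of the
# syslog approach. Once wrappers or a preload library write one syslog line per
# command, a central syslog host can turn matching lines into mail.
# Assumed line layout (constructed, not snoopy's real format):
#   "<Mon> <day> <time> <host> cmd-audit: user=U tty=T cwd=D cmd='prog' 'arg' ..."

# alert_lines REGEX
# Reads syslog lines on stdin and prints "host user command" for each cmd-audit
# record whose quoted command string matches REGEX. Other lines are ignored.
alert_lines() {
    awk -v pat="$1" '
        $5 == "cmd-audit:" {
            host = $4; user = ""; cmd = ""
            if (match($0, /user=[^ ]+/)) user = substr($0, RSTART + 5, RLENGTH - 5)
            if (match($0, /cmd=.*/))     cmd  = substr($0, RSTART + 4)
            if (cmd ~ pat) print host, user, cmd
        }'
}

# notify REGEX ADDRESS
# Same filter, but only sends mail when something matched, so an empty run does
# not produce an empty message. ADDRESS and the subject are placeholders.
notify() {
    hits=$(alert_lines "$1")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | mailx -s 'watched command executed' "$2"
    fi
}

# sample_syslog: constructed lines standing in for a central syslog file.
sample_syslog() {
    cat <<'EOF'
Nov 14 22:13:20 web01 cmd-audit: user=kiran tty=pts/0 cwd=/home/kiran cmd='ls' '-l'
Nov 14 22:13:41 web01 cmd-audit: user=kiran tty=pts/0 cwd=/home/kiran cmd='kill' '-9' '4242'
Nov 14 22:14:02 db07 cron[2201]: (root) CMD (run-parts /etc/cron.hourly)
Nov 14 22:14:30 db07 cmd-audit: user=ops tty=pts/3 cwd=/root cmd='/etc/init.d/httpd' 'stop'
EOF
}

# Example against a live file (path assumed):
#   tail -F /var/log/auth.log | alert_lines "^'(kill|/etc/init.d/httpd)'"
```

Matching on the quoted command string rather than the raw line keeps a user's directory or argument text from triggering a false alert, and the watch regex is the only per-site piece to maintain, which is what makes it scale across many hosts feeding one collector.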