Log all the commands input by user at real time in /var/log/messages

Below is my script to log all the commands input by any user to /var/log/messages. But I can't achieve the desired output that I want. Please see below.


function log2syslog
{
   declare COMMAND
   COMMAND=$(fc -ln -0)
   logger -p local1.notice -t bash -i -- "$USER:$COMMAND"
}
trap log2syslog DEBUG

Desired Output:

Jan 13 17:09:05 SERVER1 bash[727]: user1: ls -l
Jan 13 17:09:05 SERVER1 bash[731]: user1:  hostname
Jan 13 17:09:05 SERVER1 bash[735]: user5: uname -a
Jan 13 17:09:05 SERVER1 bash[739]: user2: clear

What's going wrong? You might want to use logger line by line.

Hi RudiC,
This is the output that I have. EMPTY

Jan 17 14:51:12 SERVER1 bash[143477]: root:#011 
Jan 17 14:51:28 SERVER1 bash[143480]: root:#011 
Jan 17 14:51:28 SERVER1 bash[143483]: root:#011 
Jan 17 14:51:28 SERVER1 bash[143486]: root:#011 
Jan 17 14:51:28 SERVER1 bash[143489]: root:#011

---------- Post updated at 11:36 PM ---------- Previous update was at 11:05 PM ----------

This is the current output that I have.

Jan 17 15:32:34 SERVER1 bash[146147]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146151]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146155]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146159]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146163]: user1 as root:
Jan 17 15:32:34 SERVER1 bash[146189]: user1 as root:#011 exit
Jan 17 15:32:37 SERVER1 bash[146193]: user1 as root:#011 exit
Jan 17 15:32:37 SERVER1 bash[146198]: user1 as root:#011 exit
Jan 17 15:32:43 SERVER1 bash[146210]: user1 as root:#011 hostname
Jan 17 15:32:43 SERVER1 bash[146215]: user1 as root:#011 hostname
Jan 17 15:32:49 SERVER1 bash[146422]: user1 as root:#011 uname -a
Jan 17 15:32:49 SERVER1 bash[146426]: user1 as root:#011 uname -a

My new source code

function log2syslog
{
        declare COMMAND
        declare LOGUSER
        COMMAND=$(fc -ln -0)
        LOGUSER=$(logname)
        logger -p local0.notice -t bash -i -- "${LOGUSER} as ${USER}:${COMMAND}"
}
trap log2syslog DEBUG

How about using the built-in audit software from your operating system?

Audit configuration can look scary at first, but it's mostly a one-time setup per requirement.

Writing custom scripts will only make things difficult in the future.
Not to mention bypassing such scripts could be trivial, beating the audit purpose completely.

Hope that helps
Regards
Peasant.

So it will throw the output below in /var/log/audit/audit.log? I believe I have tried this before.
Thanks

Jan 13 17:09:05 SERVER1 bash[727]: user1: ls -l
Jan 13 17:09:05 SERVER1 bash[731]: user1:  hostname
Jan 13 17:09:05 SERVER1 bash[735]: user5: uname -a
Jan 13 17:09:05 SERVER1 bash[739]: user2: clear

What's your system?

RHEL6 sir

---------- Post updated 01-19-17 at 01:26 AM ---------- Previous update was 01-18-17 at 03:18 AM ----------

Any feedback sir?
Thanks

Please don't bump posts.

What user are you attempting to audit? If it's root, one cheap way to audit is to not give them direct root access and let them do everything through sudo. Every time they call sudo, that will be logged.

For example, we have an activity. I just want to do a tail -f /var/log/messages and I can see what is going on. I have been able to achieve it but not 100%. Tried a lot of ways but to no avail; it's not what I am expecting.

function log2syslog
{
    # $BASH_COMMAND is the command about to run, so no history (fc) lookup is needed
    # logname gives the login name even after su, $USER would give the effective user
    logger -p local1.notice -t bash -i -- "$(logname): $BASH_COMMAND"
}

# DEBUG fires before every simple command in this interactive shell
trap log2syslog DEBUG
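The script above is the right direction ($BASH_COMMAND instead of fc). Below is an added example, not code from the thread, that keeps the same logger call but also strips the leading whitespace that fc -ln produced (the #011 in the earlier output), skips empty commands, the logger's own invocation and the PROMPT_COMMAND that RHEL's /etc/bashrc sets for terminal titles, and falls back to $USER when logname has no login name to report. The function names format_cmd_log, should_log_cmd and enable_cmd_logging are this example's own.

```shell
#!/bin/bash
# Added example (not from the thread): a DEBUG-trap command logger for
# interactive bash that produces one "user: command" line per typed command.

# Build the log message: trim leading tabs/spaces (the #011 seen when
# fc -ln output was logged) and trailing blanks, then prefix the user.
format_cmd_log() {
    user=$1
    cmd=$(printf '%s' "$2" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s: %s' "$user" "$cmd"
}

# Return 0 when a command is worth logging. Empty commands, the prompt
# hook and the logger call itself would only produce noise or duplicates.
should_log_cmd() {
    [ -n "$1" ] || return 1
    [ "$1" != "${PROMPT_COMMAND:-}" ] || return 1
    case $1 in
        log2syslog*|logger\ *) return 1 ;;
    esac
    return 0
}

# Trap body: $BASH_COMMAND is the simple command about to execute.
# logname fails (no login name) in some su/cron sessions; fall back to $USER.
log2syslog() {
    should_log_cmd "$BASH_COMMAND" || return 0
    user=$(logname 2>/dev/null || printf '%s' "$USER")
    logger -p local1.notice -t bash -i -- "$(format_cmd_log "$user" "$BASH_COMMAND")"
}

# Install the trap in interactive shells only (scripts would flood syslog).
enable_cmd_logging() {
    case $- in *i*) ;; *) return 0 ;; esac
    trap log2syslog DEBUG
}
```

Source the file from /etc/bashrc (or a file in /etc/profile.d) and call enable_cmd_logging; with local1.notice routed to /var/log/messages the lines appear as in the desired output. As the other replies point out, this covers only interactive bash: `trap - DEBUG`, another shell, or a non-interactive script produce nothing, so it is a convenience view for `tail -f`, not an audit trail.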

"example we have an activity" isn't really helpful...

Any and all in-shell ways to do this can be trivially circumvented.

Doing this properly may mean changing the way you do things, not just slapping code onto your existing system.

I just want to have the output like below.

Jan 13 17:09:05 SERVER1 bash[727]: user1: vi /etc/httpd/conf.d/httpd.conf
Jan 13 17:09:05 SERVER1 bash[731]: user1:  service httpd restart
Jan 13 17:09:05 SERVER1 bash[735]: user5: tail -f /var/log/messages
Jan 13 17:09:05 SERVER1 bash[739]: user2: sudo su -

Well, RHEL6 supports auditing, I wasn't sure it did. Look here:

Chapter 7. System Auditing
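Peasant's suggestion and the RHEL6 auditing chapter both point at auditd. As an added example (not from the thread or from the Red Hat guide), the rules below record every execve() by a logged-in user on RHEL6, and the parser turns the resulting SYSCALL/EXECVE record pair into the "user: command" line asked for above. The key name user_cmds, the function names and the two sample records are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Red Hat: kernel-level command
# logging with auditd on RHEL6, plus a parser for the records it writes.

# Rules to append to /etc/audit/audit.rules. auid>=500 limits logging to
# real login users (RHEL6 UID_MIN); auid!=4294967295 drops processes that
# never had a login uid (daemons). user_cmds is an assumed key name.
audit_exec_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F auid>=500 -F auid!=4294967295 -k user_cmds
-a always,exit -F arch=b32 -S execve -F auid>=500 -F auid!=4294967295 -k user_cmds
EOF
}

# Persist the rules and load them into the running kernel (run as root).
install_audit_exec_rules() {
    rules_file=${1:-/etc/audit/audit.rules}
    audit_exec_rules >> "$rules_file"
    audit_exec_rules | while read -r rule; do
        # shellcheck disable=SC2086  # the rule must be word-split into arguments
        auditctl $rule
    done
}

# Rebuild argv from one EXECVE record (fields a0="..." a1="..."). Arguments
# with spaces or unprintable bytes are hex-encoded without quotes by the
# kernel; they pass through undecoded here.
execve_argv() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^a[0-9]+=/) {
                v = $i
                sub(/^a[0-9]+=/, "", v)
                gsub(/^"|"$/, "", v)
                out = out (out == "" ? "" : " ") v
            }
        }
        print out
    }'
}

# Login uid (auid) from the SYSCALL record that shares the EXECVE's serial.
syscall_auid() {
    printf '%s\n' "$1" | sed -n 's/.* auid=\([0-9][0-9]*\) .*/\1/p'
}

# Join the pair into "<login name>: <command>"; unknown uids print as uidNNN.
audit_cmd_line() {
    auid=$(syscall_auid "$1")
    name=$(getent passwd "$auid" 2>/dev/null | cut -d: -f1)
    printf '%s: %s\n' "${name:-uid$auid}" "$(execve_argv "$2")"
}

# Constructed sample records in audit.log format (not from a real system).
SAMPLE_SYSCALL='type=SYSCALL msg=audit(1484643163.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b4d a2=1a2b5e a3=7fff items=2 ppid=1200 pid=1234 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="user_cmds"'
SAMPLE_EXECVE='type=EXECVE msg=audit(1484643163.123:4567): argc=2 a0="ls" a1="-l"'

# Live query once the rules are loaded: decoded records for the key.
show_user_cmds() {
    ausearch -k user_cmds -i
}
```

After install_audit_exec_rules, `ausearch -k user_cmds -i` shows each command with uid and auid resolved to names, and `aureport -x` summarises executables per user. Unlike the DEBUG trap, these records are written by the kernel for every process, so clearing a trap or starting a different shell does not stop them; for a literal keystroke record of a tty session, pam_tty_audit and `aureport --tty` cover that case.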

Noted. Thank you. Will try to review it.
Thanks