On Thu, Jan 25, 2007 at 09:49:03PM -0500, Jalex wrote:
> I don't think writing a 'script' to monitor anything at all for that
> purpose, is going to be ingenious enough to really matter.
>
> You can circumvent the login passing an arg to ssh (avoids recording to
> 'who' and 'last'):
> $ ssh [EMAIL PROTECTED] bash

Sorry, I guess I wasn't clear at the start of the message. The script is
reading Solaris BSM (auditing) logs. You cannot circumvent it by doing
'ssh host sh'.

> 1. Wrapping shells has limited capabilities and there are a ton of ways
> to work around any controls in place.
> a. Someone installs their own version of a shell binary
> b. ssh tunneling that opens a port where a custom-written client
> sits waiting to echo any commands sent to it from a remote host through
> the tunnel.

I've always found running a shell or other arbitrary commands from within
vi or Perl (both usually available from a restricted shell) the easy way
out. But it doesn't matter when using BSM.

> 2. Solaris has audit features but that could get a little chatty if you
> log every available command. I would use it to track any basic commands
> like mv, cp, rm, scp, sftp, unlink.

This is exactly what I am doing.

> Crist J. Clark wrote:
> >I am trying to write a script that does the following:
> >
> > 1) Finds all root logins and su's to root.
> > 2) Tracks all commands run after that login.
> > 3) Associates each command with its login.
> >
> >Sounds easy, huh? Devil's in the details.
> >
> >Current method of attack is to find all of the su's and logins,
> >and save the session ID. Then I can go through and pick out the
> >'exec' events with that session ID and run as root. My old
> >method was to follow all of the forks from a login. It was not
> >pretty, but seemed to work most of the time. I thought following
> >session IDs would be more robust and less error prone.
> >
> >But I have an audit trail here that is confounding my best
> >efforts. What we have is a "forced" SSH command. There are a
> >few problems with the trail. First, it looks like it starts
> >forking children before the login. Second, the login has a
> >different session ID than its children. I'm a bit confused
> >about what is going on here. Here's the audit trail. It's in
> >XML format. I find that easier to read with the labels.
> >
> >What's killing me is that the login (the 'login - ssh' event)
> >has a different session ID than its children (the 'exec(2)'
> >of 'ksh -c /etc/security/sox_baseline'). Bug? Feature? Do I
> >need to revert to my old method? This is Solaris 9 using
> >the Sun SSH daemon.
> >
> >
> ><?xml version='1.0' encoding='UTF-8' ?>
> ><?xml-stylesheet type='text/xsl'
> >href='file:///usr/share/lib/xml/style/adt_record.xsl.1' ?>
> >
> ><!DOCTYPE audit PUBLIC '-//Sun Microsystems, Inc.//DTD Audit V1//EN'
> >'file:///usr/share/lib/xml/dtd/adt_record.dtd.1'>
> >
> ><audit>
> ><file time="Thu Jan 11 10:46:19 PST 2007" msec="0"></file>
> ><record version="2" event="vfork(2)" time="Thu Jan 11 10:46:19 PST 2007"
> >msec="731">
> ><argument arg-num="0" value="0x5e02" desc="child PID"/>
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007"
> >msec="732">
> ><path>/usr/bin/sh</path>
> ><attribute mode="100555" uid="root" gid="root" fsid="136" nodeid="8469"
> >device="0"/>
> ><exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a
> ></arg></exec_args>
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="fork(2)" time="Thu Jan 11 10:46:19 PST 2007"
> >msec="741">
> ><argument arg-num="0" value="0x5e03" desc="child PID"/>
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="execve(2)" time="Thu Jan 11 10:46:19 PST 2007"
> >msec="764">
> ><path>/usr/bin/locale</path>
> ><attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="347411"
> >device="0"/>
> ><exec_args><arg>/usr/bin/locale</arg><arg>-a
> ></arg></exec_args>
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007"
> >msec="800">
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24067" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="exit(2)" time="Thu Jan 11 10:46:19 PST 2007"
> >msec="801">
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24066" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007"
> >msec="548">
> ><argument arg-num="0" value="0x5e04" desc="child PID"/>
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="auditon(2) - get audit state" time="Thu Jan 11
> >10:46:21 PST 2007" msec="557">
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="getaudit_addr(2)" time="Thu Jan 11 10:46:21 PST
> >2007" msec="557">
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="auditon(2) - get audit policy flags" time="Thu
> >Jan 11 10:46:21 PST 2007" msec="557">
> ><subject audit-uid="root" uid="root" gid="root" ruid="root" rgid="root"
> >pid="24065" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="login - ssh" time="Thu Jan 11 10:46:21 PST
> >2007" msec="568">
> ><subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other"
> >pid="24065" sid="3603920788" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="fork(2)" time="Thu Jan 11 10:46:21 PST 2007"
> >msec="583">
> ><argument arg-num="0" value="0x5e05" desc="child PID"/>
> ><subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other"
> >pid="24068" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007"
> >msec="598">
> ><path>/usr/bin/ksh</path>
> ><attribute mode="100555" uid="root" gid="bin" fsid="136" nodeid="42497"
> >device="0"/>
> ><exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline
> ></arg></exec_args>
> ><subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other"
> >pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
> ><record version="2" event="execve(2)" time="Thu Jan 11 10:46:21 PST 2007"
> >msec="614">
> ><path>/etc/security/sox_baseline</path>
> ><attribute mode="100755" uid="root" gid="other" fsid="136" nodeid="64371"
> >device="0"/>
> ><exec_args><arg>/bin/sh</arg><arg>/etc/security/sox_baseline
> ></arg></exec_args>
> ><subject audit-uid="root" uid="root" gid="other" ruid="root" rgid="other"
> >pid="24069" sid="3539585011" tid="11953 196630 spa.example.com"/>
> ><return errval="success" retval="0"/>
> ></record>
-- 
Crist J. Clark | [EMAIL PROTECTED]
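Following the fork chain rather than the session ID (the "old method" mentioned in the thread) is one way to attribute the sox_baseline exec to the 'login - ssh' record despite the differing sids. This is an added example, not code from the thread; the trail it parses is a constructed abbreviation of the records quoted above, keeping the same pids, sids and events but only the attributes the parser reads.

```python
import xml.etree.ElementTree as ET

# Constructed sample trail: an abbreviation of the records quoted in the thread
# (same pids, sids and events), keeping only the attributes the parser reads.
SAMPLE_TRAIL = """<audit>
<record event="vfork(2)" msec="731">
<argument arg-num="0" value="0x5e02" desc="child PID"/>
<subject audit-uid="root" pid="24065" sid="3539585011"/></record>
<record event="execve(2)" msec="732"><path>/usr/bin/sh</path>
<exec_args><arg>sh</arg><arg>-c</arg><arg>/usr/bin/locale -a</arg></exec_args>
<subject audit-uid="root" pid="24066" sid="3539585011"/></record>
<record event="fork(2)" msec="548">
<argument arg-num="0" value="0x5e04" desc="child PID"/>
<subject audit-uid="root" pid="24065" sid="3539585011"/></record>
<record event="login - ssh" msec="568">
<subject audit-uid="root" pid="24065" sid="3603920788"/></record>
<record event="fork(2)" msec="583">
<argument arg-num="0" value="0x5e05" desc="child PID"/>
<subject audit-uid="root" pid="24068" sid="3539585011"/></record>
<record event="execve(2)" msec="598"><path>/usr/bin/ksh</path>
<exec_args><arg>ksh</arg><arg>-c</arg><arg>/etc/security/sox_baseline</arg></exec_args>
<subject audit-uid="root" pid="24069" sid="3539585011"/></record>
</audit>"""

def attribute_execs(xml_text):
    """Attribute each execve(2) to the login whose fork chain spawned it."""
    # Session IDs are deliberately not used: in the quoted trail the login
    # record has a different sid from its children. Only a login recorded
    # earlier in the file qualifies, which excludes the pre-login 'locale -a' children.
    parent = {}      # child pid -> parent pid, learned from fork/vfork records
    logins = {}      # pid -> (record index, sid) of a 'login - ssh' record
    attributed = []  # (login pid, exec pid, path, argv, sid_matches_login)
    for idx, rec in enumerate(ET.fromstring(xml_text).iter("record")):
        event, subj = rec.get("event"), rec.find("subject")
        pid = int(subj.get("pid"))
        if event in ("fork(2)", "vfork(2)"):
            child = int(rec.find("argument").get("value"), 16)  # "0x5e02" -> 24066
            parent[child] = pid
        elif event.startswith("login"):
            logins[pid] = (idx, subj.get("sid"))
        elif event == "execve(2)":
            # Climb the process tree to the nearest ancestor that logged in earlier.
            anc = pid
            while anc is not None and not (anc in logins and logins[anc][0] < idx):
                anc = parent.get(anc)
            if anc is not None:
                argv = [a.text.strip() for a in rec.find("exec_args").iter("arg")]
                attributed.append((anc, pid, rec.findtext("path"), argv,
                                   subj.get("sid") == logins[anc][1]))
    return attributed
```

The last tuple field records whether the exec's sid matched the login's, so a run over a real trail shows how often sid correlation alone would have dropped a command.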
