You can also evade this by running commands from within another program such as vi or by using the perl or python interpreter. Process accounting will record the commands that were executed but not any of the arguments. Hooking they exec system call might be a nice way to capture activity. Just some thoughts.
Cheers, Jim On 22 November 2011 22:20, Champ Clark III [Quadrant] < [email protected]> wrote: > Pretty cool. However, with the built in bash syslog of history, there's > no way to evade and not scripting required. Of course, If you aren't > using bash, then it really doesn't matter. > > Another point, when I do it with the built in bash syslog of history, I > make sure I don't have any other shell's installed. It's be trivial to > evade if the user just runs ash/ksh/csh/tcsh :) > > On Nov 22, 2011, at 2:01 PM, Nils wrote: > > Thanks for your valuable feedback! > I got an other neat approach off-list which I want to share with you: > > [Quote] > The step we use to pass that PCI requirement for linux is to put the > following inside of /etc/profile > PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER > "$(history 1)" | logger -p local2.info -t "shell_history"' > logger being the transport to syslog/syslog-ng/rsyslog. > There are some sly tricks to evade it, but this will pass their > requirement. Just make sure the syslogging facility you use is sending and > logging it on a separate machine. > I prefer rsyslog. > [\Quote] > > Cheers, > Nils > > Am 21.11.2011 17:03, schrieb Nils: > > Hi guys, > I´m looking into solutions to comply with PCI DSS requirement 10.2.2: > (Logging: All actions taken by any individual with root or administrative > privileges) especially on Linux systems. > Therefore I´ve checked for ways to provide a shell which is logging all > actions taken. > I stumbled upon stuff like: > mkfifo myfifo; logger -f myfifo & script -f myfifo > rootsh > sudoshell (ss) > > What are your experiences in this realm? > Best solution would be something done with on-board means or a provided > package of the Linux distribution, in this case Debian. > > > Thanks! > Nils > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > > > > Champ Clark III > (office) 904.253.7856 > (mobile) 850.443.2440 > (SOC) 800.538.9357 ext 101 > [email protected] > www.quadrantsec.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
<<quadrant.png>>
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
