Just for fun: Thought of this for a quick solution but would/could be defeated easily.
mkdir ~/.scripts
echo 'script -q ~/.scripts/$USER-$(date +%y-%m-%d_%H%M%S)' >> ~/.profile

(or ~/.bash_profile, and/or ~/.bashrc)

script spawns a subshell, so they could just issue 'exit' or 'logout' and get back to the parent shell. For that:

alias exit='exit;exit'
alias logout='exit;exit'

Probably have to do the same for ^D; not sure how you would do that, you may be able to set two control sequences with stty. You could probably set traps on the subshell so they can't use various control characters.

On Tue, Nov 22, 2011 at 6:26 PM, Jim Halfpenny <[email protected]> wrote:

> You can also evade this by running commands from within another program
> such as vi or by using the perl or python interpreter. Process accounting
> will record the commands that were executed but not any of the arguments.
> Hooking the exec system call might be a nice way to capture activity. Just
> some thoughts.
>
> Cheers,
> Jim
>
> On 22 November 2011 22:20, Champ Clark III [Quadrant] <[email protected]> wrote:
>
>> Pretty cool. However, with the built-in bash syslog of history,
>> there's no way to evade and no scripting required. Of course, if you
>> aren't using bash, then it really doesn't matter.
>>
>> Another point, when I do it with the built-in bash syslog of history, I
>> make sure I don't have any other shells installed. It'd be trivial to
>> evade if the user just runs ash/ksh/csh/tcsh :)
>>
>> On Nov 22, 2011, at 2:01 PM, Nils wrote:
>>
>> Thanks for your valuable feedback!
>> I got another neat approach off-list which I want to share with you:
>>
>> [Quote]
>> The step we use to pass that PCI requirement for Linux is to put the
>> following inside of /etc/profile
>>
>> PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'echo $$ $USER "$(history 1)" | logger -p local2.info -t "shell_history"'
>>
>> logger being the transport to syslog/syslog-ng/rsyslog.
>> There are some sly tricks to evade it, but this will pass their
>> requirement. Just make sure the syslogging facility you use is sending and
>> logging it on a separate machine.
>> I prefer rsyslog.
>> [/Quote]
>>
>> Cheers,
>> Nils
>>
>> On 21.11.2011 17:03, Nils wrote:
>>
>> Hi guys,
>> I'm looking into solutions to comply with PCI DSS requirement 10.2.2:
>> (Logging: All actions taken by any individual with root or administrative
>> privileges) especially on Linux systems.
>> Therefore I've checked for ways to provide a shell which is logging all
>> actions taken.
>> I stumbled upon stuff like:
>> mkfifo myfifo; logger -f myfifo & script -f myfifo
>> rootsh
>> sudoshell (ss)
>>
>> What are your experiences in this realm?
>> Best solution would be something done with on-board means or a provided
>> package of the Linux distribution, in this case Debian.
>>
>> Thanks!
>> Nils
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>>
>> Champ Clark III
>> (office) 904.253.7856
>> (mobile) 850.443.2440
>> (SOC) 800.538.9357 ext 101
>> [email protected]
>> www.quadrantsec.com
>

--
- Jon
------------------------------------------------------------------
VMB: 812-682-0231
Dubois County Linux User Group - http://www.dclinux.org
Southern Indiana Computer Klub - http://sickbits.networklabs.org
Bloomington FOOLS - http://www.bloomingtonfools.org/
BloomingLabs - http://www.bloominglabs.org
ISSA-Kentuckiana - http://issa-kentuckiana.org
GPG Key ID: 810903CB
Key fingerprint = 0069 ED69 EABB DF84 5983 AD3C 6C20 BEFD 8109 03CB
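Added example, not code from the thread or from any of its participants: a small Python audit script for the syslog lines produced by the PROMPT_COMMAND hook quoted above (echo of pid, user and `history 1`, tagged shell_history). It parses those lines into records and flags the exact blind spots the thread names, where the history-based trail stops seeing what is typed: a switch to another shell (ash/ksh/csh/tcsh, plus sh/dash/zsh as obvious equivalents), an interpreter (perl/python, plus ruby), an editor with shell escapes (vi/vim), or `sudo -i`/`sudo -s` opening a new login shell. It assumes rsyslog's default "MMM DD HH:MM:SS host tag: message" line layout and bash's `  <number>  <command>` spacing from `history 1`; the host name, pids, users and log lines are all constructed for the example, and the helper names are the author's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed line layout: rsyslog's default "MMM DD HH:MM:SS host tag: message" prefix,
# then what the hook echoes: "<pid> <user> <history 1 output>", where bash's
# `history 1` prints "  <number>  <command>". Surrounding spacing is matched loosely.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) shell_history: "
    r"(?P<pid>\d+) (?P<user>\S+)\s+(?P<histno>\d+)\s+(?P<cmd>.*)$"
)

# Programs the thread names as ways to leave bash history behind, plus a few
# equivalents (assumption): whatever is typed inside them never reaches the hook.
ALT_SHELLS = {"sh", "ash", "dash", "ksh", "csh", "tcsh", "zsh"}
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby"}
EDITORS = {"vi", "vim"}


@dataclass
class HistoryEvent:
    timestamp: str
    host: str
    pid: int
    user: str
    histno: int
    command: str
    blind_spot: Optional[str]  # why later activity of this session may be missing, if so


def classify(cmd: str) -> Optional[str]:
    """Label a command whose follow-on activity the history hook cannot see."""
    tokens = cmd.strip().split()
    if not tokens:
        return None
    if tokens[0] == "sudo":
        tokens = tokens[1:]
        # `sudo -i` / `sudo -s` (options only, no program) start a fresh login shell;
        # the trail continues under root's history and a new pid.
        if not tokens or all(t.startswith("-") for t in tokens):
            return "root shell via sudo"
    prog = tokens[0].rsplit("/", 1)[-1]  # /bin/tcsh -> tcsh
    if prog in ALT_SHELLS:
        return "alternate shell"
    if prog in INTERPRETERS:
        return "interpreter"
    if prog in EDITORS:
        return "editor with shell escape"
    return None


def parse_line(line: str) -> Optional[HistoryEvent]:
    """Turn one shell_history syslog line into a record; unrelated lines give None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return HistoryEvent(m["ts"], m["host"], int(m["pid"]), m["user"],
                        int(m["histno"]), m["cmd"].strip(), classify(m["cmd"]))


def audit(log_text: str) -> List[HistoryEvent]:
    """Parse every well-formed shell_history line, skipping other syslog traffic."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def blind_spots(log_text: str, privileged_only: bool = True) -> List[HistoryEvent]:
    """Events after which the audit trail for that session may go dark.

    PCI DSS 10.2.2 is about root/administrative users, so by default only root's
    commands and sudo invocations are reported."""
    out = []
    for e in audit(log_text):
        if e.blind_spot is None:
            continue
        if privileged_only and e.user != "root" and not e.command.startswith("sudo"):
            continue
        out.append(e)
    return out


# Constructed sample: one user escalating with sudo, then root working, plus noise.
SAMPLE_LOG = """\
Nov 22 18:26:01 pci-host shell_history: 4021 alice   17  sudo -i
Nov 22 18:26:09 pci-host shell_history: 4088 root   3  ls -la /etc
Nov 22 18:26:15 pci-host shell_history: 4088 root   4  vi /etc/hosts
Nov 22 18:26:33 pci-host sshd[4100]: Accepted publickey for bob from 10.0.0.5 port 51022 ssh2
Nov 22 18:26:40 pci-host shell_history: 4088 root   5  /bin/tcsh
Nov 22 18:27:02 pci-host shell_history: 4088 root   6  perl -e 'print 1'
Nov 22 18:27:20 pci-host shell_history: 4130 bob   9  ksh
Nov 22 18:27:30 pci-host shell_history: 4088 root   7  exit
"""

if __name__ == "__main__":
    for e in blind_spots(SAMPLE_LOG):
        print(f"{e.timestamp} pid={e.pid} user={e.user} {e.blind_spot}: {e.command}")
```

Run it against the log the central syslog host collects (Nils's point about logging to a separate machine), and each flagged event marks the moment from which the history-based record alone can no longer vouch for what that session did; those are the sessions to cross-check with process accounting, an exec-hooking auditor or a `script`-style session recording, as the thread suggests.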
