Re: Security - logging of user commands

2012-07-26 Thread Damien Fleuriot
On 7/25/12 6:15 PM, jb wrote:
>> Damien Fleuriot ml at my.gd writes:
>>
>> ...
>> From my syslog.conf:
>> auth.info;authpriv.info /var/log/auth.log
>>
>> Yet I'm not seeing a trail in /var/log/auth.log, or messages, or even
>> in secure
>> ...
>
> # less /var/log/auth.log
> Feb 22 21:13:56 localhost newsyslog[1503]: logfile first created
> Feb 22 21:14:07 localhost login: login on ttyv0 as jb
> Feb 22 21:14:15 localhost su: jb to root on /dev/ttyv0
> ...
> Jul 25 15:23:48 localhost su: jb to root on /dev/pts/3
> Jul 25 17:25:05 localhost snoopy[50059]: [uid:0 sid:45449 tty:/dev/pts/2 cwd:/usr/ports/security/snoopy filename:/usr/bin/touch]: touch /etc/ld.so.preload
> Jul 25 17:25:05 localhost snoopy[50060]: [uid:0 sid:45449 tty:/dev/pts/2 cwd:/usr/ports/security/snoopy filename:/usr/bin/grep]: grep -c ^/usr/local/lib//snoopy.so /etc/ld.so.preload
> Jul 25 17:52:29 localhost snoopy[50145]: [uid:0 sid:46687 tty:/dev/pts/3 cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log
> Jul 25 17:54:03 localhost snoopy[50148]: [uid:0 sid:46687 tty:/dev/pts/3 cwd:/usr/home/jb filename:/usr/bin/touch]: touch test1
> Jul 25 17:54:08 localhost snoopy[50149]: [uid:0 sid:46687 tty:/dev/pts/3 cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log
> [root@localhost /home/jb]#
>
> jb
>


Well, after some digging I am sorry to report that security/snoopy/ is,
imho, quite bugged on 8-STABLE and 9-STABLE alike.



Let's take the example of logging the current working directory:


Below is the statement from ./configure --help:
Optional Features:
[snip]
  --disable-cwd-logging   disable logging of Current Working Directory
  [default=enabled]



From config.h:66
/* Enable logging of Current Working Directory */
/* #undef SNOOPY_CWD_LOGGING */

From configure:4298
#define SNOOPY_CWD_LOGGING 1

From snoopy.c:127
/* Create logMessage */
#if defined(SNOOPY_CWD_LOGGING)



Small edits to snoopy.c to check if current working directory logging is
really enabled:

--- snoopy.c.orig   2012-07-26 10:16:06.0 +
+++ snoopy.c2012-07-26 10:18:05.0 +
@@ -123,12 +123,18 @@
logString[logStringSize-1] = '\0';


+/* Check wether SNOOPY_CWD_LOGGING is _really_ defined or not */
+int cwdlog=0;
+#if defined(SNOOPY_CWD_LOGGING)
+cwdlog=1;
+#endif
+
/* Create logMessage */
#if defined(SNOOPY_CWD_LOGGING)
getCwdRet = getcwd(cwd, PATH_MAX+1);
-   sprintf(logMessage, [uid:%d sid:%d tty:%s cwd:%s filename:%s]: 
%s,
getuid(), getsid(0), ttyPath, cwd, filename, logString);
+   sprintf(logMessage, [uid:%d sid:%d tty:%s cwd:%s filename:%s]: 
%s,
  getuid(), getsid(0), ttyPath, cwd, filename, logString);
#else
-   sprintf(logMessage, [uid:%d sid:%d tty:%s filename:%s]: %s,
getuid(), getsid(0), ttyPath, filename, logString);
+   sprintf(logMessage, cwdlog: %d - [uid:%d sid:%d tty:%s 
filename:%s]:
%s, cwdlog, getuid(), getsid(0), ttyPath, filename, logString);
#endif
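Review bot: the cwdlog probe in the #else branch is a tautology and cannot report anything the log line did not already show. Inside the `#else` of `#if defined(SNOOPY_CWD_LOGGING)` the macro is undefined by construction, so the `#if defined(SNOOPY_CWD_LOGGING)` / `cwdlog=1;` / `#endif` block a few lines up can only leave cwdlog at 0 on that path; the absence of a cwd: field in the record is already the proof that the #else branch was compiled. The check that settles the question is the generated config.h quoted earlier with `/* #undef SNOOPY_CWD_LOGGING */`: that header, not the `#define SNOOPY_CWD_LOGGING 1` at configure:4298 (a line of the configure script, reached only if its enclosing shell branch runs), is what the compiler sees, so whatever goes wrong is between configure's advertised default and the header it writes, and that is where a fix belongs. Smaller points: `int cwdlog=0;` placed after the `logString[logStringSize-1] = '\0';` statement is a mixed declaration that only C99 and later accept; the `-`/`+` pair in the #if branch changes nothing but whitespace and can be dropped; both sprintf calls write the full argv into logMessage with no bound, so if logMessage is a fixed-size array, `snprintf(logMessage, sizeof logMessage, ...)` is the safe form; "wether" should be "whether"; and the pasted hunk has lost the double quotes around its sprintf format strings, so it will not apply as shown.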




And the result:
gmake snoopy.so
setenv LD_PRELOAD /usr/ports/security/snoopy/work/snoopy-1.8.0/snoopy.so
/etc/rc.d/named status


Yields, amongst others:

Jul 26 10:19:00 pf1 snoopy[96561]: cwdlog: 0 - [uid:0 sid:92850 tty:/dev/pts/0 filename:/bin/ps]: /bin/ps -ww -o pid= -o jid= -o command= -p 1073


Notice how cwdlog is set to 0, which means we don't want to log the
CWD, although configure reports SNOOPY_CWD_LOGGING 1.

I think that might not be the only bug, seeing as only root actions seem to
be logged although the default should be to log every user.

I'd like to point out that apart from these edits for my tests this is a
*vanilla* install of snoopy.



Might anyone confirm the issue?

The above is true for 8.1-RELEASE, 8-STABLE, 9-STABLE with snoopy being
at version 1.8.0 on all of them.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
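The mechanism the thread is debugging, as an added example that is not snoopy's code: a minimal LD_PRELOAD execve(2) interposer that emits the same record layout as the auth.log lines above (uid, session id, tty, cwd, filename, argv) to syslog, with the cwd field behind a compile-time macro in the same way SNOOPY_CWD_LOGGING gates it in the snoopy.c hunk. The names execlog_format, execlog_cwd_enabled and the EXECLOG_NO_CWD build flag are mine, and taking the tty from ttyname(0) is my choice, not something the thread establishes about snoopy. execlog_cwd_enabled() is the build-time probe Damien patched in by hand, exposed as a function so the built object can be asked directly whether the feature was compiled in.

```c
/* execlog.c: a minimal LD_PRELOAD execve(2) interposer in the spirit of
 * snoopy.  Added example for this thread, not snoopy's code.
 *
 *   cc -shared -fPIC -o execlog.so execlog.c
 *   LD_PRELOAD=./execlog.so /etc/rc.d/named status
 *
 * Records go to the LOG_AUTHPRIV facility, which the
 * "auth.info;authpriv.info /var/log/auth.log" rule above sends to auth.log.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Compile-time feature switch playing the role of SNOOPY_CWD_LOGGING.
 * On by default; build with -DEXECLOG_NO_CWD to leave the cwd field out.
 * (Assumed names for this example, not snoopy's.) */
#ifndef EXECLOG_NO_CWD
#define EXECLOG_CWD_LOGGING 1
#endif

/* Run-time probe for the build-time switch: the check Damien patched into
 * snoopy.c by hand, exposed as a function so a test can ask the built
 * object directly.  Returns 1 if the cwd field was compiled in, else 0. */
int execlog_cwd_enabled(void)
{
#if defined(EXECLOG_CWD_LOGGING)
    return 1;
#else
    return 0;
#endif
}

/* Format "[uid:U sid:S tty:T cwd:C filename:F]: argv0 argv1 ..." into out.
 * A NULL tty or cwd is logged as an empty field.  Like snprintf, the return
 * value is the length the complete message would have had, so a caller can
 * detect truncation; out is always NUL-terminated and never overrun. */
size_t execlog_format(char *out, size_t outsz, uid_t uid, pid_t sid,
                      const char *tty, const char *cwd,
                      const char *filename, char *const argv[])
{
    size_t len;
    int n;

    if (tty == NULL) tty = "";
    if (cwd == NULL) cwd = "";

#if defined(EXECLOG_CWD_LOGGING)
    n = snprintf(out, outsz, "[uid:%ld sid:%ld tty:%s cwd:%s filename:%s]:",
                 (long)uid, (long)sid, tty, cwd, filename);
#else
    n = snprintf(out, outsz, "[uid:%ld sid:%ld tty:%s filename:%s]:",
                 (long)uid, (long)sid, tty, filename);
#endif
    if (n < 0)
        return 0;
    len = (size_t)n;

    /* Append each argument.  Once len reaches outsz the remaining calls are
     * size-0 snprintfs that only count, which is what keeps this bounded. */
    for (size_t i = 0; argv != NULL && argv[i] != NULL; i++) {
        size_t off = len < outsz ? len : outsz;
        n = snprintf(out + off, outsz - off, " %s", argv[i]);
        if (n < 0)
            break;
        len += (size_t)n;
    }
    return len;
}

/* The interposed execve: log, then hand the call to the kernel.  Using the
 * raw syscall instead of dlsym(RTLD_NEXT, "execve") avoids a libdl
 * dependency and any chance of re-entering this wrapper. */
int execve(const char *filename, char *const argv[], char *const envp[])
{
    char cwd[PATH_MAX + 1];
    char msg[4096];
    /* Assumption of this example: the tty is whatever stdin is attached to,
     * so a process reading from a pipe logs an empty tty field. */
    const char *tty = ttyname(STDIN_FILENO);

    if (getcwd(cwd, sizeof cwd) == NULL)
        cwd[0] = '\0';

    execlog_format(msg, sizeof msg, getuid(), getsid(0), tty, cwd,
                   filename, argv);
    openlog("execlog", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_INFO, "%s", msg);
    closelog();

    return (int)syscall(SYS_execve, filename, argv, envp);
}
```

Build it as a shared object, point LD_PRELOAD at it and run any dynamically linked command; the record arrives on the authpriv facility. Two caveats apply to snoopy exactly as much as to this example: the run-time linker drops LD_PRELOAD for set-user-ID binaries, and any process can clear the variable or be statically linked, so what ends up in auth.log is a record of cooperating processes, not an enforcement point. The message is assembled with snprintf and the would-be length is returned, so an over-long argv is reported as truncated rather than written past the buffer.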


Re: Security - logging of user commands

2012-07-26 Thread jb
Damien Fleuriot ml at my.gd writes:

> ...
> Might anyone confirm the issue?
>
> The above is true for 8.1-RELEASE, 8-STABLE, 9-STABLE with snoopy being
> at version 1.8.0 on all of them.

$ uname -r
9.0-RELEASE-p3

$ man ldconfig
...
Filenames must conform to the lib*.so.[0-9] pattern in order to
 be added to the hints file.
...
FILES
 /var/run/ld.so.hints Standard hints file for the a.out dynamic
  linker.
 /var/run/ld-elf.so.hints Standard hints file for the ELF dynamic
  linker.
 /etc/ld.so.conf  Conventional configuration file containing
  directory names for invocations with -aout.
 /etc/ld-elf.so.conf  Conventional configuration file containing
  directory names for invocations with -elf.
 /var/run/ld-elf32.so.hints
 /var/run/ld32.so.hints   Conventional configuration files containing
  directory names for invocations with -32.
 /etc/objformat   Determines whether -aout or -elf is the
  default.  If present, it must consist of a
  single line containing either
  `OBJFORMAT=aout' or `OBJFORMAT=elf'.
...
$

# ls -al /usr/local/lib/libsnoopy.so*
lrwxr-xr-x  1 root  wheel    14 Jul 26 20:43 /usr/local/lib/libsnoopy.so -> libsnoopy.so.1
-r-xr-xr-x  1 root  wheel  4824 Jul 26 20:07 /usr/local/lib/libsnoopy.so.1

$ grep ldconfig /etc/defaults/rc.conf
...
ldconfig_paths=... /usr/local/lib ...
...

# /etc/rc.d/ldconfig start
...
ldconfig_start()
...
        for i in ${ldconfig_paths} /etc/ld-elf.so.conf; do
                if [ -r "${i}" ]; then
                        _LDC="${_LDC} ${i}"
                fi
        done
        check_startmsgs && echo 'ELF ldconfig path:' ${_LDC}
        ${ldconfig} -elf ${_ins} ${_LDC}
...


$ ldconfig -r
/var/run/ld-elf.so.hints:
search directories: /lib:/usr/lib:/usr/lib/compat:/usr/local/lib:/usr/local/lib/event2:/usr/local/lib/gcc46:/usr/local/lib/graphviz:/usr/local/lib/libxul:/usr/local/lib/nss:/usr/local/lib/pth:/usr/local/lib/qt4
0:-lc.7 = /lib/libc.so.7
...
465:-lsnoopy.1 = /usr/local/lib/libsnoopy.so.1
...
$

# man ldconfig
...
# tail /var/log/auth.log
...
Jul 26 22:12:38 localhost snoopy[5884]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/sbin/sysctl]: /sbin/sysctl -n hw.machine_arch
Jul 26 22:12:38 localhost snoopy[5885]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/sbin/sysctl]: /sbin/sysctl -n hw.machine
Jul 26 22:12:38 localhost snoopy[5886]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/usr/bin/locale]: /usr/bin/locale
Jul 26 22:12:38 localhost snoopy[5889]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/head]: head -1
Jul 26 22:12:38 localhost snoopy[5888]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/usr/bin/zcat]: /usr/bin/zcat /usr/share/man/man8/ldconfig.8.gz
Jul 26 22:12:38 localhost snoopy[5892]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/groff]: groff -S -P-h -Wall -mtty-char -man -Tascii -P-c
Jul 26 22:12:38 localhost snoopy[5891]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/tbl]: tbl
Jul 26 22:12:38 localhost snoopy[5890]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/usr/bin/zcat]: /usr/bin/zcat /usr/share/man/man8/ldconfig.8.gz
Jul 26 22:12:38 localhost snoopy[5893]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/more]: more

# /etc/rc.d/named status
Cannot 'status' named. Set named_enable to YES in /etc/rc.conf or use
'onestatus' instead of 'status'.

# tail /var/log/auth.log
...
Jul 26 22:16:40 localhost snoopy[5917]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/bin/ps]: /bin/ps -ww -p 5916 -o jid=
Jul 26 22:16:40 localhost snoopy[5919]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/bin/ps]: /bin/ps -ww -o pid= -o jid= -o command= -ax
#

jb





