Re: Security - logging of user commands
On 7/25/12 6:15 PM, jb wrote:
> Damien Fleuriot <ml at my.gd> writes:
>
>> ...
>> From my syslog.conf:
>> auth.info;authpriv.info /var/log/auth.log
>>
>> Yet I'm not seeing a trail in /var/log/auth.log, or messages, or even in secure
>> ...
>
> # less /var/log/auth.log
> Feb 22 21:13:56 localhost newsyslog[1503]: logfile first created
> Feb 22 21:14:07 localhost login: login on ttyv0 as jb
> Feb 22 21:14:15 localhost su: jb to root on /dev/ttyv0
> ...
> Jul 25 15:23:48 localhost su: jb to root on /dev/pts/3
> Jul 25 17:25:05 localhost snoopy[50059]: [uid:0 sid:45449 tty:/dev/pts/2 cwd:/usr/ports/security/snoopy filename:/usr/bin/touch]: touch /etc/ld.so.preload
> Jul 25 17:25:05 localhost snoopy[50060]: [uid:0 sid:45449 tty:/dev/pts/2 cwd:/usr/ports/security/snoopy filename:/usr/bin/grep]: grep -c ^/usr/local/lib//snoopy.so /etc/ld.so.preload
> Jul 25 17:52:29 localhost snoopy[50145]: [uid:0 sid:46687 tty:/dev/pts/3 cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log
> Jul 25 17:54:03 localhost snoopy[50148]: [uid:0 sid:46687 tty:/dev/pts/3 cwd:/usr/home/jb filename:/usr/bin/touch]: touch test1
> Jul 25 17:54:08 localhost snoopy[50149]: [uid:0 sid:46687 tty:/dev/pts/3 cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log
> [root@localhost /home/jb]#
> jb

Well, after some digging I am sorry to report that security/snoopy/ is, imho, quite bugged on 8-STABLE and 9-STABLE alike.

Let's take the example of logging the current working directory.

Below is the statement from ./configure --help:

Optional Features:
[snip]
  --disable-cwd-logging   disable logging of Current Working Directory [default=enabled]

From config.h:66
/* Enable logging of Current Working Directory */
/* #undef SNOOPY_CWD_LOGGING */

From configure:4298
#define SNOOPY_CWD_LOGGING 1

From snoopy.c:127
/* Create logMessage */
#if defined(SNOOPY_CWD_LOGGING)

Small edits to snoopy.c to check if current working directory logging is really enabled:

--- snoopy.c.orig 2012-07-26 10:16:06.0 +
+++ snoopy.c 2012-07-26 10:18:05.0 +
@@ -123,12 +123,18 @@
logString[logStringSize-1] = '\0';
+/* Check wether SNOOPY_CWD_LOGGING is _really_ defined or not */
+int cwdlog=0;
+#if defined(SNOOPY_CWD_LOGGING)
+cwdlog=1;
+#endif
+
/* Create logMessage */
#if defined(SNOOPY_CWD_LOGGING)
getCwdRet = getcwd(cwd, PATH_MAX+1);
- sprintf(logMessage, [uid:%d sid:%d tty:%s cwd:%s filename:%s]: %s, getuid(), getsid(0), ttyPath, cwd, filename, logString);
+ sprintf(logMessage, [uid:%d sid:%d tty:%s cwd:%s filename:%s]: %s, getuid(), getsid(0), ttyPath, cwd, filename, logString);
#else
- sprintf(logMessage, [uid:%d sid:%d tty:%s filename:%s]: %s, getuid(), getsid(0), ttyPath, filename, logString);
+ sprintf(logMessage, cwdlog: %d - [uid:%d sid:%d tty:%s filename:%s]: %s, cwdlog, getuid(), getsid(0), ttyPath, filename, logString);
#endif

And the result:

gmake snoopy.so
setenv LD_PRELOAD /usr/ports/security/snoopy/work/snoopy-1.8.0/snoopy.so
/etc/rc.d/named status

Yields, amongst others:

Jul 26 10:19:00 pf1 snoopy[96561]: cwdlog: 0 - [uid:0 sid:92850 tty:/dev/pts/0 filename:/bin/ps]: /bin/ps -ww -o pid= -o jid= -o command= -p 1073

Notice how cwdlog is set to 0, which means we don't want to log the CWD, although configure reports SNOOPY_CWD_LOGGING 1.

I think that might not be the only bug, seeing as only root actions seem to be logged although the default should be to log every user.

I'd like to point out that apart from these edits for my tests this is a *vanilla* install of snoopy.

Might anyone confirm the issue?

The above is true for 8.1-RELEASE, 8-STABLE, 9-STABLE with snoopy being at version 1.8.0 on all of them.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
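Review bot: the `+` line in the `#if defined(SNOOPY_CWD_LOGGING)` branch is identical to the `-` line it replaces, so that pair is a no-op and should be dropped; the `cwdlog: %d -` prefix is added only in the `#else` branch, where `cwdlog` is 0 by construction because `cwdlog=1` is guarded by the very same macro, so the probe can never print 1 and tells you nothing the missing `cwd:` field did not already show. To make the build's feature set observable, print the value in both branches, or put a `#warning` in the `#else` branch so an enabled build is distinguishable. Two smaller points while these lines are being touched: `getCwdRet` from `getcwd(cwd, PATH_MAX+1)` is never checked before `cwd` is formatted, so a failed getcwd() formats an uninitialized buffer, and the format string grows by `cwdlog: %d - ` while still going through `sprintf` into `logMessage`; `snprintf` with the buffer's size would bound it.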
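The patch above probes whether SNOOPY_CWD_LOGGING reached the compiled object by editing the sprintf calls. The C below is an added example, not snoopy's code and not from either poster: it rebuilds the same log line as the lines pasted in this thread, but exposes the compile-time flag through a callable function, bounds the formatting with snprintf, and renders a failed getcwd() and a missing controlling tty explicitly instead of passing garbage to the formatter. The names snoopy_features, join_argv, build_log_line and log_line_for_self are this example's own; the macro is defined at the top here to stand in for what config.h is supposed to provide.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Assumption for this example: CWD logging is wanted. In the real port the
 * macro should arrive from config.h via configure; the thread shows it not
 * arriving, which is what snoopy_features() below lets you observe. */
#ifndef SNOOPY_CWD_LOGGING
#define SNOOPY_CWD_LOGGING 1
#endif

#define SNOOPY_FEATURE_CWD 1u

/* Report at run time which compile-time features made it into this object.
 * A one-line program linked against the .so can call this, instead of
 * editing every sprintf to find out whether the macro was defined. */
unsigned snoopy_features(void)
{
    unsigned f = 0;
#ifdef SNOOPY_CWD_LOGGING
    f |= SNOOPY_FEATURE_CWD;
#endif
    return f;
}

/* Join argv into one space-separated string. Returns the length written,
 * or -1 if the result (plus NUL) would not fit in out. */
int join_argv(char *out, size_t outsz, char *const argv[])
{
    size_t used = 0;
    int i;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (i = 0; argv[i] != NULL; i++) {
        size_t n = strlen(argv[i]);
        size_t need = n + (i > 0 ? 1 : 0);   /* separator before all but first */
        if (used + need >= outsz) return -1;
        if (i > 0) out[used++] = ' ';
        memcpy(out + used, argv[i], n);
        used += n;
        out[used] = '\0';
    }
    return (int)used;
}

/* Format "[uid:.. sid:.. tty:.. cwd:.. filename:..]: cmd" exactly as the
 * lines in the thread, choosing the variant by the compiled-in feature.
 * tty may be NULL (stdin is a pipe, logged as an empty field like the head
 * and tbl lines in the thread); cwd may be NULL (getcwd failed).
 * Returns the length, or -1 if the line would not fit in out. */
int build_log_line(char *out, size_t outsz, uid_t uid, pid_t sid,
                   const char *tty, const char *cwd,
                   const char *filename, const char *cmdline)
{
    int n;
    if (tty == NULL) tty = "";
    if (snoopy_features() & SNOOPY_FEATURE_CWD) {
        if (cwd == NULL) cwd = "(unknown)";
        n = snprintf(out, outsz, "[uid:%ld sid:%ld tty:%s cwd:%s filename:%s]: %s",
                     (long)uid, (long)sid, tty, cwd, filename, cmdline);
    } else {
        n = snprintf(out, outsz, "[uid:%ld sid:%ld tty:%s filename:%s]: %s",
                     (long)uid, (long)sid, tty, filename, cmdline);
    }
    if (n < 0 || (size_t)n >= outsz) return -1;
    return n;
}

/* Gather the live facts the way an execve() interposer would, then format. */
int log_line_for_self(char *out, size_t outsz, const char *filename, char *const argv[])
{
    char cwd[PATH_MAX + 1];
    char cmd[4096];
    const char *cwdp = getcwd(cwd, sizeof cwd);   /* NULL on failure, handled */
    const char *tty = ttyname(STDIN_FILENO);       /* NULL when not a terminal */
    if (join_argv(cmd, sizeof cmd, argv) < 0) return -1;
    return build_log_line(out, outsz, getuid(), getsid(0), tty, cwdp, filename, cmd);
}

int main(void)
{
    char line[8192];
    char *argv[] = { "touch", "/etc/ld.so.preload", NULL };
    if (log_line_for_self(line, sizeof line, "/usr/bin/touch", argv) < 0) return 1;
    printf("features=%u\n%s\n", snoopy_features(), line);
    return 0;
}
```

Run it from a pipe (`echo | ./a.out`) and the tty field comes out empty, which is the same effect visible in the groff/tbl/head lines later in this thread.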
Re: Security - logging of user commands
Damien Fleuriot <ml at my.gd> writes:

> ...
> Might anyone confirm the issue?
> The above is true for 8.1-RELEASE, 8-STABLE, 9-STABLE with snoopy being at version 1.8.0 on all of them.

$ uname -r
9.0-RELEASE-p3

$ man ldconfig
...
     Filenames must conform to the lib*.so.[0-9] pattern in order to be added
     to the hints file.
...
FILES
     /var/run/ld.so.hints        Standard hints file for the a.out dynamic linker.
     /var/run/ld-elf.so.hints    Standard hints file for the ELF dynamic linker.
     /etc/ld.so.conf             Conventional configuration file containing directory names for invocations with -aout.
     /etc/ld-elf.so.conf         Conventional configuration file containing directory names for invocations with -elf.
     /var/run/ld-elf32.so.hints
     /var/run/ld32.so.hints      Conventional configuration files containing directory names for invocations with -32.
     /etc/objformat              Determines whether -aout or -elf is the default. If present, it must consist of a single line containing either `OBJFORMAT=aout' or `OBJFORMAT=elf'.
...

$ # ls -al /usr/local/lib/libsnoopy.so*
lrwxr-xr-x  1 root  wheel    14 Jul 26 20:43 /usr/local/lib/libsnoopy.so -> libsnoopy.so.1
-r-xr-xr-x  1 root  wheel  4824 Jul 26 20:07 /usr/local/lib/libsnoopy.so.1

$ grep ldconfig /etc/defaults/rc.conf
...
ldconfig_paths=... /usr/local/lib ...
...

# /etc/rc.d/ldconfig start
...
ldconfig_start()
...
	for i in ${ldconfig_paths} /etc/ld-elf.so.conf; do
		if [ -r ${i} ]; then
			_LDC=${_LDC} ${i}
		fi
	done
	check_startmsgs && echo 'ELF ldconfig path:' ${_LDC}
	${ldconfig} -elf ${_ins} ${_LDC}
...

$ ldconfig -r
/var/run/ld-elf.so.hints:
	search directories: /lib:/usr/lib:/usr/lib/compat:/usr/local/lib:/usr/local/lib/event2:/usr/local/lib/gcc46:/usr/local/lib/graphviz:/usr/local/lib/libxul:/usr/local/lib/nss:/usr/local/lib/pth:/usr/local/lib/qt4
	0:-lc.7 => /lib/libc.so.7
	...
	465:-lsnoopy.1 => /usr/local/lib/libsnoopy.so.1
	...

$ # man ldconfig
...
# tail /var/log/auth.log
...
Jul 26 22:12:38 localhost snoopy[5884]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/sbin/sysctl]: /sbin/sysctl -n hw.machine_arch
Jul 26 22:12:38 localhost snoopy[5885]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/sbin/sysctl]: /sbin/sysctl -n hw.machine
Jul 26 22:12:38 localhost snoopy[5886]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/usr/bin/locale]: /usr/bin/locale
Jul 26 22:12:38 localhost snoopy[5889]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/head]: head -1
Jul 26 22:12:38 localhost snoopy[5888]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/usr/bin/zcat]: /usr/bin/zcat /usr/share/man/man8/ldconfig.8.gz
Jul 26 22:12:38 localhost snoopy[5892]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/groff]: groff -S -P-h -Wall -mtty-char -man -Tascii -P-c
Jul 26 22:12:38 localhost snoopy[5891]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/tbl]: tbl
Jul 26 22:12:38 localhost snoopy[5890]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/usr/bin/zcat]: /usr/bin/zcat /usr/share/man/man8/ldconfig.8.gz
Jul 26 22:12:38 localhost snoopy[5893]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/more]: more

# /etc/rc.d/named status
Cannot 'status' named. Set named_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.

# tail /var/log/auth.log
...
Jul 26 22:16:40 localhost snoopy[5917]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/bin/ps]: /bin/ps -ww -p 5916 -o jid=
Jul 26 22:16:40 localhost snoopy[5919]: [uid:0 sid:2957 tty:/dev/pts/2 cwd:/usr/local/lib filename:/bin/ps]: /bin/ps -ww -o pid= -o jid= -o command= -ax
#
jb
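Both messages in this thread paste snoopy's auth.log lines, including records with an empty tty: field (head, tbl, groff and more in the man pipeline, whose stdin was a pipe) and one from the patched build that carries no cwd: field at all. The C below is an added example, not code from snoopy, FreeBSD or either poster: it parses such lines into fields and runs two counts over them that someone reading this log for security purposes would want, root commands with no controlling tty and commands that name /etc/ld.so.preload (on this page that is the port's own install step). The sample lines are copied from the thread and labelled as such; the names snoopy_event, parse_snoopy_line, scan_lines, root_without_tty and mentions_preload are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed snoopy record; cwd stays empty for builds that log without it. */
struct snoopy_event {
    long uid, sid;
    char tty[128], cwd[1024], filename[1024], cmdline[4096];
};

/* Constructed sample: lines copied from this thread (the "cwdlog: 0 -" one is
 * from the patched build) plus one su line to show foreign records are skipped. */
static const char *const SAMPLE_LINES[] = {
    "Jul 25 17:25:05 localhost snoopy[50059]: [uid:0 sid:45449 tty:/dev/pts/2 cwd:/usr/ports/security/snoopy filename:/usr/bin/touch]: touch /etc/ld.so.preload",
    "Jul 25 17:25:05 localhost snoopy[50060]: [uid:0 sid:45449 tty:/dev/pts/2 cwd:/usr/ports/security/snoopy filename:/usr/bin/grep]: grep -c ^/usr/local/lib//snoopy.so /etc/ld.so.preload",
    "Jul 25 17:52:29 localhost snoopy[50145]: [uid:0 sid:46687 tty:/dev/pts/3 cwd:/usr/home/jb filename:/usr/bin/less]: less /var/log/auth.log",
    "Jul 26 22:12:38 localhost snoopy[5889]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/head]: head -1",
    "Jul 26 22:12:38 localhost snoopy[5891]: [uid:0 sid:2957 tty: cwd:/usr/local/lib filename:/usr/bin/tbl]: tbl",
    "Jul 26 10:19:00 pf1 snoopy[96561]: cwdlog: 0 - [uid:0 sid:92850 tty:/dev/pts/0 filename:/bin/ps]: /bin/ps -ww -o pid= -o jid= -o command= -p 1073",
    "Jul 25 15:23:48 localhost su: jb to root on /dev/pts/3",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Copy len bytes into a fixed field, refusing to truncate silently. */
static int copy_field(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len >= dstsz) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one syslog line written by snoopy. Returns 0 on success, -1 when the
 * line is not a snoopy record or a field is malformed. The header is a
 * space-separated run of key:value tokens between "[uid:" and "]: "; values
 * may be empty (tty:) and cwd: may be absent entirely. */
int parse_snoopy_line(const char *line, struct snoopy_event *ev)
{
    const char *p = strstr(line, "[uid:");
    const char *end;
    int have_filename = 0;
    size_t clen;

    if (p == NULL) return -1;
    p += 1;                                   /* step past '[' */
    end = strstr(p, "]: ");                   /* end of header, start of command */
    if (end == NULL) return -1;
    memset(ev, 0, sizeof *ev);
    ev->uid = ev->sid = -1;

    while (p < end) {
        const char *q = memchr(p, ' ', (size_t)(end - p));
        size_t len;
        if (q == NULL) q = end;
        len = (size_t)(q - p);
        if (len >= 4 && strncmp(p, "uid:", 4) == 0)
            ev->uid = strtol(p + 4, NULL, 10);
        else if (len >= 4 && strncmp(p, "sid:", 4) == 0)
            ev->sid = strtol(p + 4, NULL, 10);
        else if (len >= 4 && strncmp(p, "tty:", 4) == 0) {
            if (copy_field(ev->tty, sizeof ev->tty, p + 4, len - 4)) return -1;
        } else if (len >= 4 && strncmp(p, "cwd:", 4) == 0) {
            if (copy_field(ev->cwd, sizeof ev->cwd, p + 4, len - 4)) return -1;
        } else if (len >= 9 && strncmp(p, "filename:", 9) == 0) {
            if (copy_field(ev->filename, sizeof ev->filename, p + 9, len - 9)) return -1;
            have_filename = 1;
        } else
            return -1;                        /* unknown key: not a record we trust */
        p = q + 1;
    }
    if (ev->uid < 0 || ev->sid < 0 || !have_filename) return -1;

    p = end + 3;                              /* command line, minus trailing newline */
    clen = strlen(p);
    while (clen > 0 && (p[clen - 1] == '\n' || p[clen - 1] == '\r')) clen--;
    return copy_field(ev->cmdline, sizeof ev->cmdline, p, clen);
}

/* Root ran something with no controlling terminal (pipe member or daemon). */
int root_without_tty(const struct snoopy_event *ev)
{
    return ev->uid == 0 && ev->tty[0] == '\0';
}

/* The command line names the loader preload file. */
int mentions_preload(const struct snoopy_event *ev)
{
    return strstr(ev->cmdline, "/etc/ld.so.preload") != NULL;
}

/* Count records matching pred; lines that do not parse are skipped. */
size_t scan_lines(const char *const lines[], size_t n,
                  int (*pred)(const struct snoopy_event *))
{
    struct snoopy_event ev;
    size_t i, hits = 0;
    for (i = 0; i < n; i++)
        if (parse_snoopy_line(lines[i], &ev) == 0 && pred(&ev)) hits++;
    return hits;
}

int main(void)
{
    printf("root commands without a tty: %zu\n",
           scan_lines(SAMPLE_LINES, SAMPLE_COUNT, root_without_tty));
    printf("commands naming /etc/ld.so.preload: %zu\n",
           scan_lines(SAMPLE_LINES, SAMPLE_COUNT, mentions_preload));
    return 0;
}
```

Anchoring on "[uid:" rather than on the "snoopy[pid]: " prefix is what lets the same parser accept the patched build's "cwdlog: 0 - [uid:..." line; an unknown key makes the parser reject the record rather than guess, which is the behaviour you want before feeding such fields into alerting.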