Bash history to a remote syslog
Returning to the technical side for a while, I made these changes in the testing environment to log every shell command to a remote syslog server:
First, I changed the configuration on our log server:
double:/# diff -pu /etc/default/syslogd.20071101 /etc/default/syslogd
--- /etc/default/syslogd.20071101 2007-11-02 01:32:39.000000000 -0500
+++ /etc/default/syslogd 2007-11-02 01:32:49.000000000 -0500
@@ -10,4 +10,4 @@
#
# For remote UDP logging use SYSLOGD=”-r”
#
-SYSLOGD=”"
+SYSLOGD=”-r”
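Review bot: `SYSLOGD="-r"` makes syslogd accept datagrams on 514/udp from any host, and since sysklogd is not tcp-wrapped the hosts.allow/hosts.deny changes further down do nothing to limit who can send to it; add a host firewall rule restricting 514/udp to the client network (the 10.0.49.0/24 used below) so arbitrary hosts cannot inject or flood entries into cmdhist.log. Also confirm the quotes in the file are plain ASCII `"`: as rendered here (`SYSLOGD=”-r”`) they are typographic quotes, which the init script would pass to syslogd as literal characters.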
double:/# diff -pu /etc/syslog.conf.20071101 /etc/syslog.conf
--- /etc/syslog.conf.20071101 2007-11-02 01:45:46.000000000 -0500
+++ /etc/syslog.conf 2007-11-02 01:21:24.000000000 -0500
@@ -68,3 +68,5 @@ daemon.*;mail.*;
news.crit;news.err;news.notice;
*.=debug;*.=info;
*.=notice;*.=warn |/dev/xconsole
+
+local7.* -/var/log/cmdhist.log
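Review bot: the `-` in `-/var/log/cmdhist.log` tells syslogd to buffer writes without syncing, so the commands issued just before a crash or power loss are the ones most likely to be missing from the file; for an accountability log drop the `-`. Because sysklogd delivers a message to every matching selector, local7.notice lines also still go to the `*.=notice` pipe to /dev/xconsole shown above and to any catch-all `*.*` rule for /var/log/syslog; append `local7.none` to those selectors if the commands should exist only in cmdhist.log. Check the mode of the new file as well and set it to something like 0640 root:adm, since command lines frequently carry passwords and other secrets typed as arguments.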
double:/# diff -pu /etc/logrotate.d/cmdhist.20071101 /etc/logrotate.d/cmdhist
--- /etc/logrotate.d/cmdhist.20071101 2007-11-02 01:53:38.000000000 -0500
+++ /etc/logrotate.d/cmdhist 2007-11-02 01:53:28.000000000 -0500
@@ -0,0 +1,6 @@
+/var/log/cmdhist.log {
+ daily
+ rotate 31
+ compress
+ missingok
+}
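Review bot: the stanza has no `postrotate` action, so after the rename syslogd keeps writing to the rotated file and nothing lands in a fresh /var/log/cmdhist.log until syslogd is restarted; add `create 0640 root adm` and a `postrotate` / `endscript` block that reloads syslogd (`/etc/init.d/sysklogd reload`). On Debian also check the sysklogd package's own cron.daily/cron.weekly scripts, which rotate the files named in syslog.conf through syslogd-listfiles, so cmdhist.log may end up rotated by two tools with different schedules. `rotate 31` with `daily` keeps roughly a month of history; decide whether that retention matches what the log is for.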
double:/# diff -pu /etc/hosts.allow.20071101 /etc/hosts.allow
--- /etc/hosts.allow.20071101 2007-11-02 02:03:35.000000000 -0500
+++ /etc/hosts.allow 2007-11-02 02:04:52.000000000 -0500
@@ -11,3 +11,4 @@
# rpc.mountd (the NFS mount daemon). See portmap(8), rpc.mountd(8) and
# /usr/share/doc/portmap/portmapper.txt.gz for further information.
#
+ALL: 10.0.49.0/24
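Review bot: `ALL: 10.0.49.0/24` opens every tcp-wrapped service, not only the ones the log server needs, to the whole subnet; list the services actually required (for example `sshd: 10.0.49.0/24`) instead of `ALL`. Verify too that this libwrap accepts the `/24` prefix form: the classic hosts_access(5) syntax is `10.0.49.0/255.255.255.0`, and a rule that does not parse will not match, which combined with the `ALL: ALL` deny below would lock the subnet out. Note that this file does not gate syslogd's 514/udp at all.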
double:/# diff -pu /etc/hosts.deny.20071101 /etc/hosts.deny
logger: unknown priority name: u.
--- /etc/hosts.deny.20071101 2007-11-02 02:03:45.000000000 -0500
+++ /etc/hosts.deny 2007-11-02 02:04:02.000000000 -0500
@@ -17,3 +17,4 @@
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
+ALL: ALL
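Review bot: with hosts.deny at `ALL: ALL` and hosts.allow naming only 10.0.49.0/24, wrapped services contacted from the machine itself (127.0.0.1), such as the portmap/rpc.mountd pair mentioned in the comment above, are now refused; add `ALL: 127.0.0.1` to hosts.allow if local clients need them, and test from both networks while keeping a second ssh session open so a mistake in hosts.allow does not lock you out.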
Then, the configuration on the servers whose commands we want to log:
default:~# diff -pu /etc/profile.20071101 /etc/profile
--- /etc/profile.20071101 2007-11-02 01:36:03.000000000 +0000
+++ /etc/profile 2007-11-02 01:41:10.000000000 +0000
@@ -36,3 +36,10 @@ if [ "$BASH" ]; then
# export TMOUT=300
fi
+function history_to_syslog
+{
+ declare cmd
+ cmd=$(fc -ln -0)
+ logger -p local7.notice — SESSION = $$, CMD =$cmd
+}
+trap history_to_syslog DEBUG
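Review bot: `$cmd` is expanded unquoted and the separator before `SESSION` is shown as an em-dash rather than `--`, so logger receives the words of the user's command as its own arguments: a command containing `*` is glob-expanded by the shell, and one whose words look like options is parsed by logger itself (the stray `logger: unknown priority name: u.` captured in the transcript above is exactly `diff -pu` being read as `-p u`). Use `logger -p local7.notice -t "bash[$$]" -- "user=$(id -un) tty=$(tty 2>/dev/null) cmd=$cmd"`, which also records who ran it; the PID alone does not attribute a line to a user. The function and `trap` are added after the `fi` that closes `if [ "$BASH" ]`, so every login shell sourcing /etc/profile runs them and a POSIX sh fails on the `function` keyword; move them inside that block. The DEBUG trap fires before each simple command, so a pipeline or loop logs the same history line several times; remember the history number (`fc -l -0` prints it) from the previous call and skip repeats, or log from PROMPT_COMMAND instead. Finally, this runs inside the user's own shell, so any user can `trap - DEBUG`, `set +o history`, or start another shell to stop it; treat it as accountability for cooperative users, not a tamper-resistant audit trail, and use host-level mechanisms such as process accounting or auditd for the latter.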
default:~# diff -pu /etc/syslog.conf.20071101 /etc/syslog.conf
--- /etc/syslog.conf.20071101 2007-11-02 01:47:22.000000000 +0000
+++ /etc/syslog.conf 2007-11-02 01:37:08.000000000 +0000
@@ -68,3 +68,5 @@ daemon.*;mail.*;
news.crit;news.err;news.notice;
*.=debug;*.=info;
*.=notice;*.=warn |/dev/xconsole
+
+local7.* @192.168.255.13
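Review bot: `@192.168.255.13` sends each command line as an unauthenticated, unencrypted UDP datagram with no delivery confirmation, so entries are silently lost whenever the log host or the network is down and anything on the path can read them; keep a local copy as well (`local7.* /var/log/cmdhist.log` next to this line) so gaps in the remote log can be reconciled, and restrict 514/udp on the path to this client subnet. The same `local7.none` exclusion as on the server applies here if the commands should not also land in /var/log/syslog.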