Remote Logging Using Syslog And Logging Shell Commands Remotely

While trying to come up with a simple keylogging solution that also logs remotely, I came across a pretty good one: use the audit package and alter bash.

One of the problems I came across was that many keyloggers could not log commands sent through an SSH connection; this setup does, on Fedora at least.

Edit /etc/rsyslog.conf and uncomment this line:

vi /etc/rsyslog.conf

*.* @192.168.18.1:514

Note: 192.168.18.1 is the address of the remote syslog server.

Install and run the following:

yum install -y audispd-plugins psacct
chkconfig psacct on
chkconfig rsyslog on
service rsyslog start
service psacct start

Edit the conf file to look like the following:

vi /etc/audisp/audisp-remote.conf

remote_server = 192.168.18.1
port = 514
##local_port =
transport = udp

Save the file and edit the following file:

vi /etc/audisp/plugins.d/syslog.conf

# This file controls the configuration of the
# syslog plugin. It simply takes events and writes
# them to syslog.

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

Save the file and restart rsyslog:

service rsyslog restart

On to altering the bash shell; first, determine which version the system is already using:

# bash --version
GNU bash, version 4.1.2(1)-release (i386-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

The installed version is 4.1.2, but the GNU project already has bash 4.2, so I am going to use that instead:

wget http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz
tar -xzvf bash-4.2.tar.gz
cd bash-4.2

Edit config-top.h and enable syslog history by making the SYSLOG_HISTORY block look as follows (the #define ships commented out):

vi config-top.h

#define SYSLOG_HISTORY
#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_USER
#  define SYSLOG_LEVEL LOG_INFO
#endif

On to the build:

./configure
make
make install
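The config-top.h edit above can be scripted and checked instead of being done by hand in vi, which matters if you build this bash on more than one box. This is an added example, not code from the original post; it assumes that bash 4.2 ships the directive commented out as /* #define SYSLOG_HISTORY */ (which is how its config-top.h reads), and the function names are my own:

```shell
#!/bin/sh
# Added example (not from the original post): enable SYSLOG_HISTORY in
# bash's config-top.h with sed instead of editing by hand, then verify it.
# Assumption: the stock header carries the directive commented out as
#   /* #define SYSLOG_HISTORY */
# which is how bash 4.2 ships it.

# enable_syslog_history FILE
# Uncomment the SYSLOG_HISTORY define in FILE. Idempotent: a header that
# is already enabled is left unchanged.
enable_syslog_history() {
    sed -i 's|^/\* *#define SYSLOG_HISTORY *\*/|#define SYSLOG_HISTORY|' "$1"
}

# syslog_history_enabled FILE
# Exit 0 when FILE has an active (uncommented) SYSLOG_HISTORY define,
# 1 otherwise. Run it as a guard before ./configure so a forgotten edit
# does not silently produce a bash that logs nothing.
syslog_history_enabled() {
    grep -q '^#define SYSLOG_HISTORY' "$1"
}

# make_sample_header FILE
# Write a constructed copy of the relevant lines of a stock config-top.h
# into FILE, so the functions above can be exercised outside a bash tree.
make_sample_header() {
    cat > "$1" <<'EOF'
/* Define if you want each line saved to the history list in bashhist.c:
   bash_add_history() to be sent to syslog(). */
/* #define SYSLOG_HISTORY */
#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_USER
#  define SYSLOG_LEVEL LOG_INFO
#endif
EOF
}

# Stand-alone demo on a temporary copy. In the real tree the target is
# bash-4.2/config-top.h, followed by ./configure && make && make install.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_header "$tmp"
    enable_syslog_history "$tmp"
    if syslog_history_enabled "$tmp"; then
        echo "SYSLOG_HISTORY enabled in $tmp"
    else
        echo "SYSLOG_HISTORY still disabled in $tmp" >&2
    fi
    rm -f "$tmp"
fi
```

In the bash source tree the same two calls become `enable_syslog_history config-top.h && syslog_history_enabled config-top.h && ./configure && make`, so the build never starts from an unmodified header.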

Replace bash:

mv bash bash2          # the freshly built binary, renamed so it does not clash with /bin/bash
mv bash2 /bin
cd /bin
bash2                  # start a shell from the new binary so the running shell is not the one being moved
mv bash bashorig       # set the original aside
bashorig               # start a shell from the original copy
mv bash2 bash          # the new, syslog-enabled bash now lives at /bin/bash
bash

Optional: rm bashorig -rf

service rsyslog restart

Now on your remote server syslog should be logging everything.
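To confirm that forwarded history records really arrive, and to see what they look like once they do, here is an added example (not part of the original post) that pulls the bash history records out of the file the remote rsyslog writes and summarises them per UID. It assumes the receiving rsyslog uses the traditional `<timestamp> <host> <tag>: <message>` layout, that bash 4.2 formats each record as `HISTORY: PID=<pid> UID=<uid> <command>` (or `HISTORY (TRUNCATED): ...` for lines over its 600-byte limit), and that the tag is `bash:` or `-bash:` depending on how the shell was started; the sample log lines, hostname and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): extract the per-command
# records that a SYSLOG_HISTORY-enabled bash emits from the remote syslog
# file and summarise them per UID. Audit, sshd and other lines are ignored.
# Assumed line layout (traditional rsyslog format, host in field 4):
#   Mar 10 12:00:01 host bash: HISTORY: PID=2345 UID=500 ls -la /etc

# history_records FILE
# Print one "host<TAB>uid<TAB>pid<TAB>truncated<TAB>command" line per
# bash history record found in FILE.
history_records() {
    awk '
        /HISTORY( \(TRUNCATED\))?: PID=[0-9]+ UID=[0-9]+ / {
            host  = $4
            trunc = ($0 ~ /HISTORY \(TRUNCATED\):/) ? "yes" : "no"
            match($0, /PID=[0-9]+ UID=[0-9]+ /)
            rec = substr($0, RSTART, RLENGTH)      # "PID=2345 UID=500 "
            cmd = substr($0, RSTART + RLENGTH)     # the command line itself
            split(rec, kv, /[= ]/)                 # kv[2]=pid, kv[4]=uid
            printf "%s\t%s\t%s\t%s\t%s\n", host, kv[4], kv[2], trunc, cmd
        }' "$1"
}

# commands_per_uid FILE
# Print "uid<TAB>count", busiest UID first.
commands_per_uid() {
    history_records "$1" | cut -f 2 | sort | uniq -c | sort -rn |
        awk '{ printf "%s\t%s\n", $2, $1 }'
}

# session_logged FILE UID
# Exit 0 when at least one bash history record for UID has reached FILE.
# Run a command over SSH as that user, then call this to prove the whole
# chain (modified bash -> local rsyslog -> remote rsyslog) is working.
session_logged() {
    history_records "$1" |
        awk -F '\t' -v uid="$2" '$2 == uid { found = 1 } END { exit found ? 0 : 1 }'
}

# write_sample_log FILE
# Constructed sample of what the remote log might contain; the truncated
# line is shortened here, real bash only marks lines over 600 bytes.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 10 12:00:01 fedora1 bash: HISTORY: PID=2345 UID=500 ls -la /etc
Mar 10 12:00:05 fedora1 sshd[2301]: Accepted publickey for alice from 192.168.18.20 port 52210 ssh2
Mar 10 12:00:09 fedora1 bash: HISTORY: PID=2345 UID=500 cat /etc/hosts
Mar 10 12:00:12 fedora1 -bash: HISTORY: PID=2402 UID=0 service psacct status
Mar 10 12:00:20 fedora1 bash: HISTORY (TRUNCATED): PID=2345 UID=500 echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Mar 10 12:00:30 fedora1 audispd: type=SYSCALL msg=audit(1268222430.123:501): arch=40000003 syscall=11 success=yes exit=0
EOF
}

# Stand-alone demo on the constructed sample. Against a live server point
# the functions at the file rsyslog writes (e.g. /var/log/messages).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "== history records =="; history_records "$tmp"
    echo "== commands per uid =="; commands_per_uid "$tmp"
    if session_logged "$tmp" 500; then echo "uid 500 session is being logged"; fi
    rm -f "$tmp"
fi
```

The parser deliberately keys on the `PID=... UID=...` prefix rather than on the syslog tag, so a login shell (`-bash:`) and a non-login shell (`bash:`) both match; audit events from audispd and the psacct accounting records are a different format and are not touched by it.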

References

http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-acco...
http://www.timkennedy.net/2010/12/07/recording-user-commands-to-syslog-o...
http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/
http://www.gnu.org/software/bash/bash.html
http://serverfault.com/questions/202044/sending-audit-logs-to-syslog-server
