<h2>Remote Logging Using Syslog And Logging Shell Commands Remotely</h2>
<p><a href="http://www.pacificsimplicity.ca/blog/remote-logging-using-syslog-and-logging-shell-commands-remotely">http://www.pacificsimplicity.ca/blog/remote-logging-using-syslog-and-logging-shell-commands-remotely</a></p>
<div class="field field-name-body field-type-text-with-summary field-label-hidden view-mode-rss view-mode-rss"><div class="field-items"><div class="field-item even" property="content:encoded">
<p>While trying to come up with a simple keylogging solution that also logs remotely, I came across a pretty good approach: use the audit package and alter bash so that it sends its history to syslog.</p>
<p>One of the problems I ran into was that many keyloggers cannot log commands sent through an SSH connection. This approach does, on Fedora at least.</p>
<p>Edit /etc/rsyslog.conf and uncomment this line:</p>
<p><span class="geshifilter"><code class="cpp geshifilter-cpp">vi /etc/rsyslog.conf</code></span></p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;">*.* @192.168.18.1:514</div> </div>
<p><b>Note:</b> this is the address of the remote server.</p>
<p>Install and run the following:</p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;">yum install -y audispd-plugins psacct<br /> chkconfig psacct on<br /> chkconfig rsyslog on<br /> service rsyslog start<br /> service psacct start</div> </div>
<p>Edit the audisp remote plugin's config file to look like the following:</p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;">vi /etc/audisp/audisp-remote.conf<br /> <br /> remote_server = 192.168.18.1<br /> port = 514<br /> ##local_port =<br /> transport = udp</div> </div>
<p>Save the file and edit the following file:</p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;">vi /etc/audisp/plugins.d/syslog.conf<br /> <br /> # This file controls the configuration of the<br /> # syslog plugin. It simply takes events and writes<br /> # them to syslog.<br /> <br /> active = yes<br /> direction = out<br /> path = builtin_syslog<br /> type = builtin<br /> args = LOG_INFO<br /> format = string</div> </div>
<p>Save the file and restart rsyslog:</p>
<p><span class="geshifilter"><code class="cpp geshifilter-cpp">service rsyslog restart</code></span></p>
<p>On to altering the bash shell, but first determine which version the system is already using:</p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;"># bash --version<br /> GNU bash, version 4.1.2(1)-release (i386-redhat-linux-gnu)<br /> Copyright (C) 2009 Free Software Foundation, Inc.<br /> License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;<br /> <br /> This is free software; you are free to change and redistribute it.<br /> There is NO WARRANTY, to the extent permitted by law.</div> </div>
<p>The installed version is 4.1.2, but the GNU project already has bash 4.2 out, so I am going to use that instead:</p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;">wget http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz<br /> tar -xzvf bash-4.2.tar.gz<br /> cd bash-4.2</div> </div>
<p>Edit config-top.h and enable syslog history by making the directive look as follows:</p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;">vi config-top.h<br /> <br /> #define SYSLOG_HISTORY<br /> #if defined (SYSLOG_HISTORY)<br /> #  define SYSLOG_FACILITY LOG_USER<br /> #  define SYSLOG_LEVEL LOG_INFO<br /> #endif</div> </div>
<p>On to the build:</p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;">./configure<br /> make<br /> make install</div> </div>
<p>Replace bash:</p>
<div class="geshifilter"> <div class="geshifilter-cpp" style="font-family: monospace;">mv bash bash2<br /> mv bash2 /bin<br /> cd /bin<br /> bash2<br /> mv bash bashorig<br /> bashorig<br /> mv bash2 bash<br /> bash</div> </div>
<p>Optional: <span class="geshifilter"><code class="cpp geshifilter-cpp">rm -rf bashorig</code></span></p>
<p><span class="geshifilter"><code class="cpp geshifilter-cpp">service rsyslog restart</code></span></p>
<p>Now syslog on your remote server should be logging everything.</p>
<h3>References</h3>
<p><a href="http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html">http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html</a><br /><a href="http://www.timkennedy.net/2010/12/07/recording-user-commands-to-syslog-on-secure-systems">http://www.timkennedy.net/2010/12/07/recording-user-commands-to-syslog-on-secure-systems</a><br /><a href="http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/">http://blog.rootshell.be/2009/02/28/bash-history-to-syslog/</a><br /><a href="http://www.gnu.org/software/bash/bash.html">http://www.gnu.org/software/bash/bash.html</a><br /><a href="http://serverfault.com/questions/202044/sending-audit-logs-to-syslog-server">http://serverfault.com/questions/202044/sending-audit-logs-to-syslog-server</a></p>
</div></div></div>
<p>Blog tags: Bash, rsyslog, syslog, remote logging, ssh</p>
<p>Mon, 31 Oct 2011 03:35:46 +0000, admin</p>
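<p>Because the post wires up two separate forwarding paths (rsyslog's <code>*.*</code> rule and audisp-remote) plus the audisp syslog plugin, a consistency check of the three edited files is worth having. The following is an added example, not code from the article: a POSIX shell script that reads those files, reports where each path sends, and fails on a missing forwarding rule or an inactive plugin. It understands only rsyslog's legacy <code>selector @host:port</code> syntax used in the post (one <code>@</code> is UDP, <code>@@</code> is TCP) and the <code>key = value</code> layout of the audisp files; the function names and the paths-as-parameters are this script's own.</p>

```shell
#!/bin/sh
# Added example (not from the article): verify the three files the post edits.
# Handles only rsyslog's legacy "selector @host[:port]" forwarding syntax (one @
# is UDP, @@ is TCP) and the "key = value" layout of the audisp configuration
# files. Function names and the path parameters are this script's own.

# rsyslog_forward_target FILE: print "<transport> <host> <port>" for the first
# uncommented forwarding rule, nothing if there is none. Port defaults to 514.
rsyslog_forward_target() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    NF >= 2 && $2 ~ /^@@?[^@:]+(:[0-9]+)?$/ {
        target = $2
        transport = (substr(target, 1, 2) == "@@") ? "tcp" : "udp"
        sub(/^@@?/, "", target)
        n = split(target, parts, ":")
        print transport, parts[1], (n > 1 ? parts[2] : 514)
        exit
    }' "$1"
}

# audisp_value KEY FILE: print the value of "KEY = value", ignoring comment lines
# (so the post's "##local_port =" stays unset). Prints nothing if KEY is absent.
audisp_value() {
    awk -F= -v key="$1" '
    /^[ \t]*#/ { next }
    {
        k = $1; v = $2
        gsub(/^[ \t]+|[ \t]+$/, "", k)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; exit }
    }' "$2"
}

# check_remote_logging [RSYSLOG_CONF] [AUDISP_REMOTE_CONF] [AUDISP_SYSLOG_CONF]:
# print a report; return 0 only if rsyslog forwards somewhere and the audisp
# syslog plugin is active. Two different collectors are only noted, not failed.
check_remote_logging() {
    rsyslog_conf="${1:-/etc/rsyslog.conf}"
    audisp_remote="${2:-/etc/audisp/audisp-remote.conf}"
    audisp_syslog="${3:-/etc/audisp/plugins.d/syslog.conf}"
    status=0

    fwd="$(rsyslog_forward_target "$rsyslog_conf")"
    if [ -z "$fwd" ]; then
        echo "FAIL: no forwarding rule in $rsyslog_conf (expected something like '*.* @192.168.18.1:514')"
        status=1
    else
        set -- $fwd    # $1=transport $2=host $3=port (positional params are local to the function)
        echo "rsyslog forwards to $2:$3 over $1"
        if [ "$1" = "udp" ]; then
            echo "NOTE: UDP forwarding is unacknowledged; datagrams dropped on the way to $2 are lost silently"
        fi
    fi

    a_host="$(audisp_value remote_server "$audisp_remote")"
    a_port="$(audisp_value port "$audisp_remote")"
    a_transport="$(audisp_value transport "$audisp_remote")"
    echo "audisp-remote sends to ${a_host:-<unset>}:${a_port:-<unset>} over ${a_transport:-<unset>}"
    if [ -n "$fwd" ] && [ "$a_host:$a_port" != "$2:$3" ]; then
        echo "NOTE: audisp-remote and rsyslog point at different collectors"
    fi

    active="$(audisp_value active "$audisp_syslog")"
    if [ "$active" != "yes" ]; then
        echo "FAIL: audisp syslog plugin is not active in $audisp_syslog (active = ${active:-<unset>})"
        status=1
    fi
    return $status
}

# Run when invoked with the three file paths; otherwise only define the functions.
if [ $# -eq 3 ]; then
    check_remote_logging "$1" "$2" "$3"
fi
```

<p>Run it on the configured host as <code>sh check_remote_logging.sh /etc/rsyslog.conf /etc/audisp/audisp-remote.conf /etc/audisp/plugins.d/syslog.conf</code>, or point it at copies. The UDP note matters for this setup: a single <code>@</code> forwards without acknowledgement, so a collector outage or dropped datagrams lose exactly the command records the configuration exists to keep.</p>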
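<p>Once the rebuilt bash is in place, the collector receives one syslog line per command. Here is an added example that is not part of the original post: a POSIX shell script that parses those lines out of a traditional-format syslog file and tallies commands per host and UID. It relies on the message format bash's <code>bash_syslog_history()</code> emits when <code>SYSLOG_HISTORY</code> is defined (<code>HISTORY: PID=&lt;pid&gt; UID=&lt;uid&gt; &lt;command&gt;</code>, or <code>HISTORY (TRUNCATED):</code> for over-long lines). The sample log lines, hostnames and PIDs are constructed, and the assumptions that rsyslog writes its traditional timestamp/host/tag layout and that the tag is <code>bash:</code> or <code>-bash:</code> are mine, not the article's.</p>

```shell
#!/bin/sh
# Added example (not from the article): parse bash SYSLOG_HISTORY records out of a
# traditional-format syslog file on the collector and tally them per host and UID.
#
# Assumed input layout (rsyslog traditional template):
#   <Mon> <day> <HH:MM:SS> <host> <tag>: <message>
# where the tag is "bash:" or "-bash:" (login shell) and the message is what
# bash's bash_syslog_history() emits:
#   HISTORY: PID=<pid> UID=<uid> <command line>
#   HISTORY (TRUNCATED): PID=<pid> UID=<uid> <first part of an over-long line>

# Constructed sample lines standing in for /var/log/messages on the remote server.
SAMPLE_LOG='Oct 31 03:35:46 web01 bash: HISTORY: PID=4321 UID=500 ls -la /var/log
Oct 31 03:35:50 web01 bash: HISTORY: PID=4321 UID=500 sudo tail -f /var/log/messages
Oct 31 03:36:02 web01 -bash: HISTORY: PID=4410 UID=0 yum install -y audispd-plugins psacct
Oct 31 03:36:10 db01 bash: HISTORY (TRUNCATED): PID=2201 UID=501 for i in $(seq 1 1000); do echo
Oct 31 03:36:15 web01 sshd[4300]: Accepted publickey for jdoe from 192.168.18.50 port 52000 ssh2'

# parse_history: stdin = syslog lines; stdout = one tab-separated record per
# history event: host, uid, pid, truncated (0/1), command. Other lines are dropped.
# awk's default field splitting collapses runs of spaces inside the command.
parse_history() {
    awk '
    $5 !~ /^-?bash:$/ { next }
    {
        if ($6 == "HISTORY:")                              { trunc = 0; i = 7 }
        else if ($6 == "HISTORY" && $7 == "(TRUNCATED):")  { trunc = 1; i = 8 }
        else next
        pid = $i; uid = $(i + 1)
        if (pid !~ /^PID=[0-9]+$/ || uid !~ /^UID=[0-9]+$/) next
        sub(/^PID=/, "", pid); sub(/^UID=/, "", uid)
        cmd = ""
        for (j = i + 2; j <= NF; j++) cmd = (j == i + 2) ? $j : cmd " " $j
        printf "%s\t%s\t%s\t%d\t%s\n", $4, uid, pid, trunc, cmd
    }'
}

# count_by_uid: stdin = parse_history output; stdout = "host uid count", sorted.
count_by_uid() {
    awk -F'\t' '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | parse_history | count_by_uid
```

<p>On the collector, feed it the real file: <code>parse_history &lt; /var/log/messages | count_by_uid</code>. Treat that file as sensitive once this setup is live; command lines typed at a prompt routinely carry passwords and tokens as arguments, and every one of them is now stored on the remote server.</p>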