Remote Logging Using Syslog And Logging Shell Commands Remotely
While trying to come up with a simple keylogging solution that provides remote logging, I came across a pretty good approach: use the audit package and alter bash.
One of the problems I came across was that many keyloggers could not log commands sent over an SSH connection. This setup does, on Fedora at least.
Edit /etc/rsyslog.conf and uncomment this line:
vi /etc/rsyslog.conf
Note: this step is done on the remote server (the log collector).
Install and run the following:
yum install -y audispd-plugins psacct
chkconfig psacct on
chkconfig rsyslog on
service rsyslog start
service psacct start
Edit the audisp remote-logging plugin's conf file so the relevant directives look like the following (192.168.18.1 is the remote syslog server):
remote_server = 192.168.18.1
port = 514
##local_port =
transport = udp
Save the file, then edit the audisp syslog plugin's conf file so it reads as follows:
# This file controls the configuration of the
# syslog plugin. It simply takes events and writes
# them to syslog.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
Save the file and restart rsyslog:
service rsyslog restart
On to altering the bash shell, but first determine what version the system is already using:
bash --version
GNU bash, version 4.1.2(1)-release (i386-redhat-linux-gnu)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
The version is 4.1.2, but the GNU project has the next version of bash at 4.2, so I am going to use that instead. Download http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz and unpack it:
tar -xzvf bash-4.2.tar.gz
cd bash-4.2
Edit the config file and enable syslog history by making the directives look as follows (the first line is commented out by default):
#define SYSLOG_HISTORY
#if defined (SYSLOG_HISTORY)
# define SYSLOG_FACILITY LOG_USER
# define SYSLOG_LEVEL LOG_INFO
#endif
On to the build:
./configure   # generate the Makefile for this system before building
make
make install
Replace bash:
mv bash2 /bin        # bash2 is the newly built binary, copied out of the build tree under that name
cd /bin
bash2                # test-run the new shell
mv bash bashorig     # keep the original shell as a fallback
bashorig
mv bash2 bash
bash
Optional: rm -rf bashorig
service rsyslog restart
Now on your remote server syslog should be logging everything.