Mailing List Archive



Re: [tlug] command-line recording...



On 2009-09-26 22:41 +0900 (Sat), Bruno Raoult wrote:

> Well, if you don't have an answer to my question, please do not answer by
> writing that my question is not good...

Sorry. I was just trying to help find a good solution to whatever
your mysterious problem might really be, by trying to understand what
you really want. If you don't want whatever help and comments people
are willing to offer, especially when you won't tell them what you're
looking for in any but a very vague way, I suggest you not post your
questions.

> If you know a way to log commands, please tell me. If you don't, well,

I know many ways to log "commands," but which ones work depends on what a
"command" is (more on this below), and all have various advantages and
disadvantages; some also have major security issues that could really
bite someone who's unwary.

On 2009-09-27 00:01 +0900 (Sun), Stephen J. Turnbull wrote:

> http://catb.org/~esr/faqs/smart-questions.html

Let me quote a particularly relevant bit:

    Describe the goal, not the step

    If you are trying to find out how to do something (as opposed to
    reporting a bug), begin by describing the goal. Only then describe
    the particular step towards it that you are blocked on.

    Often, people who need technical help have a high-level goal in mind
    and get stuck on what they think is one particular path towards the
    goal. They come for help with the step, but don't realize that the
    path is wrong. It can take substantial effort to get past this.


On 2009-09-26 23:27 +0900 (Sat), Stephen J. Turnbull wrote:

> "keystroke logger" is what you mean to say, I think.

Yup.

> Er ... doesn't sudo log every command it executes?

It does, and I'd thought of that. However, I can't seem to get enough
information out of Bruno about the problem to see if sudo could be
adapted to his needs, and I wasn't about to waste a lot of time
speculating about what his problem might or might not be, to see if sudo
might fit.

Note that sudo, as with the keylogger solution, also does not record the
same thing that script would.

> Of course, what will happen is people who know they're going to type a
> lot of commands will sudo su thatuser ....

This can be prevented.

On 2009-09-27 00:30 +0900 (Sun), tlug@example.com wrote:

> Easy solution: auditd provides exec logging with arguments.

This is also not logging the same thing as script would be. Keep in
mind that it's not going to log the actual command typed in (because
that's subject to shell processing) and won't log any "command" that's
performed by the shell itself (such as emptying irretrievably an
important data file by typing something like ">/http/server/log").

> The `ausearch` example on the following page illustrates how the EXECVE log 
> captures what you are asking for above.

It's not capturing at all what he asked for, if he was really asking for
the equivalent of what "script" logs.

> I do not recommend the hacks that are being discussed in other branches of 
> this thread.  If you consider those, you may as well just ask the developers 
> to avoid messing with their history and read the commands from the history 
> files, because any user who wants to circumvent the "auditing" could easily 
> do so.

From the description we have so far, it's not a problem if users
circumvent the auditing, so long as they don't do it by writing the log
file being created.

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974
           Functional programming in all senses of the word:
                   http://www.starling-software.com
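
The gap described in the message above (exec logging never sees an action the shell performs itself) can be checked with the following added example, which is not part of the original message. It runs each typed line in a child shell that cannot find any external program; the directory /nonexistent-dir and the temporary target file are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration: which typed lines can empty a file with no exec at all?

# Resolve the shell's absolute path before PATH is broken for the child.
SHELL_BIN=$(command -v sh)

# Run a typed line in a child shell whose PATH points nowhere, so every
# attempt to exec an external program fails (status 127).
# $1 = line as typed, $2 = target file, visible to the line as $f.
run_without_exec() {
    f="$2" PATH=/nonexistent-dir "$SHELL_BIN" -c "$1" 2>/dev/null
}

# Returns 0 when the line succeeded and emptied the file without any exec.
# An exec-based audit trail then holds only the shell's own start-up,
# not the action that destroyed the data.
truncates_without_exec() (
    target=$(mktemp) || exit 2
    printf 'important data\n' > "$target"
    status=0
    run_without_exec "$1" "$target" || status=$?
    emptied=1
    if [ -s "$target" ]; then emptied=0; fi
    rm -f "$target"
    [ "$status" -eq 0 ] && [ "$emptied" -eq 1 ]
)

# Constructed sample lines: two shell-internal, one that needs /bin/cat.
for line in '> "$f"' ': > "$f"' 'cat /dev/null > "$f"'; do
    if truncates_without_exec "$line"; then
        echo "no exec needed (invisible to exec logging): $line"
    else
        echo "needs an exec (program and arguments logged): $line"
    fi
done
```

Even for the third line, the exec record holds only the program and its arguments; the redirection target is handled by the shell and is not among them. Covering the write itself takes a watch on the file, for example `auditctl -w <path> -p wa -k <key>` with placeholder path and key.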

