Slashzerø » Linux

Shell session logging

abx21 — Sun, 22 Nov 2009 00:48:14 +0000

pam_tty_audit.so

How come no one ever told me about this! A while ago we were tasked to find a way to log all commands executed by root. I know bash_history is easily manipulated so I spent some time on google trying to find a logging shell, then got distracted by something shiny and forgot all about this task. Turns out the linux auditing system has a built-in tty logging accounting module that will log all tty sessions! Just add this to your pam stack (/etc/pam.d/system-auth on redhat and clones):

session required pam_tty_audit.so disable=* enable=root

Then run a few commands as root, and the aureport command will become your friend:

audit]# aureport --tty -ts today

TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 11/22/2009 00:07:52 132278 1040 ? 4294962295 bash "hello world",

UPDATE:

You need a newer version of the audit rpm package, tty info will be collected but aureport does not know how to display them.

https://bugzilla.redhat.com/show_bug.cgi?id=497518

Linux commands I can’t live without: screen

abx21 — Sat, 16 Aug 2008 17:48:23 +0000

I don’t immagine that Screen needs a big introduction. For those that don’t know, screen is a window-manager. One might ask I use XTerm or Konsole or Terminal in gnome, what do I use this for??? Well one of the big features of screen is that you can detach you session from you current console, go to a different computer, and reconnect to the same screen session. You can start a command process at work, drive home, and reconnect to the still running window.

To start a new screen session just type “screen”. You will see a welcome screen, just start typing away as if you are in a regular terminal session. Need a new window? “CTRL-A c” will create one. “CTRL-A p” goes to your previous screen, “CTRL-A n” goes to your next screen. When you get to the last screen it just goest back to the first one.

So now you are ready to detach, “CTRL-d” detaches. When you want to reconnect, I usually do a “screen -dr”, the d will detach the screen session if I had forgotten to before exiting then connect.

One feature I use a lot, especially when working with network gear, is the screenloging. I connect to my router, type “CTRL-A H” to create a logfile, anything on the screen after that will get logged to the screenlog file. Then if I do a “show run” my router config is saved incase I mess things up.

One final usage of screen that I empoy is as a serial interface, I connect my routers via serial to my linux laptop, then fire up screen like this “screen 9600 /dev/ttyS0″ and voila. Buy a bunch of usb serial dongles and build your own Serial Console server this way. Turn on screenlogging and you can capture router error messages ghetto style.

ESXi… EPIC FAIL!!!

abx21 — Wed, 13 Aug 2008 13:36:51 +0000

“This product has expired, Be sure that your host machine’s date and time are set correctly.”

Way to go, I had to set the clock back to last week on my ESXi console. There goes my VMWare consolidation proposal at work.

I wouldn’t want to be the poor developer that forgot to take out the “if date = august 12 2008 then fail” line of code.

Yet another useful Linux Command

abx21 — Sat, 02 Aug 2008 15:04:32 +0000

Ever had to run a command on 30 servers at once and are too lazy to write a for loop at the command prompt? Try Cluster SSH. What this tool does is open up an xterm to each server specified on the command line and sends what you type to all screens. It can be a lifesaver sometimes, even if it is no replacement to Cfengine or Puppet or another configuration management solution.

Linux commands I never knew existed: Pipe Viewer

abx21 — Mon, 28 Jul 2008 17:33:22 +0000

I have been using linux since about 1995, and it still surprises me how creative the people who contribute code and work on projects are. The other day I had to image a bunch of machines, they all needed to be 100% identical, so I figured I would just use “dd” and send to output over to each slave machine using netcat. For anyone who has ever done this before, it can be a bit hard to figure out how fast data is being sent over to the system being imaged. This is where Pipe Viewer came in handy. Quite simply this app reports the bitrate that the data is sent over a unix pipe. Brilliant.

It is not installed by default in debian, so the following will install the app.

user@slashzero-desktop:~$ sudo aptitude install pv

Once installed, passing the “–help” parameter will list the basic options.

user@slashzero-desktop:~$ pv --help Usage: pv [OPTION] [FILE]... Concatenate FILE(s), or standard input, to standard output, with monitoring. -p, --progress show progress bar -t, --timer show elapsed time -e, --eta show estimated time of arrival (completion) -r, --rate show data transfer rate counter -b, --bytes show number of bytes transferred -f, --force output even if standard error is not a terminal -n, --numeric output percentages, not visual information -q, --quiet do not output any transfer information at all -c, --cursor use cursor positioning escape sequences -W, --wait display nothing until first byte transferred -s, --size SIZE set estimated data size to SIZE bytes -l, --line-mode count lines instead of bytes -i, --interval SEC update every SEC seconds -w, --width WIDTH assume terminal is WIDTH characters wide -H, --height HEIGHT assume terminal is HEIGHT rows high -N, --name NAME prefix visual information with NAME -L, --rate-limit RATE limit transfer to RATE bytes per second -B, --buffer-size BYTES use a buffer size of BYTES -R, --remote PID update settings of process PID -h, --help show this help and exit -V, --version show version information and exit Please report any bugs to Andrew Wood .

And here is a quick example, this command tar’s up a directory and send the output to gzip, showing a rate of 223MB/s:

user@slashzero-desktop:/home$ tar zcf - user | pv /bin/gzip > /tmp/backup.tar.gz 59.7kB 0:00:00 [ 223MB/s] [===========================================>] 100%

Incredibly useful stuff.

You learn something new everyday

admin — Fri, 25 Jul 2008 16:46:55 +0000

I recently was in a situation where I wanted to copy a file from one server to another. The problem was that these two servers could not directly connect to each other, the one server that could talk to both endpoints did not have enough diskspace, and the only port open was ssh. A collegue dropped a bit of knowledge on me. Both endpoints of an scp command can be remote. Who knew so this command from server B:

serverB:/ scp user@serverA:/file user@serverC:/file

Actually works. I love linux. It’s awesome