Slashzerø » Linux http://www.slashzero.com Random and Useless Thoughts on Everything Wed, 31 Mar 2010 20:46:18 +0000 en hourly 1 http://wordpress.org/?v=3.0 Shell session logging http://www.slashzero.com/2009/11/shell-session-logging/ http://www.slashzero.com/2009/11/shell-session-logging/#comments Sun, 22 Nov 2009 00:48:14 +0000 abx21 http://www.slashzero.com/?p=117 [...]]]> pam_tty_audit.so

How come no one ever told me about this!  A while ago we were tasked to find a way to log all commands executed by root.  I know bash_history is easily manipulated so I spent some time on google trying to find a logging shell, then got distracted by something shiny and forgot all about this task.  Turns out the linux auditing system has a built-in tty logging accounting module that will log all tty sessions!  Just add this to your pam stack (/etc/pam.d/system-auth on redhat and clones):

session required pam_tty_audit.so disable=* enable=root

Then run a few commands as root, and the aureport command will become your friend:

audit]# aureport --tty -ts today
TTY Report
===============================================
# date time event auid term sess comm data
===============================================
1. 11/22/2009 00:07:52 132278 1040 ? 4294962295 bash "hello world",<ret>

UPDATE:

You need a newer version of the audit rpm package, tty info will be collected but aureport does not know how to display them.

https://bugzilla.redhat.com/show_bug.cgi?id=497518

Share/Bookmark

]]> http://www.slashzero.com/2009/11/shell-session-logging/feed/ 0 Linux commands I can’t live without: screen http://www.slashzero.com/2008/08/linux-command-i-cant-live-without-screen/ http://www.slashzero.com/2008/08/linux-command-i-cant-live-without-screen/#comments Sat, 16 Aug 2008 17:48:23 +0000 abx21 http://www.slashzero.com/?p=87 [...]]]> I don’t immagine that Screen needs a big introduction.  For those that don’t know, screen is a window-manager.  One might ask I use XTerm or Konsole or Terminal in gnome, what do I use this for???  Well one of the big features of screen is that you can detach you session from you current console, go to a different computer, and reconnect to the same screen session.   You can start a command process at work, drive home, and reconnect to the still running window.

To start a new screen session just type “screen”. You will see a welcome screen, just start typing away as if you are in a regular terminal session. Need a new window? “CTRL-A c” will create one. “CTRL-A p” goes to your previous screen, “CTRL-A n” goes to your next screen.  When you get to the last screen it just goest back to the first one.

So now you are ready to detach, “CTRL-d” detaches.  When you want to reconnect, I usually do a “screen -dr”, the d will detach the screen session if I had forgotten to before exiting then connect.

One feature I use a lot, especially when working with network gear, is the screenloging.  I connect to my router, type “CTRL-A H” to create a logfile, anything on the screen after that will get logged to the screenlog file.  Then if I do a “show run” my router config is saved incase I mess things up.

One final usage of screen that I empoy is as a serial interface, I connect my routers via serial to my linux laptop, then fire up screen like this “screen 9600 /dev/ttyS0″ and voila.  Buy a bunch of usb serial dongles and build your own Serial Console server this way.  Turn on screenlogging and you can capture router error messages ghetto style.

Share/Bookmark

]]> http://www.slashzero.com/2008/08/linux-command-i-cant-live-without-screen/feed/ 0