Bash Command Logger with Curl Support
There is a great project called Bash Paranoia. Right now their site is down so I can't link to it. It's a patch for bash that logs every command a user runs to syslog. I took this one step further and added curl support, so each command can also be POSTed to a web endpoint.
The bash paranoia patch and my curl addition can be found on my GitHub project page:
http://github.com/mzupan/bash-paranoia-curl
My patch lives in the GitHub repository above. Right now it only works on 64-bit systems. It should be easy to make it work on 32-bit systems: edit the part of the patch file at the bottom where Makefile.in is patched and change lib64 to lib.
To install these patches, run the following commands from the directory holding the bash-3.2 source tarball. My curl patch needs the base paranoia patch applied first; I don't think it will even apply on its own. Note the different -p levels for the two patches.
wget http://zcentric.com/files/bash-paranoia.patch
wget http://zcentric.com/files/bash-paranoia-curl.patch
tar zxf bash-3.2.tar.gz
cd bash-3.2
patch -p0 < ../bash-paranoia.patch
patch -p1 < ../bash-paranoia-curl.patch
./configure --enable-paranoia # you can add other configure flags here
make
make install
That will get you going. The next time you log in (if bash is your default shell) you will see lines like the following in your logs (on Red Hat that is /var/log/messages):
Mar 9 15:24:02 263724-mgmt1 bash: user: mzupan as root from ip: 192.168.71.154:pts/0 execs: 'cat /var/log/messages'
There you go: a nice little command logger that will tell you most of what you need to keep tabs on users. Keep in mind it only sees what goes through the patched bash. A user who starts another shell or interpreter leaves no trace after that point, so treat it as an audit aid rather than a hard control.
If you also want to append the entries to a database somewhere, curl and a web endpoint are the simplest solution. Note that the patched shell posts to that URL over plain HTTP and the endpoint below does nothing to authenticate the sender, so anyone who can reach it can insert bogus entries and anyone on the path can read the commands; keep it on a management network at the very least. My database looks like this:
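Once these lines are in syslog you want something that reads them back. The following is an added example, not part of the original post or the bash-paranoia project: it parses the log format shown above into fields (the field layout is assumed from that one line; the patch is assumed to write straight quotes around the command) and flags the events a reviewer would want to look at first. The flag heuristics (commands run as a different account than the login, commands that touch the logger's own config or output, and escapes into another shell, which is exactly what this logger cannot see) are this example's own choices, and the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field layout assumed from the single log line shown in the post:
#   <timestamp> <host> bash: user: <login> as <run-as> from ip: <ip>:<tty> execs: '<command>'
# The command is matched greedily up to the final quote, since the command
# text can itself contain quotes.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) bash: "
    r"user: (?P<user_login>\S+) as (?P<user_run>\S+) "
    r"from ip: (?P<ip>[^:\s]+):(?P<session>\S+) execs: '(?P<command>.*)'$"
)


@dataclass
class CommandEvent:
    ts: str
    host: str
    user_login: str
    user_run: str
    ip: str
    session: str
    command: str


def parse_line(line: str) -> Optional[CommandEvent]:
    """Return the parsed event, or None for lines the paranoia patch did not write."""
    m = LINE_RE.match(line.rstrip("\n"))
    return CommandEvent(**m.groupdict()) if m else None


# Heuristics chosen for this example (assumptions, not from the post).
WATCHED_PATHS = ("/etc/bash.conf", "/etc/syslog.conf", "/var/log/")
OTHER_SHELLS = {"sh", "dash", "ksh", "zsh", "csh", "tcsh", "python", "perl"}


def classify(ev: CommandEvent) -> List[str]:
    """Return the list of flags raised by one event (empty if nothing is interesting)."""
    flags: List[str] = []
    # su/sudo sessions show up as "<login> as root": worth a look every time.
    if ev.user_login != ev.user_run:
        flags.append("runs-as-other-user")
    # Anyone editing the logger's config or its output can blind it.
    if any(p in ev.command for p in WATCHED_PATHS):
        flags.append("touches-logging-path")
    # Starting another shell or interpreter leaves the patched bash: nothing typed
    # inside it is logged, so the escape itself is the last thing you will see.
    words = ev.command.split()
    if words and words[0] == "exec":
        words = words[1:]
    if words and words[0].rsplit("/", 1)[-1] in OTHER_SHELLS:
        flags.append("shell-escape")
    return flags


def scan(lines: List[str]) -> List[Tuple[CommandEvent, List[str]]]:
    """Parse each line and keep only the events that raised at least one flag."""
    hits: List[Tuple[CommandEvent, List[str]]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        flags = classify(ev)
        if flags:
            hits.append((ev, flags))
    return hits


# Constructed sample: the line from the post plus a few made-up ones in the same format,
# and one unrelated syslog line that the parser must skip.
SAMPLE_LOG = [
    "Mar 9 15:24:02 263724-mgmt1 bash: user: mzupan as root from ip: 192.168.71.154:pts/0 execs: 'cat /var/log/messages'",
    "Mar 9 15:25:10 263724-mgmt1 bash: user: mzupan as mzupan from ip: 192.168.71.154:pts/0 execs: 'ls -la'",
    "Mar 9 15:26:44 263724-mgmt1 bash: user: mzupan as mzupan from ip: 192.168.71.154:pts/0 execs: 'exec /bin/sh'",
    "Mar 9 15:27:01 263724-mgmt1 bash: user: mzupan as root from ip: 192.168.71.154:pts/0 execs: 'vi /etc/bash.conf'",
    "Mar 9 15:27:30 263724-mgmt1 sshd[4242]: Accepted publickey for mzupan from 192.168.71.154 port 50122 ssh2",
]

if __name__ == "__main__":
    for ev, flags in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} {ev.user_login}->{ev.user_run} {ev.session}: {ev.command!r} {flags}")
```

Running it over the sample prints three of the four bash lines: the two root commands (both of which also touch a logging path) and the `exec /bin/sh` escape; the plain `ls -la` and the sshd line produce nothing. Feed it the real file with `scan(open("/var/log/messages").readlines())` and extend WATCHED_PATHS to whatever your logging pipeline actually depends on.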
CREATE TABLE `commandlog` (
  `id` int(11) NOT NULL auto_increment,
  `server` varchar(100) NOT NULL,
  `user_login` varchar(100) NOT NULL,
  `user_run` varchar(100) NOT NULL,
  `ip` varchar(100) NOT NULL,
  `session` varchar(100) NOT NULL,
  `command` longtext NOT NULL,
  `ts` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;
And the endpoint the shell posts to is a small PHP script. Everything except $server comes from the client, so the values are bound as parameters rather than pasted into the SQL string (a command containing a quote would otherwise break the INSERT, and a hostile one could inject SQL into the log database). The DSN and credentials are placeholders:
<?php
$server     = $_SERVER['REMOTE_ADDR'];
$user_login = $_POST['user_login'];
$user_run   = $_POST['user_run'];
$ip         = $_POST['ip'];
$session    = $_POST['session'];
$command    = $_POST['command'];
$ts         = date('Y-m-d H:i:s'); // ts is a DATETIME column; a raw time() epoch would not insert cleanly

// Bind the values instead of interpolating them into the query string.
$db = new PDO('mysql:host=localhost;dbname=commandlog', 'logwriter', 'secret'); // adjust DSN and credentials
$stmt = $db->prepare('INSERT INTO commandlog (server,user_login,user_run,ip,session,command,ts)
                      VALUES (?,?,?,?,?,?,?)');
$stmt->execute(array($server, $user_login, $user_run, $ip, $session, $command, $ts));
?>
The endpoint URL goes in /etc/bash.conf:
URL=http://1.1.1.1/endpoint/
It would be much more powerful if you thought about implementing something similar for CouchDB (or its alternatives). It has a RESTful API and will allow you quite a bit of flexibility with its map reduce functionality (especially when using it with numerous servers).
Neat idea though
Thanks, I'll look into that option.
would be really cool if you could update this to bash-4.1
Both those patches applied fine to the vanilla 4.1 source tree but ./configure wouldn't work. Here is what I had to do.
Run ./configure alone; the first few lines of output it spits out give the build and host type:
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
Then I did this:
autoconf
./configure --host=x86_64-unknown-linux-gnu --build=x86_64-unknown-linux-gnu --enable-paranoia
make
make install
Then it worked.
Thanks for the tip, but I get this error when running make under FreeBSD 8.1. If you could help I'd appreciate it; if not, thanks for your time.
gcc -DPROGRAM='"bash"' -DCONF_HOSTTYPE='"x86_64"' -DCONF_OSTYPE='"freebsd81"' -DCONF_MACHTYPE='"x86_64-unknown-freebsd81"' -DCONF_VENDOR='"unknown"' -DLOCALEDIR='"/usr/local/share/locale"' -DPACKAGE='"bash"' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -I/usr/local/include -g -O2 -c bashhist.c
bashhist.c: In function 'paranoia_log_through_utmp':
bashhist.c:930: warning: assignment makes pointer from integer without a cast
bashhist.c:940: error: 'struct utmp' has no member named 'ut_user'
*** Error code 1
Stop in /usr/home/sbp/bash-4.1.
It looks like FreeBSD switched from utmp to utmpx, which is breaking the compile. I don't have access to a FreeBSD system at this time to try to debug the change.
Thanks for your tips!
but I want your help! I'm sorry, my English is poor.
My server has CentOS 5.5 or RHEL 5.5 installed, so the default bash
version is 3.2.25(1).
I don't want to change the bash version to 4.1; maybe something would go wrong with my applications.
So I downloaded the latest version of bash 3.2:
http://ftp.gnu.org/gnu/bash/bash-3.2.48.tar.gz
I only want to log bash commands to syslog; I don't need it to work with curl support.
I followed your tips, but it doesn't work.
Can you tell me the details? I just need syslog, not curl support, and don't need to use /etc/bash.conf.
————————-
server A
vi /etc/syslog.conf
local6.* @172.20.2.16
———————–
logserver B ( 172.20.2.16 )
# vi /etc/syslog.conf
local6.* /var/log/all.log
# vi /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r"
Thank you very much!
You can't use bash-3.2.48.tar.gz. Use bash-3.2.tar.gz instead; it will happily take the patch. However, I had to force-define PARANOIA in the first patch, changing
+if test $opt_paranoia = yes; then
+AC_DEFINE(PARANOIA)
+fi
if test $opt_alias = yes; then
AC_DEFINE(ALIAS)
fi
to
+AC_DEFINE(PARANOIA)
if test $opt_alias = yes; then
AC_DEFINE(ALIAS)
fi
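Review bot: the unconditional AC_DEFINE(PARANOIA) in the second form makes the --enable-paranoia switch meaningless, since the logging is then compiled in whether or not the option is passed to ./configure. The original guarded form (`if test $opt_paranoia = yes; then` / `AC_DEFINE(PARANOIA)` / `fi`) is the right one; if $opt_paranoia is not set to yes at configure time, the likelier cause is that the configure script was not regenerated from the patched configure.in, which the earlier reply in this thread dealt with by running autoconf before ./configure.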
Patch for 3.2.48 (basically same thing) http://www.securityhacking.info/2011/05/bash-3-2-48-log-commands-to-syslog-with-paranoia-patch/