There is a great project called Bash Paranoia. Right now their site is busted so I can’t link to it. Its a patch that applies to bash that allows commands to be logged to syslog. I basically took this one step further and added curl support.
The bash paranoia patch and my curl addition can be found on my GitHub project page
Below is my patch I wrote. Right now it will only work with 64bit systems. It should be easy to make it work with 32bit systems if you edit the patch file at the bottom where I patch Makefile.in. Change the lib64 to lib and you should be good to go
Now if you want to install these patches you would run the following commands. My curl patch needs the base paranoia patch to work. I don’t even think it will apply alone.
tar zxf bash-3.2.tar.gz
patch -p0 < ../bash-paranoia.patch
patch -p1 < ../bash-paranoia-curl.patch
./configure ––enable-paranoia #you can include other configure flags here
That will get you going and the next time you login (if bash if your default shell) you will see the following in your logs (for redhat is is /var/log/messages)
Mar 9 15:24:02 263724-mgmt1 bash: user: mzupan as root from ip: 192.168.71.154:pts/0 execs: ‘cat /var/log/messages’
There you go a nice little command logger that will tell you most of what you need to do to keep tabs on users.
Now if you want to also append this to a db somewhere then curl and a web endpoint is the best solution. So my database look like
CREATE TABLE `commandlog` (`id` int(11) NOT NULL auto_increment,`server` varchar(100) NOT NULL,`user_login` varchar(100) NOT NULL,`user_run` varchar(100) NOT NULL,`ip` varchar(100) NOT NULL,`session` varchar(100) NOT NULL,`command` longtext NOT NULL,`ts` datetime NOT NULL,PRIMARY KEY (`id`)) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;
$server = $_SERVER[‘REMOTE_ADDR’];$user_login = $_POST[‘user_login’];
$user_run = $_POST[‘user_run’];
$ip = $_POST[‘ip’];
$session = $_POST[‘session’];
$command = $_POST[‘command’];
$ts = time();$sql = “INSERT INTO commandlog(server,user_login,user_run,ip,session,command,ts) VALUES(‘$server’,’$user_login’,’$user_run’,’$ip’,’$session’,’$command’,’$ts’)”;// place into sql now.. too lazy to do this for you?>Now if you want to enable the curl post on the server you edit the following file/etc/bash.confHere is an exampleURL=http://18.104.22.168/endpoint/Have fun!If you want a spec file that will work for Redhat/CentOS 4/5 64bit you can download the following file