[clug] bash history > syslog working :)

steve jenkin sjenkin at canb.auug.org.au
Tue Aug 5 12:51:50 GMT 2008

Daniel Pittman wrote on 5/8/08 10:27 AM:

> "Ron Trujillo" <ron.trujillo at critrade.com> writes:

> Yes: is it your intention that this information is captured for
> security, auditing or some other purpose where it actually /matters/
> that the user can prevent it being logged?
> If that is the case then you need to think again: this is absolutely not
> suitable.  (For example, the user could remove the settings from bash,
> which would have the same effect without changing shells.)
> If you /really/ need to see each command run consider using some sort of
> appropriate tool.  Otherwise, simply accept that many commands will
> never be visible to your remote logging.
> Regards,
>         Daniel

What will absolutely work is a modified terminal server...
Everything in & out can be captured & timestamped, checksummed and
securely logged off-net.

Can't be tampered with - out of band (not on the system under control).

i.e. nobody can log directly into one of these controlled hosts, only
via your controlled access device, which I wouldn't give a visible IP
number... [there are some nice security appliances that scan packets
this way. They have 2 ethernet ports and even figure out for themselves
what is the 'hot side' and which isn't.]

Obviously this scheme only works with text-mode connections.
Remote Desktops & X-11 protocol - no idea.

You may replace the serial connection with an IP protocol, but same
thinking applies.

For telnet, you could even create something like a transparent web-proxy.

SSH can't be captured this way (man-in-the-middle) unless you move the
host certificates to the n or tell people 'just get over it' when they
see the warning message.

What's your budget??
Is Build or Buy mandated?
=> these questions will drive your solution.

Cyclades terminal servers would be an absolutely perfect platform for
this. [perhaps they do it already]
Can't hurt to ask them.

The price of flash memory is low - logging to a local flash card would
be nice.

Members of this list include some very astute security mavens.
They will shoot me down if I'm wrong.


Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
