Keystroke/Shell logging


Provide method to log (nearly) all keystrokes in a shell session.

Logging all keystrokes would capture passwords (as I have seen to my cost).

The ability to log every line entered in an interactive shell would be highly valuable from a security audit perspective. Logged via a secure method of course to prevent tampering. Via syslog if possible so that I can push it straight to a remote logging server.

Something like this - built straight into the OS - with good security, would be a real boost. Everything I've tried thus far has had multiple drawbacks (such as capturing passwords in keystroke logging).

Responses

I can't think of any way to reliably detect and avoid capturing passwords. Short of just not using any (e.g. kerberos or ssh keys)?

Personally I'd consider the session captures already highly confidential, so it should be adequately protected/encrypted anyway, with access only available to authorized people.

Also syslog isn't really good enough for this in my opinion. audisp is better, but for example capturing actions in a menu-based interface (like authconfig-tui) isn't really going to work in either.

 

I think what you describe sounds only marginally better than just using sudo and sending the logs over the network. I'd rather see something that can compete with the commercial offerings out there - hardened, encrypted, logs absolutely everything, as difficult to circumvent as possible.

Getting an un-tamperable history would be good. But I can delete my history file.

Getting each line pushed immediately to a secure log file would be a boost for me at the moment. Security guys are teaming up to poke holes in our console logging (or lack of).

A lot of companies (mine included) are modifying base shells so they can be sure at a minimum to get a history of commands and full args executed. I don't so much want a keystroke logger as I want secure, configurable and remote logging from shells without having to modify them. It would be great if psacct or auditd would log commands and their arguments ... that would totally rock in my opinion.

We've been looking at sudosh as a neat way to collect keyed-in entries, as well as the system's response to them. It even shows the guts of a vi session. Looks pretty neat.

But looks to have the hallmarks of an abandoned project on Sourceforge?

Looking back to when I was evaluating this stuff in 2009-10, it's the latest in a line of abandoned shell loggers, dating back to 1994 or so. I think rootsh was the base of the effort, then there was something called auditsh, which became unavailable when the author went to work for someone or other. Then sudosh2 and 3. sudosh3 partially fixed a problem with logging passwords, but didn't fix the environment issue I mentioned in another post.

But sudosh likes to clear the environment, no matter what you set in /etc/sudosh.conf. This can force you to tweak startup scripts for some services. Java-based services is where I saw it. I don't know if you would see problems elsewhere.

Also, you have to specify allowed commands in the config. That mechanism is generic to everyone who has sudosh specified in /etc/passwd. In some environments, that would be regarded as an information leak, if nothing else. Local logs could also be a problem, depending on your environment.

Another tool that you might want to look at is PowerBroker, from BeyondTrust. It's commercial software, but supplies a policy language and centralized authorization as well as shell logging.

I've used rootsh with PAM and sudo. It logged the screen session when a user used sudo. This tool is in the EPEL channel. It fulfills my needs.

The pam_tty_audit module (available in RHEL5 and RHEL6) provides TTY auditing (keystroke logging) for specified users; cf. e.g. Track actions of user that sudo-ed/su-ed to root. It does not provide a way to suppress the logging of keystrokes associated with password/passphrase entry however.

There has been a suggestion (in private BZ #725100) to enhance the kernel with a control (e.g. a sysctl setting) that controls whether logging of such keystrokes can be suppressed when the terminal is not in "icanon" mode. No decisions have been reached around this at present.

I'm being introduced to a tool called PUM by colleagues. This captures everything rendered to a shell session I think. Therefore avoids capturing passwords as they aren't rendered to screen.

Each user session can then be replayed in real time, slowed down, or without delays. Makes for an interesting approach to logging as `vi` sessions are captured rather than just the keystrokes.

Ultimately the following would all be of benefit to me somewhere along the line:

1. Non-tamperable session command history

2. Keystroke logging (issues with password capture)

3. Session recording like PUM.

I've used eash which also captures what is rendered rather than capturing keystrokes, so it does not log passwords. It works in a client/server setup, so you can stop people tampering with the logs by simply storing them on a server your users can't access. There is a copy of it at http://fossies.org/unix/privat/eas-2.0.00.tar.gz/ and I have a slightly modified copy of my own.

Hi Guys,

There is a tool which is called 'script'. It's a part of util-linux package.

It's not ideal, everything depends on what you are planning to use it for. However it can address capture of all terminal actions without capturing passwords (just everything which is printed on your terminal).

Regards,

-Artur.
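Added example of the script(1) approach, not Artur's code and not from util-linux: a /etc/profile.d hook that wraps every interactive login in script with a timing file so sessions can be replayed with scriptreplay(1), much as the PUM post above describes, plus a sed filter that strips terminal escape sequences from a typescript so it can be grepped or shipped through logger(1). The directory /var/log/sessions, the hook file name and the sample typescript are assumptions and constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): record whole interactive sessions with
# script(1) and normalise the typescript for grep/syslog. /var/log/sessions and the
# hook file name are assumptions; the sample typescript is constructed.

SESSION_LOG_DIR=/var/log/sessions   # create with mkdir -m 1733: users can create, not list

# Hook for /etc/profile.d/session-log.sh (assumed name). exec replaces the login
# shell with script, which starts the real shell underneath; SESSION_LOGGED stops
# recursion. -q: no banner, -f: flush after every write so rsyslog imfile or
# tail -F can follow the file live, -t: timing data on stderr, redirected to a
# .timing file for scriptreplay.
print_profile_hook() {
    cat <<'EOF'
if [ -z "$SESSION_LOGGED" ] && [ -t 0 ] && command -v script >/dev/null 2>&1; then
    export SESSION_LOGGED=1
    stamp=$(date +%Y%m%d-%H%M%S)
    base="/var/log/sessions/$(id -un).$stamp.$$"
    exec script -q -f -t "$base.log" 2>"$base.timing"
fi
EOF
}

# Replay a recorded session later, at original speed:
#   scriptreplay /var/log/sessions/NAME.timing /var/log/sessions/NAME.log

# Strip ANSI CSI sequences (colours, cursor moves) and carriage returns so a
# typescript can be grepped or fed to logger(1). Literal ESC/CR bytes are used
# in the patterns, which works with any sed, not only GNU sed.
clean_typescript() {
    esc=$(printf '\033'); cr=$(printf '\r')
    sed -e "s/$esc\\[[0-9;?]*[A-Za-z]//g" -e "s/$cr\$//"
}

# Constructed typescript fragment: a coloured ls(1) listing as the terminal rendered it.
SAMPLE_TYPESCRIPT=$(printf '$ ls\r\n\033[0m\033[01;34metc\033[0m  \033[01;32mbin\033[0m\r\n$ exit\r\n')

printf '%s\n' "$SAMPLE_TYPESCRIPT" | clean_typescript
# Ship cleaned lines to syslog as they are written (local6 is an example facility):
#   tail -F /var/log/sessions/NAME.log | clean_typescript | logger -t session -p local6.info
```

Two caveats worth keeping in mind. script runs as the logged-in user, so the user owns the typescript and can truncate or delete it; the -f flush plus the tail | logger pipeline (or rsyslog imfile) is what gets each line off the host before that can happen, which is the remote-logging requirement raised earlier in the thread. And because script records output rather than input, a password typed at a prompt with echo off is not captured, but anything a tool echoes back, such as a password passed on a command line, still is.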

I've used PowerBroker (don't be alarmed by the Windows interface, it is completely UNIX capable also). I'm not necessarily endorsing the product, but I can say that it seems to work. I am unable to find comparable products to recommend - mostly since it is an odd thing to try and search on.

http://www.beyondtrust.com/Products/PowerBrokerServersForLinuxUnix/
