with a patched bash binary
The following is a brief guide to patching bash-3.2/4 so that it spools
interactive shell commands to a remote syslog server. I have tested this on
debian, ubuntu, suse & redhat systems; really, the gating factor is having the
source for bash and the correct build tools.
build tools:
build-essential
byacc
steps:
* get source
* patch source
* configure
* make
* make install
...
# cd /usr/local/src/
# tar xvfz bash-3.2.48.tar.gz
# cd bash-3.2.48
# mv /usr/local/src/bash-3.2-syslog.patch .
# patch -p0 < bash-3.2-syslog.patch
# ./configure --prefix=/usr/local
# make
# make install
# ls /usr/local/bin
# /usr/local/bin/bash
# ls -la
# less /var/log/messages
Apr 22 17:06:27 patchedbashhost bash: history: [pid:32241 uid:0] ls -la
# cp /bin/bash /bin/bash.orig
# rm /bin/bash ; ln -s /usr/local/bin/bash /bin/bash
# vi /etc/syslog.conf
The patched shell logs at facility local5, priority info (local5.info).
In /etc/syslog.conf, add an entry forwarding local5.info to the loghost (@loghost).
It is best to have an entry in /etc/hosts resolving loghost; for the most part no one
pays much attention to /etc/hosts. And, to vex those who wish to edit hosts
and your syslog files, make them immutable (sneaky you)...
# chattr +i /etc/hosts /etc/syslog.conf
...
a note:
parallel builds:
make -j NUM runs NUM simultaneous make jobs
errors:
ru.pl: invalid translation for Cyrillic; to disable multibyte support:
--disable-multibyte
to disable localized shell:
--disable-nls
...
save the patch below as: bash-3.2-syslog.patch
...
--- bashhist.c.ORIG 2008-01-25 11:13:40.000000000 +0100
+++ bashhist.c 2008-01-25 11:17:32.000000000 +0100
@@ -708,7 +708,7 @@
{
hist_last_line_added = 1;
hist_last_line_pushed = 0;
- add_history (line);
+ add_history (line, 1);
history_lines_this_session++;
}
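Review bot: The new `add_history (line, 1)` call records only lines that reach this history path, so the audit trail is exactly as complete as bash's history recording is; anything that does not get committed to history is never seen by the syslog hook, and that coverage limit should be stated where the flag is passed. A one-line comment such as `/* logme=1: interactive input; only lines that bash commits to history are logged. */` above the call would make the boundary explicit for whoever reads the logs. The enclosing function starts and ends outside this hunk.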
--- lib/readline/histexpand.c.ORIG 2008-01-25 11:14:14.000000000 +0100
+++ lib/readline/histexpand.c 2008-01-25 11:18:02.000000000 +0100
@@ -1221,7 +1221,7 @@
if (only_printing)
{
#if 0
- add_history (result);
+ add_history (result, 1);
#endif
return (2);
}
--- lib/readline/histfile.c.ORIG 2008-01-25 11:14:22.000000000 +0100
+++ lib/readline/histfile.c 2008-01-25 11:18:19.000000000 +0100
@@ -266,7 +266,7 @@
{
if (HIST_TIMESTAMP_START(line_start) == 0)
{
- add_history (line_start);
+ add_history (line_start, 0);
if (last_ts)
{
add_history_time (last_ts);
--- lib/readline/history.c.ORIG 2008-01-25 11:14:30.000000000 +0100
+++ lib/readline/history.c 2008-01-25 11:19:18.000000000 +0100
@@ -44,6 +44,8 @@
# include
#endif
+#include
+
#include "history.h"
#include "histlib.h"
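Review bot: The header name on the added `#include` line was lost in rendering, so the hunk as shown does not compile; the header that provides `syslog()` and `LOG_LOCAL5`/`LOG_INFO` is `<syslog.h>`. The logging code added later in this file also calls `getpid()`, `getuid()`, `strlen()` and `strncpy()`, which need `<unistd.h>` and `<string.h>`; if history.c does not already include them (the conditional `# include`/`#endif` just above suggests the existing includes are guarded), add them here next to `<syslog.h>`.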
@@ -262,11 +264,24 @@
/* Place STRING at the end of the history list. The data field
is set to NULL. */
void
-add_history (string)
- const char *string;
+add_history (const char *string, int logme)
{
HIST_ENTRY *temp;
+ if (logme) {
+ if (strlen(string)<600) {
+ syslog(LOG_LOCAL5 | LOG_INFO, "history: [pid:%d uid:%d] %s",
+ getpid(), getuid(), string);
+ } else {
+ char trunc[600];
+
+ strncpy(trunc,string,sizeof(trunc));
+ trunc[sizeof(trunc)-1]='\0';
+ syslog(LOG_LOCAL5| LOG_INFO, "history: [pid:%d uid:%d] %s(++TRUNC)",
+ getpid(), getuid(), trunc);
+ }
+ }
+
if (history_stifled && (history_length == history_max_entries))
{
register int i;
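Review bot: The logging branch in `add_history` duplicates the `syslog()` call and hand-truncates through a 600-byte stack buffer with `strncpy`, when a single call using a `%.*s` precision bounds the copy inside `syslog()` itself and removes both the buffer and the repeated magic number; the rewrite below does that and preserves the existing semantics (whole line when shorter than 600 bytes, otherwise the first 599 bytes followed by `(++TRUNC)`). `getpid()` and `getuid()` return `pid_t` and `uid_t`, which are not guaranteed to be `int`, so they should be cast before being printed with `%ld`/`%lu`, as shown. A history line can contain newlines (multi-line entries) or other control characters, and some syslog receivers treat those as record separators, so consider replacing non-printable bytes before logging so that one command cannot be recorded as several records. The comment above the definition, and the matching one above the prototype in the history.h hunk, should document the new parameter, e.g. `If LOGME is non-zero, STRING is also sent to syslog as LOG_LOCAL5|LOG_INFO; callers replaying the history file pass 0.` The body of `add_history` continues past the end of this hunk.
```c
/* Longest prefix of a history line that is forwarded to syslog. */
enum { HIST_LOG_MAX = 600 };

add_history (const char *string, int logme)
{
  HIST_ENTRY *temp;

  /* logme: interactive input from bash; history-file replay passes 0. */
  if (logme) {
      size_t len = strlen(string);
      /* %.*s bounds the copy inside syslog(), so no scratch buffer is needed;
         lines of HIST_LOG_MAX bytes or more keep HIST_LOG_MAX-1 bytes plus a marker. */
      syslog(LOG_LOCAL5 | LOG_INFO, "history: [pid:%ld uid:%lu] %.*s%s",
             (long) getpid(), (unsigned long) getuid(),
             (int) (len < HIST_LOG_MAX ? len : HIST_LOG_MAX - 1), string,
             len < HIST_LOG_MAX ? "" : "(++TRUNC)");
  }
  /* … unchanged: stifled-history bookkeeping … */
```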
--- lib/readline/history.h.ORIG 2008-01-25 11:14:40.000000000 +0100
+++ lib/readline/history.h 2008-01-25 11:19:38.000000000 +0100
@@ -80,7 +80,7 @@
/* Place STRING at the end of the history list.
The associated data field (if any) is set to NULL. */
-extern void add_history PARAMS((const char *));
+extern void add_history PARAMS((const char *, int));
/* Change the timestamp associated with the most recent history entry to
STRING. */
...
Friday, April 23, 2010
i like to see what others type