Friday, April 23, 2010

i like to see what others type

with a patched bash binary

The following is a brief guide on how to patch bash-3.2/4 so that interactive
shell commands are spooled to a remote syslog server.  I have tested this on
Debian, Ubuntu, SUSE & Red Hat systems; really, the gating factor is having the
source for bash and the correct build tools.

build tools:
build-essential
byacc

steps:
* get source
* patch source
* configure
* make
* make install

...

# cd /usr/local/src/
# tar xvfz bash-3.2.48.tar.gz 
# cd bash-3.2.48
# mv /usr/local/src/bash-3.2-syslog.patch .
# patch -p0 < bash-3.2-syslog.patch 
# ./configure --prefix=/usr/local
# make
# make install
# ls /usr/local/bin
# /usr/local/bin/bash
# ls -la
# less /var/log/messages

Apr 22 17:06:27 patchedbashhost bash: history: [pid:32241 uid:0] ls -la

# cp /bin/bash /bin/bash.orig
# rm /bin/bash ; ln -s /usr/local/bin/bash /bin/bash
# vi /etc/syslog.conf 

local5.info is the facility.priority being used.
In /etc/syslog.conf, place an entry for local5.info to be forwarded to loghost (@loghost).
It is best to have an entry in /etc/hosts resolving loghost; for the most part no one
pays much attention to /etc/hosts.  And, to vex those who wish to edit hosts
and your syslog files, make them immutable (sneaky you)...

# chattr +i /etc/hosts /etc/syslog.conf

...

a note:

multiprocess
make -j NUM runs NUM simultaneous make jobs

errors:
ru.pl: invalid translation for Cyrillic; to disable multibyte support, configure with:

--disable-multibyte

to disable the localized shell (native language support), configure with:

--disable-nls

...
save the following as: bash-3.2-syslog.patch
...

--- bashhist.c.ORIG     2008-01-25 11:13:40.000000000 +0100
+++ bashhist.c  2008-01-25 11:17:32.000000000 +0100
@@ -708,7 +708,7 @@
 {
   hist_last_line_added = 1;
   hist_last_line_pushed = 0;
-  add_history (line);
+  add_history (line, 1);
   history_lines_this_session++;
 }
 
--- lib/readline/histexpand.c.ORIG      2008-01-25 11:14:14.000000000 +0100
+++ lib/readline/histexpand.c   2008-01-25 11:18:02.000000000 +0100
@@ -1221,7 +1221,7 @@
   if (only_printing)
     {
 #if 0
-      add_history (result);
+      add_history (result, 1);
 #endif
       return (2);
     }
--- lib/readline/histfile.c.ORIG        2008-01-25 11:14:22.000000000 +0100
+++ lib/readline/histfile.c     2008-01-25 11:18:19.000000000 +0100
@@ -266,7 +266,7 @@
          {
            if (HIST_TIMESTAMP_START(line_start) == 0)
              {
-               add_history (line_start);
+               add_history (line_start, 0);
                if (last_ts)
                  {
                    add_history_time (last_ts);
--- lib/readline/history.c.ORIG 2008-01-25 11:14:30.000000000 +0100
+++ lib/readline/history.c      2008-01-25 11:19:18.000000000 +0100
@@ -44,6 +44,8 @@
 #  include 
 #endif
 
+#include 
+
 #include "history.h"
 #include "histlib.h"
 
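Review bot: The header name after `+#include` on the added line was lost in the rendering (the context line above it, `#  include`, is missing its target too), so the patch as published will neither apply cleanly nor compile. The added line is presumably `#include <syslog.h>`, which is what `syslog()` and `LOG_LOCAL5` in the history.c hunk below require. `getpid()`/`getuid()` and `strlen()`/`strncpy()` in that hunk also need `<unistd.h>` and `<string.h>` unless history.c already pulls them in above this hunk, which is outside the view.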
@@ -262,11 +264,24 @@
 /* Place STRING at the end of the history list.  The data field
    is  set to NULL. */
 void
-add_history (string)
-     const char *string;
+add_history (const char *string, int logme)
 {
   HIST_ENTRY *temp;
 
+  if (logme) {
+    if (strlen(string)<600) {
+      syslog(LOG_LOCAL5 | LOG_INFO, "history: [pid:%d uid:%d] %s",
+                          getpid(), getuid(), string);
+    } else {
+      char trunc[600];
+
+      strncpy(trunc,string,sizeof(trunc));
+      trunc[sizeof(trunc)-1]='\0';
+      syslog(LOG_LOCAL5| LOG_INFO, "history: [pid:%d uid:%d] %s(++TRUNC)",
+                           getpid(), getuid(), trunc);
+    }
+  }
+
   if (history_stifled && (history_length == history_max_entries))
     {
       register int i;
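Review bot: The command line reaches the two syslog() calls in this hunk without any filtering of control bytes, so a history entry containing a newline may be written as several records or be made to resemble other log lines, depending on what the receiving syslogd does with control characters; copying into a bounded buffer that replaces bytes below 0x20 (and 0x7f) covers both the short and the truncated case in one path and drops the strncpy. Note also that whatever the user typed, including passwords given on a command line, now leaves the host in clear text when forwarded to @loghost as the post describes, so the receiving log needs the same access controls as a shadow file. Changing add_history's signature here and in the history.h hunk at the end breaks any caller this patch does not update, including external programs built against this readline; keeping the old `add_history(const char *)` and adding a separate `add_history_log(const char *, int)` entry point would avoid that. `strlen(string)` is also undefined if any caller can pass NULL, which I cannot tell from here. add_history's body continues past the end of the hunk.
```c
add_history (const char *string, int logme)
{
  HIST_ENTRY *temp;

  if (logme) {
    char safe[600];
    size_t i;

    /* Bounded copy that replaces control bytes, so a line containing '\n'
       cannot be split into, or forge, additional syslog records. */
    for (i = 0; i < sizeof(safe) - 1 && string[i] != '\0'; i++)
      safe[i] = ((unsigned char)string[i] < 0x20 || string[i] == 0x7f)
                ? '?' : string[i];
    safe[i] = '\0';
    syslog(LOG_LOCAL5 | LOG_INFO, "history: [pid:%d uid:%d] %s%s",
           (int)getpid(), (int)getuid(), safe,
           string[i] != '\0' ? "(++TRUNC)" : "");
  }

  /* … unchanged: stifled-history handling and list append … */
```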
--- lib/readline/history.h.ORIG 2008-01-25 11:14:40.000000000 +0100
+++ lib/readline/history.h      2008-01-25 11:19:38.000000000 +0100
@@ -80,7 +80,7 @@
 
 /* Place STRING at the end of the history list.
    The associated data field (if any) is set to NULL. */
-extern void add_history PARAMS((const char *));
+extern void add_history PARAMS((const char *, int));
 
 /* Change the timestamp associated with the most recent history entry to
    STRING. */
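Review bot: The comment above the changed prototype still describes only STRING; the new second argument is undocumented in the public header. Extend it with `LOGME, when non-zero, also sends STRING to syslog(3) at LOG_LOCAL5|LOG_INFO before it is appended.` so that callers outside this patch know what the extra argument does.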

...
