
Implemented an audit shell

pull/1/head
Marc Schoechlin 12 years ago
parent
commit
5db2ce42c6
5 changed files with 102 additions and 88 deletions
  1. +37
    -16
      README.md
  2. +21
    -0
      helpers/auditshell
  3. +44
    -0
      helpers/auditshell_create_sessionfiles
  4. +0
    -7
      helpers/etc-recordshell
  5. +0
    -65
      helpers/recordshell

+ 37
- 16
README.md View File

@ -1,29 +1,50 @@
scriptreplay_ng
===============
Installation
-------------
* Install "scriptreplay" and "recordsession" to /usr/local/sbin
* Add /usr/local/sbin to $PATH of the user
* Add the follwing lines via "visudo"
```
<user> ALL=(ALL) NOPASSWD: /usr/local/sbin/scriptreplay
<user> ALL=(ALL) NOPASSWD: /usr/local/sbin/recordshell
```
Scriptreplay can be used to replay recorded session recorded by the linux/unix "script" tool.
Installation of an audit shell
------------------------------
The following instructions describe the procedure how to install a audit shell in combination with
the scriptreplay utility.
Auditshell submits the typescript and the timings to syslog which prevents modification by terminal users.
The logged information can also be forwared to secured logging servers using standard syslog logfile distribution.
* Install the following tools to /usr/local/bin
scriptreplay
helpers/auditshell
helpers/auditshell_create_sessionfiles
chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles}
chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles}
* Patch an install custom "script" implementation
cd helpers/
git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git
cd util-linux.git
patch -p0 < ../auditshell_script.patch
./autogen.sh
make
cp script /usr/local/bin/
chown root:root /usr/local/bin/script
chmod 755 /usr/local/bin/script
* If you like:
* Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems)
* Redirect the auditshell logs to another logfile using syslog configuration
* Change shell of user
chsh -s /usr/local/bin/auditshell <user>
Usage
-----
* Start session
```
sudo recordsession
```
* Start session, and execute commands
* Extract session files
/usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo
* Replay session
```
sudo scriptreplay -t /var/log/recordshell//2013-07-08/2013-07-08_17-39-41-27336/timing.gz /var/log/recordshell//2013-07-08/2013-07-08_17-39-41-27336/typescript.gz
scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript
```
Documentation


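--- a/helpers/auditshell
+++ b/helpers/auditshell
@@ -0,0 +1,21 @@
+#!/bin/bash
+IDENT="`date --date="today" "+%Y-%m-%d_%H-%M-%S"`.`whoami`.$$"
+TYPESCRIPT="auditshell.typescript.${IDENT}"
+TIMING="auditshell.timing.${IDENT}"
+export SHELL=/bin/bash
+cat <<EOF
+_ _ _ ____ ___ _____ ____ _ _ _____ _ _
+/ \ | | | | _ \_ _|_ _/ ___|| | | | ____| | | |
+/ _ \| | | | | | | | | | \___ \| |_| | _| | | | |
+/ ___ \ |_| | |_| | | | | ___) | _ | |___| |___| |___
+/_/ \_\___/|____/___| |_| |____/|_| |_|_____|_____|_____|
+NOTE: This shell session will be recorded
+EOF
+exec /usr/local/bin/script -d -f -q -t 5 5> >(logger -t $TYPESCRIPT) 2> >(logger -t $TIMING)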
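Review bot: The two `logger` process substitutions on the `exec` line run under the audited user's own uid, so the recorded stream has no integrity guarantee against that user: the logger processes are under the user's control, and any local process can emit syslog lines carrying the same `auditshell.typescript.<ident>` tag, which the extraction script later merges without distinction. This deserves a sentence in the README next to the claim that syslog "prevents modification by terminal users", and extracted session files should be treated as best-effort evidence unless the syslog stream is forwarded off-host as the README suggests. Separately, `$TYPESCRIPT` and `$TIMING` are unquoted; `5> >(logger -t "$TYPESCRIPT") 2> >(logger -t "$TIMING")` is safer if a username ever contains whitespace, and `date --date="today"` is equivalent to plain `date`. The `-d` flag and the fd-5 redirection rely on the patched `script` from `auditshell_script.patch` that the README references but this commit does not include; a comment saying so at the top of the file would help the next installer.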

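--- a/helpers/auditshell_create_sessionfiles
+++ b/helpers/auditshell_create_sessionfiles
@@ -0,0 +1,44 @@
+#!/usr/bin/env perl
+use strict;
+use warnings;
+use FileHandle;
+my $file = shift();
+my $dir = shift();
+if ( (!defined $file) || (!defined $file) ){
+print "auditshell_create_sessionfiles <logfile> <dir>\n";
+exit(1);
+}
+open( INFILE, "<$file" ) || die "input-file '$file' could not be opened";
+my $fdcache = {};
+while (my $zeile = <INFILE>) {
+if ($zeile =~m /auditshell\.(typescript|timing)\.(.*?): (.*)$/){
+chomp($zeile);
+my $type = $1;
+my $ident = $2;
+my $line = $3;
+if ( !exists $fdcache->{$ident}){
+$fdcache->{$ident} = {};
+print "Open $ident.typescript\n";
+$fdcache->{$ident}->{typescript} = FileHandle->new("> $ident.typescript");
+print "Open $ident.timing\n";
+$fdcache->{$ident}->{timing} = FileHandle->new("> $ident.timing");
+}
+my $fd = $fdcache->{$ident}->{$type};
+print $fd $line."\n";
+}
+}
+close(INFILE);
+foreach my $ident(keys %{$fdcache}){
+close $fdcache->{$ident}->{typescript};
+close $fdcache->{$ident}->{timing};
+}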
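Review bot: The argument check `if ( (!defined $file) || (!defined $file) )` tests `$file` twice and never `$dir`, and `$dir` is then never used at all: the session files are created in the current working directory as `$ident.typescript` and `$ident.timing`, not in the `<dir>` that the usage line and the README example (`/tmp/foo`) promise. The `$ident` capture is taken straight from the log line via `(.*?)`, so a value containing `/` would place output files outside the intended directory; an anchored character class such as `[\w.-]+` restricts it to what `auditshell` actually generates (`date.user.pid`) and drops malformed lines instead. The bareword `INFILE` with 2-arg `open` and the `FileHandle->new("> ...")` calls are also 2-arg forms where the path takes part in mode parsing; 3-arg `open` with lexical handles and `$!` in the die message avoids that and reports why an open failed. The rewrite below covers the argument check, the input open, the line parsing and the output-file creation; the per-line print and the final close loop are unchanged.
```perl
my $file = shift();
my $dir  = shift();
if ( !defined $file || !defined $dir ) {
    print STDERR "auditshell_create_sessionfiles <logfile> <dir>\n";
    exit(1);
}
open( my $infile, '<', $file ) or die "input-file '$file' could not be opened: $!";
my $fdcache = {};
while ( my $zeile = <$infile> ) {
    chomp($zeile);
    # Only accept identifiers in the date.user.pid shape auditshell emits;
    # anything else (including a '/' in the name) is skipped, not written.
    next unless $zeile =~ m/auditshell\.(typescript|timing)\.([\w.-]+): (.*)$/;
    my ( $type, $ident, $line ) = ( $1, $2, $3 );
    if ( !exists $fdcache->{$ident} ) {
        $fdcache->{$ident} = {};
        for my $kind (qw(typescript timing)) {
            my $path = "$dir/$ident.$kind";
            print "Open $path\n";
            open( my $out, '>', $path ) or die "output-file '$path' could not be opened: $!";
            $fdcache->{$ident}->{$kind} = $out;
        }
    }
    # … unchanged: lookup of $fd and print of $line …
}
close($infile);
# … unchanged: close loop over cached output handles …
```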

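--- a/helpers/etc-recordshell
+++ b/helpers/etc-recordshell
@@ -1,7 +0,0 @@
-# copy me to /etc/recordshell
-LOGDIR="/var/log/recordshell"
-LOGGING_PID="$$"
-FILEPREFIX="$LOGDIR/$(date '+%Y-%m-%d')/$(date '+%Y-%m-%d_%H-%M-%S')-$LOGGING_PID";
-EXTRA_ARGS="-c 'su -c /bin/bash $SUDO_USER'"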

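--- a/helpers/recordshell
+++ b/helpers/recordshell
@@ -1,65 +0,0 @@
-#!/bin/bash
-LOGDIR="/var/log/recordshell"
-LOGGING_PID="$$"
-FILEPREFIX="$LOGDIR/$(date '+%Y-%m-%d')/$(date '+%Y-%m-%d_%H-%M-%S')-$LOGGING_PID";
-CFG_FILE="/etc/recordshell"
-TARGET_USER="$1"
-#EXTRA_ARGS="-c 'su -c \"/bin/bash -l\" - $TARGET_USER'"
-EXTRA_ARGS="-c 'su -s /bin/bash - $TARGET_USER'"
-if [ "`whoami`" != "root" ];then
-set -x
-exec sudo $0 "`whoami`"
-set +x
-fi
-if [ -z "$TARGET_USER" ];then
-echo "$0 <target_user>"
-exit 1
-fi
-if ( bash $CFG_FILE &> /dev/null );then
-source $CFG_FILE;
-else
-echo "error in configfile $CFG_FILE"
-exit 1
-fi
-mkdir -p $FILEPREFIX
-if [ "$?" != "0" ];then
-echo "Unable to create directory structure $FILEPREFIX"
-exit 1
-fi
-SUDO_MSG=""
-if [ -n "$SUDO_USER" ];then
-SUDO_MSG=", (sudo user $SUDO_USER, sudo command $SUDO_COMMAND)"
-fi
-echo "*********************************"
-logger -s -t recordshell "[$LOGGING_PID] Starting logged shell session: ${FILEPREFIX}/{typescript,timing} $SUDO_MSG"
-set -x
-eval script $EXTRA_ARGS -e -q -f -t ${FILEPREFIX}/typescript 2>${FILEPREFIX}/timing
-set +x
-logger -s -t recordshell "[$LOGGING_PID] Finished logged shell session: ${FILEPREFIX}/{typescript,timing} $SUDO_MSG"
-echo "*********************************"
-gzip ${FILEPREFIX}/typescript
-if [ "$?" != "0" ];then
-logger -s -t recordshell "[$LOGGING_PID] compression of ${FILEPREFIX}/typescript failed"
-else
-logger -s -t recordshell "[$LOGGING_PID] compression of ${FILEPREFIX}/typescript successful (MD5SUM $(md5sum ${FILEPREFIX}/typescript.gz|awk '{print $1}'))"
-fi
-gzip ${FILEPREFIX}/timing
-if [ "$?" != "0" ];then
-logger -s -t recordshell "[$LOGGING_PID] compression of ${FILEPREFIX}/timing failed"
-else
-logger -s -t recordshell "[$LOGGING_PID] compression of ${FILEPREFIX}/timing successful (MD5SUM $(md5sum ${FILEPREFIX}/timing.gz|awk '{print $1}'))"
-fi
-logger -s -t recordshell "[$LOGGING_PID] review session with: scriptreplay -t ${FILEPREFIX}/{timing.gz,typescript.gz}"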
