From 100601a1fdcdcc108fc7a38206c71ab7191349d1 Mon Sep 17 00:00:00 2001 From: Marc Schoechlin Date: Wed, 11 Sep 2013 19:12:16 +0200 Subject: [PATCH 01/10] Improved documentation --- README.md | 98 +++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 62 insertions(+), 36 deletions(-) diff --git a/README.md b/README.md index 7344f58..c471e6e 100644 --- a/README.md +++ b/README.md 
@@ -2,52 +2,24 @@ scriptreplay_ng =============== Scriptreplay can be used to replay recorded session recorded by the linux/unix "script" tool. - - - -Installation of an audit shell ------------------------------- - -The following instructions describe the procedure how to install a audit shell in combination with -the scriptreplay utility. -Auditshell submits the typescript and the timings to syslog which prevents modification by terminal users. -The logged information can also be forwared to secured logging servers using standard syslog logfile distribution. - - * Install the following tools to /usr/local/bin - scriptreplay - helpers/auditshell - helpers/auditshell_create_sessionfiles - chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} - chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} - * Patch an install custom "script" implementation - cd helpers/ - git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git - cd util-linux.git - patch -p0 < ../auditshell_script.patch - ./autogen.sh - make - cp script /usr/local/bin/ - chown root:root /usr/local/bin/script - chmod 755 /usr/local/bin/script - * If you like: - * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) - * Redirect the auditshell logs to another logfile using syslog configuration - * Change shell of user - chsh -s /usr/local/bin/auditshell +This project also provides tools to setup auditable shell sessions. Usage ----- - * Start session, and execute commands - * Extract session files - /usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo + * Record session + ``` +script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript 2> /tmp/foo/2013-09-11_18-47-45.user1.11931.timing + ``` * Replay session ``` scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` -Documentation + + +Manpage ------------- ``` 
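Review bot: The new Usage block (`+script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript 2> /tmp/foo/2013-09-11_18-47-45.user1.11931.timing`) records into a directory the logged-in user can write to, so it has none of the tamper resistance that the relocated Installation text claims for auditshell's syslog path; a one-line remark under Usage that plain `script` output is modifiable by the recorded user, and that the auditshell section is the auditable setup, would keep readers from conflating the two. Wording in the same hunk: "tools to setup auditable shell sessions" should read "tools to set up auditable shell sessions".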
@@ -137,3 +109,57 @@ AUTHORS SEE ALSO script(1), bzcat(1), zcat(1), lzcat(1) ``` + + +Installation of "auditshell" +------------------------------ + +The following instructions describe the procedure how to install a audit shell in combination with +the scriptreplay utility. +Auditshell submits the typescript and the timings to syslog which prevents modification by terminal users. +The logged information can also be forwarded to secured logging servers using standard syslog logfile distribution. + + * Install the following tools to /usr/local/bin + * scriptreplay + * helpers/auditshell + * helpers/auditshell_create_sessionfiles + * Set permission and owner + ``` +chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} +chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} + ``` + * Patch an install custom "script" implementation + ``` +cd helpers/ +git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git +cd util-linux.git +patch -p0 < ../auditshell_script.patch +./autogen.sh +make +cp script /usr/local/bin/ +chown root:root /usr/local/bin/script +chmod 755 /usr/local/bin/script + ``` + * If you like: + * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) + * Redirect the auditshell logs to another logfile using syslog configuration + * Change shell of user + ``` +chsh -s /usr/local/bin/auditshell + ``` + + +Watch auditshell sessions +------------------------- + + * Start session, and execute commands + * Extract session files + ``` +/usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo + ``` + * Replay session + ``` +scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript + ``` + + From 0b89e4ec0dd82041e76238004d162deef5284a1f Mon Sep 17 00:00:00 2001 
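Review bot: Two of the commands re-added in this hunk do not work as written: `chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles}` misspells auditshell, so the auditshell binary itself never gets the intended mode, and `cd util-linux.git` names a directory that `git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git` does not create (the checkout is `util-linux`). Since the block is being moved anyway, correct both here rather than carrying them through the series. Wording: "Patch an install custom "script" implementation" should be "Patch and install a custom "script" implementation", and "the procedure how to install a audit shell" should be "the procedure for installing an audit shell". For the `chsh -s /usr/local/bin/auditshell` step, state that the path has to be listed in /etc/shells unless root runs the command, otherwise chsh rejects it.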
From: Marc Schoechlin Date: Wed, 11 Sep 2013 19:13:45 +0200 Subject: [PATCH 02/10] Formatting --- README.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c471e6e..fc78246 100644 --- a/README.md +++ b/README.md @@ -10,11 +10,13 @@ Usage * Record session ``` -script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript 2> /tmp/foo/2013-09-11_18-47-45.user1.11931.timing +script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript \ + 2> /tmp/foo/2013-09-11_18-47-45.user1.11931.timing ``` * Replay session ``` -scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript +scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ + /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` @@ -125,8 +127,10 @@ The logged information can also be forwarded to secured logging servers using st * helpers/auditshell_create_sessionfiles * Set permission and owner ``` -chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} -chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} +chown root:root \ + /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} +chmod 755 \ + /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} ``` * Patch an install custom "script" implementation ``` @@ -159,7 +163,8 @@ Watch auditshell sessions ``` * Replay session ``` -scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript +scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ + /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` From a37c3edb4ff773adc6c77b2d27ac4662ceb6fcef Mon Sep 17 00:00:00 2001 From: Marc Schoechlin Date: Wed, 11 Sep 2013 19:14:50 +0200 Subject: [PATCH 03/10] Formatting --- README.md | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) 
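Review bot: The rewrapped `chmod 755 \` line still carries the `auditshel` typo from the previous commit; since this hunk rewrites that exact line, fix the spelling here instead of leaving it for a later change. The backslash continuations are fine on their own, but this commit and the two formatting commits that follow each reshuffle the same fenced blocks; squashing them would leave a history where each commit has one purpose.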
diff --git a/README.md b/README.md index fc78246..88191e0 100644 --- a/README.md +++ b/README.md @@ -10,12 +10,12 @@ Usage * Record session ``` -script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript \ + script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript \ 2> /tmp/foo/2013-09-11_18-47-45.user1.11931.timing ``` * Replay session ``` -scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ + scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` @@ -127,29 +127,29 @@ The logged information can also be forwarded to secured logging servers using st * helpers/auditshell_create_sessionfiles * Set permission and owner ``` -chown root:root \ + chown root:root \ /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} -chmod 755 \ + chmod 755 \ /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} ``` * Patch an install custom "script" implementation ``` -cd helpers/ -git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git -cd util-linux.git -patch -p0 < ../auditshell_script.patch -./autogen.sh -make -cp script /usr/local/bin/ -chown root:root /usr/local/bin/script -chmod 755 /usr/local/bin/script + cd helpers/ + git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git + cd util-linux.git + patch -p0 < ../auditshell_script.patch + ./autogen.sh + make + cp script /usr/local/bin/ + chown root:root /usr/local/bin/script + chmod 755 /usr/local/bin/script ``` * If you like: * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) * Redirect the auditshell logs to another logfile using syslog configuration * Change shell of user ``` -chsh -s /usr/local/bin/auditshell + chsh -s /usr/local/bin/auditshell ``` 
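Review bot: Indenting every command two spaces inside the fenced blocks makes those spaces part of the rendered code and of anything a reader copies, because the fence itself is not indented by the same amount; keep the command lines flush with the fence, or indent fence and content together. The hunk also re-indents `cd util-linux.git`, which is still the wrong directory name for a clone of util-linux.git (the checkout is `util-linux`), and `patch -p0 < ../auditshell_script.patch` is run from inside that checkout while the patch lives in `helpers/`, so the strip level has to match how the patch file was generated; both are worth verifying before the commands are reformatted again.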
@@ -159,11 +159,11 @@ Watch auditshell sessions * Start session, and execute commands * Extract session files ``` -/usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo + /usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo ``` * Replay session ``` -scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ + scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` From 022ccfaee2fee08b374b47456be5f10a4d53229f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=B6chlin?= Date: Wed, 11 Sep 2013 19:44:37 +0200 Subject: [PATCH 04/10] Update README.md --- README.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 88191e0..6b1c878 100644 --- a/README.md +++ b/README.md @@ -9,15 +9,13 @@ Usage ----- * Record session - ``` - script -t /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript \ - 2> /tmp/foo/2013-09-11_18-47-45.user1.11931.timing - ``` +``` +script -t /tmp/foo/typescript 2> /tmp/foo/timing +``` * Replay session - ``` - scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ - /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript - ``` +``` +scriptreplay -t timing typescript +``` From bcb96e5c0f13a9ed11f404086ea616844568f283 Mon Sep 17 00:00:00 2001 From: Marc Schoechlin Date: Wed, 11 Sep 2013 19:46:22 +0200 Subject: [PATCH 05/10] Update --- README.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 6b1c878..e0295db 100644 --- a/README.md +++ b/README.md 
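Review bot: In the PATCH 04 hunk the replay example now reads `+scriptreplay -t timing typescript` while the record example directly above it writes to `/tmp/foo/typescript` and `/tmp/foo/timing`; as written the second command only works after a `cd /tmp/foo`, so either keep the /tmp/foo paths in both commands or add the cd. Dropping the long timestamped file names from Usage is a good simplification, but the "Watch auditshell sessions" section further down still uses them, so the two sections should say which naming applies where.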
@@ -125,10 +125,8 @@ The logged information can also be forwarded to secured logging servers using st * helpers/auditshell_create_sessionfiles * Set permission and owner ``` - chown root:root \ - /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} - chmod 755 \ - /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} + chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} + chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} ``` * Patch an install custom "script" implementation ``` @@ -161,8 +159,7 @@ Watch auditshell sessions ``` * Replay session ``` - scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ - /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript + scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` From 015ce461e0b3381d093a3efb15d3f75fb844a8e8 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 13 Sep 2013 10:30:03 +0200 Subject: [PATCH 06/10] Table of contents --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index e0295db..347b8a1 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,7 @@ scriptreplay_ng Scriptreplay can be used to replay recorded session recorded by the linux/unix "script" tool. This project also provides tools to setup auditable shell sessions. +{:toc} Usage ----- From 52c0ae3a5417790ab7ec094bff92e33ed3c63b01 Mon Sep 17 00:00:00 2001 From: root Date: Fri, 13 Sep 2013 11:59:47 +0200 Subject: [PATCH 07/10] Add syntax highlighting --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 347b8a1..7512c75 100644 --- a/README.md +++ b/README.md @@ -10,11 +10,11 @@ Usage ----- * Record session -``` +```bash script -t /tmp/foo/typescript 2> /tmp/foo/timing ``` * Replay session -``` +```bash scriptreplay -t timing typescript ``` 
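Review bot: `+{:toc}` in the PATCH 06 hunk is kramdown attribute syntax, which GitHub's README renderer does not process, so the line will appear literally as "{:toc}" below the introduction; either write a plain markdown list of section links or drop the line. Also, PATCH 06 and the commits after it are authored as "root" while the rest of the series is from Marc Schoechlin; set user.name and user.email on that host so the history attributes the changes correctly.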
@@ -125,12 +125,12 @@ The logged information can also be forwarded to secured logging servers using st * helpers/auditshell * helpers/auditshell_create_sessionfiles * Set permission and owner - ``` + ```bash chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} ``` * Patch an install custom "script" implementation - ``` + ```bash cd helpers/ git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git cd util-linux.git @@ -145,7 +145,7 @@ The logged information can also be forwarded to secured logging servers using st * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) * Redirect the auditshell logs to another logfile using syslog configuration * Change shell of user - ``` + ```bash chsh -s /usr/local/bin/auditshell ``` @@ -155,11 +155,11 @@ Watch auditshell sessions * Start session, and execute commands * Extract session files - ``` + ```bash /usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo ``` * Replay session - ``` + ```bash scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` From f00f2612edade79f83300d0eb2688038ecb1cb1d Mon Sep 17 00:00:00 2001 From: root Date: Fri, 13 Sep 2013 12:01:47 +0200 Subject: [PATCH 08/10] Remove syntax highlighting --- README.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 7512c75..a2019af 100644 --- a/README.md +++ b/README.md @@ -10,11 +10,11 @@ Usage ----- * Record session -```bash +``` script -t /tmp/foo/typescript 2> /tmp/foo/timing ``` * Replay session -```bash +``` scriptreplay -t timing typescript ``` 
@@ -125,12 +125,12 @@ The logged information can also be forwarded to secured logging servers using st * helpers/auditshell * helpers/auditshell_create_sessionfiles * Set permission and owner - ```bash + ``` chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} ``` * Patch an install custom "script" implementation - ```bash + ``` cd helpers/ git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git cd util-linux.git @@ -145,7 +145,7 @@ The logged information can also be forwarded to secured logging servers using st * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) * Redirect the auditshell logs to another logfile using syslog configuration * Change shell of user - ```bash + ``` chsh -s /usr/local/bin/auditshell ``` @@ -155,12 +155,10 @@ Watch auditshell sessions * Start session, and execute commands * Extract session files - ```bash + ``` /usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo ``` * Replay session - ```bash + ``` scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` - - From 00d9c299485732b6bfb690ee75df705f6ac48fa5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc=20Sch=C3=B6chlin?= Date: Fri, 13 Sep 2013 12:08:32 +0200 Subject: [PATCH 09/10] Update README.md --- README.md | 47 +++++++++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index a2019af..1ede0bb 100644 --- a/README.md +++ b/README.md 
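Review bot: This commit removes the ```bash fences that PATCH 07 added two commits earlier, and the following PATCH 09 adds them back again; a change and its revert in the same series should be squashed so the reader only sees the final fence style. The trailing `-` `-` hunk that drops the two blank lines at the end of the file is a reasonable cleanup on its own.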
@@ -9,14 +9,15 @@ This project also provides tools to setup auditable shell sessions. Usage ----- - * Record session -``` -script -t /tmp/foo/typescript 2> /tmp/foo/timing -``` - * Replay session -``` -scriptreplay -t timing typescript -``` + * Record session + ```bash + script -t /tmp/foo/typescript 2> /tmp/foo/timing + ``` + + * Replay session + ```bash + scriptreplay -t timing typescript + ``` @@ -121,16 +122,18 @@ Auditshell submits the typescript and the timings to syslog which prevents modif The logged information can also be forwarded to secured logging servers using standard syslog logfile distribution. * Install the following tools to /usr/local/bin - * scriptreplay - * helpers/auditshell - * helpers/auditshell_create_sessionfiles + * scriptreplay + * helpers/auditshell + * helpers/auditshell_create_sessionfiles * Set permission and owner - ``` - chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} - chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} - ``` + + ```bash + chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} + chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} + ``` * Patch an install custom "script" implementation - ``` + + ```bash cd helpers/ git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git cd util-linux.git @@ -145,7 +148,8 @@ The logged information can also be forwarded to secured logging servers using st * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) * Redirect the auditshell logs to another logfile using syslog configuration * Change shell of user - ``` + + ```bash chsh -s /usr/local/bin/auditshell ``` 
@@ -155,10 +159,13 @@ Watch auditshell sessions * Start session, and execute commands * Extract session files - ``` + + ```bash /usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo ``` * Replay session - ``` - scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript + + ```bash + scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \ + /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` From 24ffd69ffbe9b1d9941c6bd805fae0e213590be8 Mon Sep 17 00:00:00 2001 From: Marc Schoechlin Date: Fri, 13 Sep 2013 15:10:23 +0200 Subject: [PATCH 10/10] Improved documentation --- README.md | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 1ede0bb..5e8198a 100644 --- a/README.md +++ b/README.md 
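Review bot: The Usage hunk of this commit is inconsistent with its later hunks: under `+ * Record session` the ```bash fence follows the list item directly, whereas `* Set permission and owner`, `* Change shell of user` and `* Extract session files` now get a blank line between the item and the fence. Pick one form for every list-embedded block. Splitting `scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing \` over two lines is a good readability change.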
@@ -121,31 +121,37 @@ the scriptreplay utility. Auditshell submits the typescript and the timings to syslog which prevents modification by terminal users. The logged information can also be forwarded to secured logging servers using standard syslog logfile distribution. - * Install the following tools to /usr/local/bin - * scriptreplay - * helpers/auditshell - * helpers/auditshell_create_sessionfiles - * Set permission and owner + * Install tools ```bash + cp scriptreplay helpers/auditshell helpers/auditshell_create_sessionfiles /usr/local/bin/ chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} - chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} + chmod 755 /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} ``` + * Install Build dependencies + + ```bash + apt-get install libtoolize libtool autopoint pkg-config make gcc + zypper install libtool gettext-tools pkg-config make gcc + ``` * Patch an install custom "script" implementation ```bash cd helpers/ git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git - cd util-linux.git - patch -p0 < ../auditshell_script.patch + cd util-linux + patch -p1 < ../auditshell_script.patch + # ON SLES11SP3 systems you have to apply this additional patch + patch -p1 <../auditshell_aclocal.patch ./autogen.sh + ./configure --without-ncurses --disable-nls make cp script /usr/local/bin/ chown root:root /usr/local/bin/script chmod 755 /usr/local/bin/script ``` * If you like: - * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems) + * Disable string escaping on system which are using rsyslogd (i.e. Ubuntu systems with rsyslogd) * Redirect the auditshell logs to another logfile using syslog configuration * Change shell of user
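Review bot: `apt-get install libtoolize libtool autopoint pkg-config make gcc` fails on Debian and Ubuntu because libtoolize is not a package name; the libtoolize program ships in the libtool package that is already in the list, so drop `libtoolize`. The build step also still clones over `git://`, which provides no transport authentication or integrity check for source that is then compiled and installed as /usr/local/bin/script on an audit host; use `https://git.kernel.org/pub/scm/utils/util-linux/util-linux.git` and check out a named release tag rather than whatever HEAD is at install time, so the build is reproducible and the patch is known to apply to the tree it was written against. The `cd util-linux` / `patch -p1` correction and the `auditshell` spelling fix in the `chmod 755` line resolve problems the earlier commits carried. Remaining wording: "Patch an install custom" should be "Patch and install a custom", and "(i.e. Ubuntu systems with rsyslogd)" should use "e.g.", since Ubuntu is given as an example.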