Thursday, 22 September 2016

Logging terminal activity with TILT & snoopy

In this article I'll explore the usage of the TILT & snoopy tools for logging terminal activity.

TILT (terminal interaction logging tool):

tilt logs user activity on the terminal (via telnet/ssh) to log files, provided users log in to the systems using the telnet/ssh variants that tilt provides during the installation process. tilt also provides a dumplog command with which we can view the commands executed, along with their output, from the log as if they were being run on the terminal.

Installation:

The tilt source code tilt-0.1.1.tgz can be downloaded from here. Once downloaded, extract the source code.

# tar xvf tilt-0.1.1.tgz

Add a new user named tilt & create the directory /var/log/tilt.

# useradd tilt
# mkdir /var/log/tilt
# chmod 777 /var/log/tilt
# ls -ld /var/log/tilt
drwxrwxrwx 3 root root 4096 Sep 21 19:59 /var/log/tilt

To install the package, run configure followed by make & make install.

# ./configure
# make
# make install

Usage:

Installing tilt will create the following binaries:

[root@centdb tilt-0.1.1]# ls -l /usr/local/tilt/bin/telnet
---s--x--x 1 tilt root 35472 Sep 21 19:56 /usr/local/tilt/bin/telnet
[root@centdb tilt-0.1.1]# ls -l /usr/local/tilt/bin/ssh
---s--x--x 1 tilt root 35472 Sep 21 19:56 /usr/local/tilt/bin/ssh
[root@centdb tilt-0.1.1]# ls -l /usr/local/tilt/bin/bash
---s--x--x 1 tilt root 35472 Sep 21 19:56 /usr/local/tilt/bin/bash

So, to log a terminal session started via ssh, the user needs to initiate the session using /usr/local/tilt/bin/ssh. For example:

[root@centdb ~]# /usr/local/tilt/bin/ssh test@centdb
test@centdb's password:
Last login: Tue Sep 20 00:43:52 from centdb
[test@centdb ~]$ whoami
test
[test@centdb ~]$ date
Wed Sep 21 19:59:54 PDT 2016
[test@centdb ~]$ uptime
 19:59:56 up 6 min,  2 users,  load average: 0.08, 0.32, 0.18
[test@centdb ~]$ exit
logout
Connection to centdb closed.

Once the session is terminated, a log of the session will be generated in /var/log/tilt.

[root@centdb ~]# ls -l /var/log/tilt/2016-09-21/
total 4
-r--r----- 1 tilt root 1949 Sep 21 19:59 B-root-2016-09-21-19:59:46--usr-local-tilt-bin-ssh test@centdb
[root@centdb ~]#

To view the contents of the log file, use the dumplog command provided as part of the tilt installation.

[root@centdb ~]# /usr/local/tilt/bin/dumplog /var/log/tilt/2016-09-21/B-root-2016-09-21-19\:59\:46--usr-local-tilt-bin-ssh\ test\@centdb
test@centdb's password:
Last login: Tue Sep 20 00:43:52 from centdb
[test@centdb ~]$ whoami
test
[test@centdb ~]$ date
Wed Sep 21 19:59:54 PDT 2016
[test@centdb ~]$ uptime
 19:59:56 up 6 min,  2 users,  load average: 0.08, 0.32, 0.18
[test@centdb ~]$ exit
logout
Connection to centdb closed.
[root@centdb ~]#

Snoopy to log command line interaction:

Snoopy is designed to increase visibility into user activity on the system by providing a log of the commands executed. Snoopy is completely transparent to the user and to applications: it hooks in as a preloaded library that wraps calls to execve(). Logging is done via syslogd to the authpriv facility, which allows secure off-site logging of activity. This article serves as a brief introduction to snoopy usage. A more in-depth article can be found here.

Installation:

You can get the snoopy source code from github, & the rpm variant is available in the EPEL repository. I went the rpm route.

[root@centdb /]# rpm -ivh snoopy-1.7.10-1.el6.x86_64.rpm
warning: snoopy-1.7.10-1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Preparing...                ########################################### [100%]
   1:snoopy                 ########################################### [100%]
[root@centdb /]#

Snoopy can be enabled in one of two ways:

1) To enable it for the whole system with a global preload:

echo "/lib64/snoopy.so" >> /etc/ld.so.preload

2) To enable it in user space for a particular user, set LD_PRELOAD in that user's environment:

   export LD_PRELOAD=/lib64/snoopy.so

Afterwards, logs will be written via syslog to /var/log/secure.

Usage:

I updated my system's /etc/ld.so.preload file to add an entry for snoopy.

[root@centdb sudosh]# cat /etc/ld.so.preload
/lib64/snoopy.so

I started a new session & ran a couple of commands, & I could see them being logged in /var/log/secure. Here's a log snippet:

Sep 21 20:17:55 centdb snoopy[10094]: [uid:0 sid:10006 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls --color=auto
Sep 21 20:18:00 centdb snoopy[10107]: [uid:0 sid:10006 tty:/dev/pts/0 cwd:/root filename:/usr/bin/whoami]: whoami
Sep 21 20:18:02 centdb snoopy[10113]: [uid:0 sid:10006 tty:/dev/pts/0 cwd:/root filename:/usr/bin/uptime]: uptime
Sep 21 20:18:46 centdb snoopy[10203]: [uid:0 sid:10006 tty:/dev/pts/0 cwd:/root filename:/usr/bin/sudo]: sudo su - test
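As an added example (not part of the original post or of snoopy itself), here is a small Python parser for snoopy lines in the format shown above: it groups records by session id (sid) so one login's commands can be read back in order, and flags executions of an assumed watchlist of privilege-changing binaries by the resolved filename field. The sample input is the four lines from the snippet plus one constructed sshd line, to show that non-snoopy records are skipped.

```python
import re
from typing import Dict, List, Optional

# A snoopy record in /var/log/secure: syslog prefix, the bracketed snoopy
# fields (uid, session id, tty, cwd, resolved binary), then the command line.
SNOOPY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[uid:(?P<uid>\d+) sid:(?P<sid>\d+) tty:(?P<tty>\S+) cwd:(?P<cwd>.+?) "
    r"filename:(?P<filename>.+?)\]: (?P<cmd>.*)$"
)
INT_FIELDS = ("pid", "uid", "sid")

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog line into a dict; return None for lines not written by snoopy."""
    m = SNOOPY_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return {k: int(v) if k in INT_FIELDS else v for k, v in m.groupdict().items()}

def sessions(lines: List[str]) -> Dict[int, List[dict]]:
    """Group events by session id (sid): one login session's commands, in order."""
    by_sid: Dict[int, List[dict]] = {}
    for ev in map(parse_line, lines):
        if ev is not None:
            by_sid.setdefault(ev["sid"], []).append(ev)
    return by_sid

# Assumed watchlist (mine, not snoopy's): binaries whose execution is worth reviewing.
# Matching the resolved 'filename' rather than the typed command catches aliased or relative-path invocations too.
PRIV_BINARIES = {"/usr/bin/sudo", "/bin/su", "/usr/bin/su"}

def flag_privileged(lines: List[str]) -> List[dict]:
    return [ev for ev in map(parse_line, lines) if ev and ev["filename"] in PRIV_BINARIES]

# Constructed sample: the four snoopy lines from the snippet above plus one
# unrelated sshd line to show that non-snoopy records are skipped.
SAMPLE_LINES = [
    "Sep 21 20:17:55 centdb snoopy[10094]: [uid:0 sid:10006 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls --color=auto",
    "Sep 21 20:18:00 centdb snoopy[10107]: [uid:0 sid:10006 tty:/dev/pts/0 cwd:/root filename:/usr/bin/whoami]: whoami",
    "Sep 21 20:18:02 centdb snoopy[10113]: [uid:0 sid:10006 tty:/dev/pts/0 cwd:/root filename:/usr/bin/uptime]: uptime",
    "Sep 21 20:18:30 centdb sshd[10150]: Accepted password for test from 192.0.2.10 port 51234 ssh2",
    "Sep 21 20:18:46 centdb snoopy[10203]: [uid:0 sid:10006 tty:/dev/pts/0 cwd:/root filename:/usr/bin/sudo]: sudo su - test",
]

if __name__ == "__main__":
    for sid, events in sessions(SAMPLE_LINES).items():
        print(f"session {sid}: " + "; ".join(e["cmd"] for e in events))
    for ev in flag_privileged(SAMPLE_LINES):
        print(f"REVIEW {ev['ts']} uid={ev['uid']} tty={ev['tty']}: {ev['cmd']}")
```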
