[CLUE-Tech] syslog question
David Anselmi
anselmi at americanisp.net
Wed Jun 11 22:05:12 MDT 2003
Charles Oriez wrote:
> I have a client running Red Hat v9.0 on a server. He wants to log all
> attempts by users to access files that they are not authorized to
> access. He's been trying to configure the syslogd conf file
> appropriately, and getting nowhere. Users get the expected permissions
> error on their consoles, but nothing shows up in any log. Ideas?
That seems like a hard one. You basically want to catch failures of
open(2) et al. and log them. The kernel is where access is controlled,
so I'm pretty sure you can't do this without some hacking -- the kernel
doesn't have a way to log system calls. It may be that a PAM module
could help, or that SELinux has extra logging capability.
Most interactive programs don't do logging, it seems. You might get
away with hacking the shell, or perhaps libc, and get most of the way there.
The sudoshell man page gives me an idea, though. Try this:
mkfifo log              # named pipe that script(1) will write into
logger < log &          # reader side: forwards each line from the fifo to syslogd
script -f log           # start a logged subshell, flushing after every write
echo "This is a test."  # anything typed or printed here reaches syslog
exit                    # leave the subshell; script closes the fifo, logger exits
rm log
The logger command reads from the fifo and writes to syslogd. The
script command runs a subshell and writes all input and output to the
fifo. Everything between the script line and the rm line gets logged.
Another cool thing you can do with *nix easily.
Of course this is only useful with the right filtering, and only for
logging the command line.
SELinux might be your best bet.
Dave
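The filtering step the reply mentions, as an added example that is not part of the original post or of any project: a POSIX shell filter over constructed syslog lines of the shape logger(1) would produce from the script(1) session. It assumes the traditional "Mon DD HH:MM:SS host tag: message" line layout and that logger was run with its default tag (the login name), so the tag identifies the user; the sample lines, the host name srv1 and the users dave and carol are made up. It keeps only the "Permission denied" messages, reports which user tripped over which path, and totals them per user.

```shell
#!/bin/sh
# Added example, not from the original post. Filters the syslog lines that the
# mkfifo/logger/script pipeline produces down to permission failures.
# Assumptions: traditional syslog layout "Mon DD HH:MM:SS host tag: message",
# and logger(1) run with its default tag (the login name), so the tag is the user.

# Constructed sample of lines as they might land in /var/log/messages.
SAMPLE_LOG='Jun 11 22:05:12 srv1 dave: $ cat /etc/shadow
Jun 11 22:05:12 srv1 dave: cat: /etc/shadow: Permission denied
Jun 11 22:05:20 srv1 dave: $ ls /root
Jun 11 22:05:20 srv1 dave: ls: /root: Permission denied
Jun 11 22:05:31 srv1 dave: $ echo "This is a test."
Jun 11 22:05:31 srv1 dave: This is a test.
Jun 11 22:06:02 srv1 carol: $ cat /var/log/secure
Jun 11 22:06:02 srv1 carol: cat: /var/log/secure: Permission denied
Jun 11 22:06:10 srv1 carol: $ cat /etc/shadow
Jun 11 22:06:10 srv1 carol: cat: /etc/shadow: Permission denied'

# denied_events: syslog lines on stdin -> one "Mon DD HH:MM:SS user path" line
# per "Permission denied" message. script(1) output carries carriage returns,
# so they are stripped first. The path is the ":"-delimited field just before
# the error text, which is how the coreutils tools phrase the message.
denied_events() {
    tr -d '\r' |
    grep 'Permission denied$' |
    sed -n 's/^\([A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]*\) [^ ]* \([^:]*\): .*: \([^:]*\): Permission denied$/\1 \2 \3/p'
}

# denied_summary: "count user" per user, sorted; useful for spotting a user
# who keeps probing files they are not allowed to read.
denied_summary() {
    denied_events | awk '{ n[$4]++ } END { for (u in n) print n[u], u }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | denied_events
printf '%s\n' "$SAMPLE_LOG" | denied_summary
```

Feed it the real log with `denied_events < /var/log/messages`; the prompt echoes and normal command output that script captures are dropped, so only the failures remain. The sed pattern is tied to the "tool: path: Permission denied" phrasing, so programs that word their errors differently need their own pattern.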