[CLUE-Tech] syslog question

David Anselmi anselmi at americanisp.net
Wed Jun 11 22:05:12 MDT 2003


Charles Oriez wrote:
> I have a client running Red Hat v9.0 on a server.  He wants to log all 
> attempts by users to access files that they are not authorized to 
> access.  He's been trying to configure the syslogd conf file 
> appropriately, and getting nowhere.  Users get the expected permissions 
> error on their consoles, but nothing shows up in any log. Ideas?

That seems like a hard one.  You basically want to catch failures of 
open(2) et al. and log them.  The kernel is where access is controlled, 
so I'm pretty sure you can't do this without some hacking -- the kernel 
doesn't have a way to log system calls.  It may be that a PAM module 
could help, or that SELinux has extra logging capability.

Most interactive programs don't do logging, it seems.  You might get 
away with hacking the shell, or perhaps libc, and get most of the way there.

The sudoshell man page gives me an idea, though.  Try this:

mkfifo log
logger < log &
script -f log
echo "This is a test."
exit
rm log

The logger command reads from the fifo and writes to syslogd.  The 
script command runs a subshell and writes all input and output to the 
fifo.  Everything between the script line and the rm line gets logged. 
Another cool thing you can do with *nix easily.

Of course this is only useful with the right filtering, and only for 
logging the command line.

SELinux might be your best bet.

Dave
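The fifo/logger/script trick above, with the "right filtering" Dave mentions, as an added shell example that is not part of the original post: only transcript lines that look like permission failures are forwarded to syslog. The `access-denied` tag, the `authpriv.warning` priority and the grep pattern are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): run a command under script(1),
# push its terminal transcript through a FIFO, and forward only the lines
# that report a permission failure to syslogd via logger(1).

# Keep transcript lines that report a permission failure; strip the CRs
# that a pty adds so the syslog entries stay clean.  Pattern is an assumption.
filter_denied() {
    grep -E 'Permission denied|Operation not permitted' | tr -d '\r'
}

# Run "$@" under script(1) and log the filtered transcript.
# Tag and priority are assumed values; adjust to the site's syslog rules.
log_denied_session() {
    tmpd=$(mktemp -d) || return 1
    fifo="$tmpd/transcript"
    mkfifo "$fifo" || { rmdir "$tmpd"; return 1; }
    # Reader side: opens the FIFO, filters, and exits when script closes it.
    filter_denied < "$fifo" | logger -t access-denied -p authpriv.warning &
    reader=$!
    # Writer side: -f flushes after every write so nothing is lost on exit.
    script -q -f "$fifo" -c "$*"
    rc=$?
    wait "$reader"
    rm -rf "$tmpd"
    return "$rc"
}

# Usage: ./denied-session.sh cat /etc/shadow
if [ $# -gt 0 ]; then
    log_denied_session "$@"
fi
```

Everything the user sees on the terminal still goes through the FIFO, so the filter is where you decide what is worth keeping; without it you are back to logging the whole session.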
