c4rt1y

修改bash源码达到日志记录

0x01.日志记录

公司不同运维人员基本都是以root,账户进行服务器的登陆管理,缺少了账户权限审计制度。出现问题,无法溯源,为了解决该问题,可以采取多种方案,本文会介绍几种模式。

0x02.通过bash源码编译

#下载bash源码
[root@master /]# cd /tmp && wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz 
#解压源码
[root@master tmp]# tar xf bash-4.1.tar.gz && cd bash-4.1 
#在源码中开启日志信息
[root@master bash-4.1]# sed -i "/SYSLOG_HISTORY/a\#define SYSLOG_HISTORY" config-top.h
[root@master bash-4.1]# sed -i "/SSH_SOURCE_BASHRC/a\#define SSH_SOURCE_BASHRC" config-top.h

#修改源码
[root@master bash-4.1]# vim bashhist.c
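#if defined (SYSLOG_HISTORY)
#define SYSLOG_MAXLEN 600

/* Write one history line to syslog, tagged with the identity that the
   login-time profile script exported in NAME_OF_KEY and IP_OF_USER.
   Both values come from the environment of this bash process, so they
   are a correlation hint for the audit trail rather than authenticated
   identity; the PIDs and current_user.user_name are the part of the
   record bash itself vouches for.  Lines of SYSLOG_MAXLEN bytes or more
   are truncated and logged with a distinct prefix so the reader can tell. */
void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];
  const char *puser;		/* key-owner name exported by the profile script */
  const char *pip;		/* client address exported by the profile script */

  puser = getenv ("NAME_OF_KEY");
  pip = getenv ("IP_OF_USER");
  /* getenv() returns NULL when the variable is absent (e.g. a shell
     started without the profile), and a NULL %s argument is undefined
     behaviour; log an explicit marker instead. */
  if (puser == 0)
    puser = "unknown";
  if (pip == 0)
    pip = "unknown";

  if (strlen (line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: IP=%s PID=%d PPID=%d SID=%d  User=%s USER=%s CMD=%s", pip, getpid(), getppid(), getsid(getpid()),  current_user.user_name, puser, line);
  else
    {
      /* strncpy does not terminate a copy of a longer source, hence the
         explicit terminator on the last byte. */
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): IP=%s PID=%d  PPID=%d SID=%d User=%s USER=%s CMD=%s", pip, getpid(), getppid(), getsid(getpid()), current_user.user_name,     puser, trunc);
    }
}
#endif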

#配置
[root@master bash-4.1]# ./configure --prefix=/usr/local/bash_new
#安装
[root@master bash-4.1]# make && make install

#替换原来的shell文件(写入 /etc/shells 的应为与下面 /etc/passwd 中一致的完整路径,即 /usr/local/bash_new/bin/bash)
[root@master bash-4.1]# echo "/usr/local/bash_new" >> /etc/shells

[root@master bash-4.1]# vim /etc/passwd
root:x:0:0:root:/root:/usr/local/bash_new/bin/bash

#重新登录,随意输入命令

auth-with-publickey-with-nopassword-2

#编写shell脚本,读取NAME_OF_KEY和IP_OF_USER变量
[root@master bash-4.1]# vim /etc/profile.d/checkuser.sh
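#!/bin/bash
# coding: utf-8
#
# /etc/profile.d/checkuser.sh
#
# This file is sourced by the login shell, not executed: it must never call
# exit or set -e, either would abort the user's login.  It works out which
# authorized_keys entry and which client address the current SSH session
# used, and exports NAME_OF_KEY / IP_OF_USER so the patched bash can put
# them into every HISTORY syslog line.
#
# The identity is recovered by correlating the sshd PID with
# /var/log/secure.  readonly only stops the values being changed in this
# shell; a user can still start a fresh shell with a different environment,
# so treat them as correlation hints rather than authenticated identity.
pid=$PPID
key='/var/log/keys'
ssh_key_fing='/var/log/ssh_key_fing'

# Collect every key from the user's authorized_keys into /var/log/keys.
# Only root can actually append there; failures are ignored as before.
# -F: key material contains regex metacharacters such as '+' and '/'.
if [ -r "$HOME/.ssh/authorized_keys" ]; then
  while IFS= read -r line; do
    grep -qF -- "$line" "$key" || printf '%s\n' "$line" >> "$key"
  done < "$HOME/.ssh/authorized_keys"
fi

# Fingerprint every collected key.  Each key is written to a private mktemp
# file rather than the predictable /tmp/keys.log.$pid: this runs as root at
# login, and a fixed name in /tmp can be pre-created or symlinked by another
# local user to make root overwrite an arbitrary file.
tmpkey=$(mktemp /tmp/keys.log.XXXXXX) || tmpkey=''
if [ -n "$tmpkey" ]; then
  while IFS= read -r LINE; do
    NAME=$(printf '%s\n' "$LINE" | awk '{print $3}')   # comment field of the key line
    printf '%s\n' "$LINE" > "$tmpkey"
    KEY=$(ssh-keygen -l -f "$tmpkey" | awk '{print $2}')
    # A line ssh-keygen cannot parse has no fingerprint worth recording.
    [ -n "$KEY" ] || continue
    grep -qF -- "$KEY $NAME" "$ssh_key_fing" || printf '%s\n' "$KEY $NAME" >> "$ssh_key_fing"
  done < "$key"
fi

# Find the sshd PID that logged this session.  Per the original design the
# login shell's parent is checked directly for root; for other users the
# parent is the "sshd: user@pts/N" child and its parent is the logging
# process.  ps -p selects the exact PID, unlike "ps -ef | grep $PPID", which
# also matched any line that merely contained those digits.
if [ "$UID" -eq 0 ]; then
  ppid=$PPID
else
  ppid=''
  case $(/bin/ps -o args= -p "$PPID" 2>/dev/null) in
    *'sshd:'*) ppid=$(/bin/ps -o ppid= -p "$PPID" 2>/dev/null | tr -d ' ') ;;
  esac
fi

# Last "Accepted publickey" line written by that sshd PID.  Anchoring on
# "sshd[<pid>]" replaces the original bare substring match, where PID 123
# also matched 1234 or an address containing 123 and an empty ppid matched
# every login on the host, attributing commands to the wrong user.
# NOTE(review): assumes the rsyslog format "... sshd[N]: Accepted ..."; verify
# against the local /var/log/secure.
accepted=''
if [ -n "$ppid" ]; then
  accepted=$(/bin/grep -F 'Accepted publickey for' /var/log/secure 2>/dev/null | /bin/grep -E "sshd\[$ppid\]" | tail -1)
fi
# Older sshd versions log the fingerprint on a "Found matching RSA key" line
# instead of the "Accepted" line; the commented variant below handles those.
#RSA_KEY=`/bin/egrep 'Found matching RSA key' /var/log/secure | /bin/egrep "$ppid" | /bin/awk '{print $NF}' | tail -1`
RSA_KEY=$(printf '%s\n' "$accepted" | /bin/awk 'NF {print $NF}')
if [ -n "$RSA_KEY" ]; then
  # -F: the fingerprint itself contains regex metacharacters.
  NAME_OF_KEY=$(/bin/grep -F -- "$RSA_KEY" /var/log/ssh_key_fing 2>/dev/null | /bin/awk '{print $NF}')
fi
# Client address is field 11 of the same line:
# "Mon DD HH:MM:SS host sshd[N]: Accepted publickey for USER from IP port ...".
IP_OF_USER=$(printf '%s\n' "$accepted" | /bin/awk 'NF {print $11}')
#IP_OF_USER=`/bin/egrep 'Starting session: ' /var/log/secure | /bin/egrep "$ppid" | /bin/awk '{print $14}' | tail -1`

# Export read-only so the values cannot be reassigned for the rest of this
# shell session.
readonly NAME_OF_KEY
export NAME_OF_KEY
readonly IP_OF_USER
export IP_OF_USER
if [ -n "$tmpkey" ]; then
  /bin/rm -f -- "$tmpkey"
fi
# Do not leave loop temporaries behind in the user's interactive shell.
unset tmpkey accepted line LINE NAME KEY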

#创建两个文件
touch /var/log/keys
touch /var/log/ssh_key_fing

#重新登录,随意输入命令

auth-with-publickey-with-nopassword-2

$template IpTemplate,"/var/log/file/%FROMHOST-IP%.log"
*.* ?IpTemplate
& ~

module(load="imfile" PollingInterval="5")
$InputFileName /var/log/nova/nova-compute.log
$InputFileTag nova-info:
$InputFileStateFile state-nova-info
$InputRunFileMonitor

systemctl restart rsyslog

0x03.直接使用history脚本

#在/etc/profile.d/里面创建一个shell脚本
[root@master bash-4.1]#vim /etc/profile.d/historylog.sh
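#!/bin/bash
# /etc/profile.d/historylog.sh
#
# Sourced at login (never exit or set -e here).  Gives every session its
# own history file under /tmp/history/<user>/, named after the user, the
# client address and the login time.  The file remains owned by the user,
# who can edit or delete it and can disable history, so this is a
# convenience log rather than tamper-proof audit.
path='/tmp/history'
USER=$(whoami)
# Client address from the "(host)" column of who; fall back to the hostname
# for console/local logins where there is none.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi
# Shared base directory: world-writable so every user can create a
# subdirectory, with the sticky bit (1777, as on /tmp) so users cannot
# remove or rename each other's directories; plain 777 allowed that.
if [ ! -d "$path" ]; then
  mkdir -p -- "$path"
  chmod 1777 "$path"
fi
# Per-user directory: write+search only (300), so the owner can create
# files there without being able to list them.
if [ ! -d "${path}/${LOGNAME}" ]; then
  mkdir -p -- "${path}/${LOGNAME}"
  chmod 300 "${path}/${LOGNAME}"
fi
export HISTSIZE=4096
DT=$(date +"%Y%m%d_%H%M%S")
export HISTFILE="${path}/${LOGNAME}/${USER}@${USER_IP}_history.$DT"
# Tighten earlier session files; errors for files owned by others are
# expected and deliberately hidden.
chmod -R 600 "${path}/${LOGNAME}"/*history* 2>/dev/null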

#授予权限(该脚本由每个登录 shell 以 source 方式读取,包括 root 的登录;777 会让任意本地用户修改其内容并在 root 登录时执行,实际只需可读权限即可)
chmod 777 /etc/profile.d/historylog.sh

#查看日志记录信息

auth-with-publickey-with-nopassword-2

0x04.记录终端显示内容

#centos6以上自带script功能,可以录制操作记录以及回显信息

#记录日志
script 
#使用exit(退出),默认保存typescript

#保存日志(实时保存)
script -f 20180416.log

#追加
script -f -a 20180416.log

#静默模式
script -f -q -a 20180416.log

##使用scriptreplay重复信息
script -t 2>`date "+%Y%m%d".time` -a `date "+%Y%m%d".log`
scriptreplay `date "+%Y%m%d".time`  `date "+%Y%m%d".log`

0x05.资料来源

https://www.bbsmax.com/A/n2d93qm4JD/
http://www.cnblogs.com/hanyifeng/p/5467521.html
http://haibing.org/?p=64
http://haibing.org/?p=68