syslog(3) interface to
syslogd(8).
Since you are looking at an escalated process, you must use one of
a few ways to get that process escalation to happen: a
login as the target user,
a su or sudo to
the target login, an op command to run a
specific program or MAGIC_SHELL, or
a super, sud, or
pfexec to the login, or lastly your
own setuid program.
In all those cases it is possible to force snoopy.so
into the LD_PRELOAD environment variable before
the shell starts. This lets snoopy log each
process created as it execve's a target
application. In general this is enough to pass an audit.
snoopy.so workssnoopy.so) traps the
system calls that execute a new binary after a process
fork's a child. It logs the argument
vector and path to the binary, then a credential tag for the escalated session.
These two lines allow an audit trail to be constructed for every
active escalated session. Once the preload is installed in a
running process, all child processes will also see the preload environment,
even is the process removes it from environ.
This is easier with op, sudo,
or super. It is harder with a raw login,
unless your system has login.conf or the like.
Under op's configuration structure just force
the environment variable as an attribute of the rule:
mysql MAGIC_SHELL ; groups=^wheel$,^dba$ uid=mysql gid=dba initgroups=mysql $SHELL $TERM $TERMCAP ... $LD_PRELOAD=/usr/local/lib/snoopy.so
For sudo, in sudoers point
env_file to a file that contains
the correct setting for your site.
For suprt, in super.tab use
something like:
setenv=LD_PRELOAD=/usr/local/lib/snoopy.so
authlog.info. Configure
syslogd to log this to a secure machine, and possibly
locally. Then you have 2 copies which must both be compromised to erase
any actions.
Here is an example trace session:
ksb$ LD_PRELOAD=/usr/local/lib/snoopy.so ksh -i $ id -u 11517 $ sync $ sync $ uptime 11:49AM up 377 days, 21:55, 34 users, load averages: 0.02, 0.08, 0.34 $ exit
And here is the trace log from that session:
The trace shows the new process's parent pid, uid, session-id, tty, and current working directory. Then the path to the new command (prefixed with aOct 30 11:49:05 svr6 snoopy[74689]: ppid=74688 uid=11517 sid=50755 tty=/dev/ttyp9 cwd=/home/sac1/ksb Oct 30 11:49:05 svr6 snoopy[74689]: +/usr/bin/id id -u Oct 30 11:49:09 svr6 snoopy[74691]: ppid=74688 uid=11517 sid=50755 tty=/dev/ttyp9 cwd=/home/sac1/ksb Oct 30 11:49:09 svr6 snoopy[74691]: +/bin/sync sync Oct 30 11:49:12 svr6 snoopy[74737]: ppid=74688 uid=11517 sid=50755 tty=/dev/ttyp9 cwd=/home/sac1/ksb Oct 30 11:49:12 svr6 snoopy[74737]: +/bin/sync sync Oct 30 11:49:16 svr6 snoopy[74744]: ppid=74688 uid=11517 sid=50755 tty=/dev/ttyp9 cwd=/home/sac1/ksb Oct 30 11:49:16 svr6 snoopy[74744]: +/usr/bin/uptime uptime
+, *, or
! and all the arguments.
+
*
!
setuid or
setgid, which may prevent the preload from
tracing beyond process
setuid (setgid) program
newgrp. Which won't allow the
LD_PRELOAD to pass to the new shell.
snoopy.so file
LD_PRELOAD
op HTML document.
$Id: snoopy.html,v 1.2 2012/10/30 23:07:48 ksb Exp $