ssh honeypot auditing
Posted Mon, 31 Dec 2007
    #!/bin/bash
    # Login shell for the trap account: record the environment and the
    # arguments sshd hands us, then run the real shell under script(1)
    # so that everything typed is appended to a per-session logfile.
    d="$(date "+%Y%m%d-%H%M%S")"
    logfile="/var/log/traps/$d"
    env > "$logfile"
    echo "Args: $*" >> "$logfile"
    export SHELL=/bin/bash
    script -c "$SHELL $*" -q -a "$logfile"

This will log the env vars in addition to the arguments passed to the shell. Thus far, I've seen 2 patterns of environment variables.
This new version supports arguments, so that things like 'ssh [email protected] somecommand' work. The next step is probably to have a setuid program chown the logfile to root shortly after script(1) starts, so that whoever is logged in as the trap user can't remove their own log. I'll only bother with that if it's necessary.
In addition to the shell change, I started looking into the audit facility in Linux. I want to log all command execution, in case my script(1) idea fails. To do this, I added these rules with auditctl:
    auditctl -a exit,always -F uid=60000 -S open
    auditctl -a exit,always -F uid=60000 -S execve
    auditctl -a exit,always -F uid=60000 -S vfork
    auditctl -a exit,always -F uid=60000 -S fork
    auditctl -a exit,always -F uid=60000 -S clone

I'm not entirely sure if this will specifically catch the execs I'm looking for, but it does seem to work:
    % ausearch -sc execve | grep EXECVE
    type=EXECVE msg=audit(1199138086.041:3293): a0="/bin/bash" a1="-c" a2="uptime"
    type=EXECVE msg=audit(1199138086.056:3300): a0="uptime"
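As an added example (not code from the original post), here is a small Python parser that turns the raw audit records behind that ausearch output into one command line per exec for the trap uid, pairing each EXECVE record with its SYSCALL record by the shared msg=audit(TIME:SERIAL) id, which is how the rules above and the ausearch check fit together. It assumes the raw audit.log line format (type=... msg=audit(...): key=value ...) and auditd's conventions that an argument containing a space, quote or control character is logged as bare hex rather than in quotes, and that an over-long argument is split into aN[0], aN[1], .... The sample log inside is constructed around the two records shown above; it is not captured traffic, and the uid 60000 is the trap account from the auditctl rules.

```python
"""Reconstruct command lines from auditd SYSCALL + EXECVE record pairs.

Added example, not code from the original post. Assumes the raw audit.log
format: a SYSCALL record carrying uid/auid/pid/exe/comm and an EXECVE
record carrying argc and a0..aN, both tagged msg=audit(TIME:SERIAL).
"""
import re
import shlex

MSG_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)")
# key="quoted value"  or  key=bare_value  (bare covers numbers, (none), hex)
FIELD_RE = re.compile(r'(?P<key>[\w\[\]]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
ARG_RE = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")   # a2  or chunked  a2[1]


def parse_record(line):
    """Split one audit line into (type, timestamp, serial, {key: (quoted?, raw)})."""
    m = MSG_RE.search(line)
    if not m or not line.startswith("type="):
        return None
    fields = {}
    for f in FIELD_RE.finditer(line):
        quoted = f.group("quoted")
        fields[f.group("key")] = (quoted is not None,
                                  quoted if quoted is not None else f.group("bare"))
    return fields["type"][1], float(m.group("ts")), int(m.group("serial")), fields


def decode_arg(quoted, raw):
    """Quoted EXECVE args are literal; bare ones are auditd's hex escape form."""
    if quoted:
        return raw
    return bytes.fromhex(raw).decode("utf-8", "backslashreplace")


def execve_argv(fields):
    """Rebuild argv from a0..aN, joining chunked aN[k] pieces in order (aN_len is skipped)."""
    parts = {}
    for key, (quoted, raw) in fields.items():
        m = ARG_RE.match(key)
        if m:
            idx, chunk = int(m.group(1)), int(m.group(2) or 0)
            parts.setdefault(idx, {})[chunk] = decode_arg(quoted, raw)
    return ["".join(parts[i][c] for c in sorted(parts[i])) for i in sorted(parts)]


def reconstruct_execve(lines):
    """Pair SYSCALL and EXECVE records by event id; return one dict per exec, in log order."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, fields = rec
        ev = events.setdefault(serial, {"serial": serial, "ts": ts})
        if rtype == "SYSCALL":
            for k in ("uid", "auid", "pid"):
                if k in fields:
                    ev[k] = int(fields[k][1])
            for k in ("exe", "comm"):
                if k in fields:
                    ev[k] = fields[k][1]
        elif rtype == "EXECVE":
            ev["argv"] = execve_argv(fields)
    return [ev for ev in events.values() if "argv" in ev]


def execs_by_uid(lines, uid):
    """Only the execs the SYSCALL record attributes to one uid (the trap account)."""
    return [ev for ev in reconstruct_execve(lines) if ev.get("uid") == uid]


def cmdline(ev):
    """argv as a shell-quoted string, so a space hidden inside one arg stays visible."""
    return " ".join(shlex.quote(a) for a in ev["argv"])


# Constructed sample log, modelled on the two EXECVE records in the post
# (serials 3293 and 3300); the other events are made up to exercise the
# hex-encoded, chunked and other-uid cases.  Not real captured traffic.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1199138086.041:3293): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4330 auid=60000 uid=60000 euid=60000 tty=(none) comm="bash" exe="/bin/bash" key=(null)
type=EXECVE msg=audit(1199138086.041:3293): argc=3 a0="/bin/bash" a1="-c" a2="uptime"
type=SYSCALL msg=audit(1199138086.056:3300): arch=c000003e syscall=59 success=yes exit=0 ppid=4330 pid=4331 auid=60000 uid=60000 euid=60000 tty=(none) comm="uptime" exe="/usr/bin/uptime" key=(null)
type=EXECVE msg=audit(1199138086.056:3300): argc=1 a0="uptime"
type=SYSCALL msg=audit(1199138090.100:3305): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4340 auid=60000 uid=60000 euid=60000 tty=(none) comm="bash" exe="/bin/bash" key=(null)
type=EXECVE msg=audit(1199138090.100:3305): argc=3 a0="/bin/bash" a1="-c" a2=636174202F6574632F706173737764
type=SYSCALL msg=audit(1199138095.000:3310): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=812 auid=4294967295 uid=0 euid=0 tty=(none) comm="cron" exe="/usr/sbin/cron" key=(null)
type=EXECVE msg=audit(1199138095.000:3310): argc=2 a0="/usr/sbin/cron" a1="-f"
type=SYSCALL msg=audit(1199138099.500:3312): arch=c000003e syscall=59 success=yes exit=0 ppid=4321 pid=4350 auid=60000 uid=60000 euid=60000 tty=(none) comm="bash" exe="/bin/bash" key=(null)
type=EXECVE msg=audit(1199138099.500:3312): argc=2 a0="/bin/echo" a1_len=12 a1[0]="aaaaaa" a1[1]="bbbbbb"
"""

if __name__ == "__main__":
    for ev in execs_by_uid(SAMPLE_LOG.splitlines(), 60000):
        print(ev["serial"], ev.get("auid"), ev.get("pid"), cmdline(ev))
```

Run stand-alone it prints the serial, auid, pid and shell-quoted command line of every exec by uid 60000, including the hex-encoded `cat /etc/passwd` that `grep EXECVE` alone shows only as an opaque string. Filtering on uid matches the `-F uid=60000` rules above; auid (the login uid, which survives su and setuid binaries) is carried on each event as well, so the same records can be keyed on it if the rules are later changed to `-F auid=60000`.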