On Sun, 04 Feb 2007 19:54:25 EST, Steve Grubb said:
Hi,
execute_command (current_command);
+#if defined (AUDIT_SHELL)
+ {
+ extern char *shell_input_line;
+ audit (shell_input_line, last_command_exit_value);
+ }
+#endif
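Review bot: the audit call is placed after execute_command() returns, so any command that does not return control to this shell (an `exec` of another program, or anything that terminates the shell or stops the audit path first) never produces a record; move the audit call before execute_command(). Since last_command_exit_value is only known afterwards, emit the command record up front and, if the exit status is wanted, log it in a second record after the call rather than delaying the whole entry until the command has finished.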
Umm.. audit *before* exec, in case the command is 'nuke_audit --force'? ;)
For the rest, feel free to clue-by-four me if I'm talking out some orifice
other than my mouth.. ;)
It's not clear that this can't be bypassed by (for instance), doing
something evil like this:
PS1="Normal prompt except for `exec_evilness_here`"
Looks like the shell completion could be fun too:
edit-and-execute-command (C-xC-e)
Invoke an editor on the current command line, and execute the
result as shell commands. Bash attempts to invoke $FCEDIT,
$EDITOR, and emacs as the editor, in that order.
(I haven't checked the source - the execute_command() function may in fact
get called for these cases. If so, you probably need to document that some
output may be created even if the user isn't actually submitting a command,
so care needs to be used when correlating to actual terminal activity).
And given that 'cat > /tmp/evil; chmod +x /tmp/evil; /tmp/evil' and
'evilscript | /bin/sh' will work, about all this audit trail will show is
that *something* unusual happened - an attacker wouldn't have much trouble
disguising exactly *what* was done....