This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: Get cmd name out of bash
- From: David Smith <dsmith at redhat dot com>
- To: Philipp Michael <Philipp dot Michael at gmx dot net>
- Cc: systemtap at sources dot redhat dot com
- Date: Tue, 19 Aug 2008 08:31:16 -0500
- Subject: Re: Get cmd name out of bash
- References: <20080819073221.108060@gmx.net>
Philipp Michael wrote:
> Hi, so I'm trying to set up a kind of a keylogger. The script should only log the
> executed inputs in the bash, like ls, ..... not the results. Because of a
> centralized logging structure I want to save this command log file on a syslog-ng
> server. To import the commands from the script to the syslog daemon I wanted to
> use a named pipe.
OK.
> At the moment I use the Fedora 9 Live CD from the systemtap site running as a VM.
> Kernel 2.6.25.3-18.fc9.i686, Systemtap 0.6.2/0.133. But this is only for testing.
> Later on the script should run on different SuSE Enterprise Linux 10.x and RHEL 3,
> 4, 5 distributions... Will I get a problem running different kernel versions?
Assuming you use systemtap, you might end up checking kernel versions in
your script since you are trying to support such a wide variety of kernels.
>> There are more problems here though. First, the process.stp tapset is deprecated
>> and is most likely going away. Second, I'm not sure systemtap is really the tool
>> for what you appear to be trying to do. I think what you really might want to do
>> here is enable the kernel's auditing facility, which is already set up to do exec
>> auditing.
>
>> If you want to pursue this further, I'd need a better description of what you are
>> really trying to do.
>
> So what do you mean by kernel exec auditing? The auditd daemon?
Yes. The auditd daemon is the user-side of the kernel's auditing
facility. Note that I've never actually done this, but I did find a
blog posting that seems to give reasonable instructions:
<http://tarantule.blogspot.com/2008/05/auditd-configuration-on-linux-to-track.html>
--
David Smith
dsmith@redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)