* [PATCH] log all actions by privileged user in bash
@ 2007-02-05  0:54 Steve Grubb
  2007-02-06 20:15 ` Valdis.Kletnieks
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2007-02-05  0:54 UTC (permalink / raw)
  To: Linux Audit

Hi,

This is a patch to bash 3.2 that depends on audit 1.4 to provide a logging
function. The patch works well in my testing, but I have not finished the
review process with bash upstream maintainers. So it may change, but this
gives you a chance to play along at home. The resulting audit message 
looks like this:

time->Tue Jan 30 18:23:45 2007
type=USER_CMD msg=audit(1170199425.793:143): user pid=22862 uid=0 auid=0
subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='cwd=2F726F6F742F7465737420646972 cmd=6C73202D6C (terminal=tty1
res=success)'

Which translates to:

type=USER_CMD msg=audit(01/30/2007 18:23:45.793:143) : user pid=22862 uid=root
auid=root subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023
msg='cwd=/root/test dir cmd=ls -l (terminal=tty1 res=success)'

This patch causes bash to log all command line arguments when the shell
is started as aubash or "bash --audit". The preferred method is to make a
symlink from bash to aubash and then add aubash to /etc/shells. Then you
can change root's shell to aubash.

-Steve


diff -urp bash-3.2.orig/config-bot.h bash-3.2/config-bot.h
--- bash-3.2.orig/config-bot.h	2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/config-bot.h	2007-01-20 11:59:23.000000000 -0500
@@ -97,6 +97,11 @@
 #  define RESTRICTED_SHELL_NAME "rbash"
 #endif
 
+/* If the shell is called by this name, it will become audited. */
+#if defined (AUDIT_SHELL)
+#  define AUDIT_SHELL_NAME "aubash"
+#endif
+
 /***********************************************************/
 /* Make sure feature defines have necessary prerequisites. */
 /***********************************************************/
diff -urp bash-3.2.orig/config.h.in bash-3.2/config.h.in
--- bash-3.2.orig/config.h.in	2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/config.h.in	2007-01-20 11:59:23.000000000 -0500
@@ -81,6 +81,11 @@
    flag. */
 #undef RESTRICTED_SHELL
 
+/* Define AUDIT_SHELL if you want the generated shell to audit all
+   actions performed by root account.  The shell thus generated can become
+   audited by being run with the name "aubash". */
+#undef AUDIT_SHELL
+
 /* Define DISABLED_BUILTINS if you want "builtin foo" to always run the
    shell builtin "foo", even if it has been disabled with "enable -n foo". */
 #undef DISABLED_BUILTINS
diff -urp bash-3.2.orig/configure.in bash-3.2/configure.in
--- bash-3.2.orig/configure.in	2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/configure.in	2007-01-20 11:59:23.000000000 -0500
@@ -162,6 +162,7 @@ opt_history=yes
 opt_bang_history=yes
 opt_dirstack=yes
 opt_restricted=yes
+opt_audit=yes
 opt_process_subst=yes
 opt_prompt_decoding=yes
 opt_select=yes
@@ -195,8 +196,8 @@ dnl a minimal configuration turns everyt
 dnl added individually
 if test $opt_minimal_config = yes; then
 	opt_job_control=no opt_alias=no opt_readline=no
-	opt_history=no opt_bang_history=no opt_dirstack=no
-	opt_restricted=no opt_process_subst=no opt_prompt_decoding=no
+	opt_history=no opt_bang_history=no opt_dirstack=no opt_restricted=no
+	opt_audit=no opt_process_subst=no opt_prompt_decoding=no
 	opt_select=no opt_help=no opt_array_variables=no opt_dparen_arith=no
 	opt_brace_expansion=no opt_disabled_builtins=no opt_command_timing=no
 	opt_extended_glob=no opt_cond_command=no opt_arith_for_command=no
@@ -227,6 +228,7 @@ AC_ARG_ENABLE(progcomp, AC_HELP_STRING([
 AC_ARG_ENABLE(prompt-string-decoding, AC_HELP_STRING([--enable-prompt-string-decoding], [turn on escape character decoding in prompts]), opt_prompt_decoding=$enableval)
 AC_ARG_ENABLE(readline, AC_HELP_STRING([--enable-readline], [turn on command line editing]), opt_readline=$enableval)
 AC_ARG_ENABLE(restricted, AC_HELP_STRING([--enable-restricted], [enable a restricted shell]), opt_restricted=$enableval)
+AC_ARG_ENABLE(audit, AC_HELP_STRING([--enable-audit], [enable an audited shell]), opt_audit=$enableval)
 AC_ARG_ENABLE(select, AC_HELP_STRING([--enable-select], [include select command]), opt_select=$enableval)
 AC_ARG_ENABLE(separate-helpfiles, AC_HELP_STRING([--enable-separate-helpfiles], [use external files for help builtin documentation]), opt_separate_help=$enableval)
 AC_ARG_ENABLE(single-help-strings, AC_HELP_STRING([--enable-single-help-strings], [store help documentation as a single string to ease translation]), opt_single_longdoc_strings=$enableval)
@@ -254,6 +256,10 @@ fi
 if test $opt_restricted = yes; then
 AC_DEFINE(RESTRICTED_SHELL)
 fi
+if test $opt_audit = yes; then
+AC_DEFINE(AUDIT_SHELL)
+AUDIT_LIB='-laudit'
+fi
 if test $opt_process_subst = yes; then
 AC_DEFINE(PROCESS_SUBSTITUTION)
 fi
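Review bot: `AUDIT_LIB='-laudit'` is set without probing for the library or for `libaudit.h`, and the first hunk of this file makes `opt_audit=yes` the default, so a default build on a host without the audit development files fails when eval.c is compiled or at link time. Probe before defining the feature, for example `AC_CHECK_LIB(audit, audit_log_user_command, [AUDIT_LIB='-laudit'], [AC_MSG_ERROR([--enable-audit requires libaudit])])`, and only then `AC_DEFINE(AUDIT_SHELL)`. Whether a missing library should be fatal or should just turn the default off is a policy choice, but an explicit --enable-audit should fail loudly: a binary installed as aubash that was built without AUDIT_SHELL would run root's commands with no record at all.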
@@ -355,6 +361,8 @@ AC_SUBST(HELPDIRDEFINE)
 AC_SUBST(HELPINSTALL)
 AC_SUBST(HELPSTRINGS)
 
+AC_SUBST(AUDIT_LIB)
+
 echo ""
 echo "Beginning configuration for bash-$BASHVERS-$RELSTATUS for ${host_cpu}-${host_vendor}-${host_os}"
 echo ""
diff -urp bash-3.2.orig/doc/bash.1 bash-3.2/doc/bash.1
--- bash-3.2.orig/doc/bash.1	2007-01-03 09:01:05.000000000 -0500
+++ bash-3.2/doc/bash.1	2007-01-20 11:59:23.000000000 -0500
@@ -155,6 +155,12 @@ single-character options to be recognize
 .PP
 .PD 0
 .TP
+.B \-\-audit
+The shell logs all commands run by the root user (see
+.SM
+.B "AUDIT SHELL"
+below).
+.TP
 .B \-\-debugger
 Arrange for the debugger profile to be executed before the shell
 starts.
@@ -8770,6 +8776,17 @@ turns off any restrictions in the shell 
 script.
 .\" end of rbash.1
 .if \n(zY=1 .ig zY
+.SH "AUDIT SHELL"
+.zY
+.PP
+If
+.B bash
+is started with the name
+.BR aubash ,
+or the
+.B \-\-audit
+option is supplied at invocation, the shell logs all commands issued by the root user to the audit system.
+.if \n(zY=1 .ig zY
 .SH "SEE ALSO"
 .PD 0
 .TP
diff -urp bash-3.2.orig/eval.c bash-3.2/eval.c
--- bash-3.2.orig/eval.c	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/eval.c	2007-01-20 11:59:23.000000000 -0500
@@ -45,6 +45,11 @@
 #  include "bashhist.h"
 #endif
 
+#if defined (AUDIT_SHELL)
+#  include <libaudit.h>
+#  include <errno.h>
+#endif
+
 extern int EOF_reached;
 extern int indirection_level;
 extern int posixly_correct;
@@ -58,6 +63,38 @@ extern int rpm_requires;
 static void send_pwd_to_eterm __P((void));
 static sighandler alrm_catcher __P((int));
 
+#if defined (AUDIT_SHELL)
+static int audit_fd = -1;
+
+static int
+audit_start ()
+{
+  audit_fd = audit_open ();
+  if (audit_fd < 0)
+    return -1;
+  else
+    return 0;
+}
+
+static int
+audit (cmd, result)
+        char *cmd;
+        int result;
+{
+  int rc;
+
+  if (audit_fd < 0)
+    return 0;
+
+  rc = audit_log_user_command (audit_fd, AUDIT_USER_CMD, cmd,
+                               NULL, !result);
+  close (audit_fd);
+  audit_fd = -1;
+  return rc;
+}
+#endif
+
+
 /* Read and execute commands until EOF is reached.  This assumes that
    the input source has already been initialized. */
 int
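Review bot: `audit_start` leaves `audit_fd` open for the whole of `execute_command`, so unless `audit_open ()` already marks the descriptor close-on-exec (not visible on this page), every program root runs from this shell inherits the audit netlink socket. Setting the flag right after the open keeps the descriptor private to the shell: `fcntl (audit_fd, F_SETFD, FD_CLOEXEC);`. Both helpers also lack the header comment the rest of the file uses. The one on `audit` should say that it returns 0 without logging when no descriptor is open, that `!result` turns the exit status into the success flag, and that it closes the descriptor on every call.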
@@ -145,7 +182,25 @@ reader_loop ()
 
 	      executing = 1;
 	      stdin_redir = 0;
+#if defined (AUDIT_SHELL)
+              if (audited && interactive_shell && getuid () == 0)
+                {
+                  if (audit_start () < 0)
+                    {
+                      if (errno != EINVAL && errno != EPROTONOSUPPORT &&
+                          errno != EAFNOSUPPORT)
+                        return EXECUTION_FAILURE;
+                    }
+                }
+#endif
+
 	      execute_command (current_command);
+#if defined (AUDIT_SHELL)
+              {
+                extern char *shell_input_line;
+                audit (shell_input_line, last_command_exit_value);
+              }
+#endif
 
 	    exec_done:
 	      QUIT;
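Review bot: The return value of `audit (shell_input_line, last_command_exit_value)` is discarded, and an `audit_start` failure with EINVAL, EPROTONOSUPPORT or EAFNOSUPPORT lets the command run anyway, so a record can be lost with nothing telling the operator. Test the result, e.g. `if (audit (shell_input_line, last_command_exit_value) < 0)` followed by a warning on stderr, and add a comment saying why those three errno values are tolerated (presumably a kernel built without audit support). `shell_input_line` is the parser's current line buffer, so for a command spanning several input lines the record likely holds only the last line read; that should be confirmed against parse.y and then documented or fixed. The enclosing `reader_loop` starts and ends outside this hunk.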
diff -urp bash-3.2.orig/externs.h bash-3.2/externs.h
--- bash-3.2.orig/externs.h	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/externs.h	2007-01-20 12:05:00.000000000 -0500
@@ -77,6 +77,10 @@ extern int shell_is_restricted __P((char
 extern int maybe_make_restricted __P((char *));
 #endif
 
+#if defined (AUDIT_SHELL)
+extern int maybe_make_audited __P((char *));
+#endif
+
 extern void unset_bash_input __P((int));
 extern void get_current_user_info __P((void));
 
diff -urp bash-3.2.orig/flags.c bash-3.2/flags.c
--- bash-3.2.orig/flags.c	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/flags.c	2007-01-20 11:59:23.000000000 -0500
@@ -142,6 +142,12 @@ int restricted = 0;		/* currently restri
 int restricted_shell = 0;	/* shell was started in restricted mode. */
 #endif /* RESTRICTED_SHELL */
 
+#if defined (AUDIT_SHELL)
+/* Non-zero means that this shell is audited. An audited shell records
+   each command that the root user executes. */
+int audited = 0;		/* shell was started in audit mode. */
+#endif /* AUDIT_SHELL */
+
 /* Non-zero means that this shell is running in `privileged' mode.  This
    is required if the shell is to run setuid.  If the `-p' option is
    not supplied at startup, and the real and effective uids or gids
diff -urp bash-3.2.orig/flags.h bash-3.2/flags.h
--- bash-3.2.orig/flags.h	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/flags.h	2007-01-20 11:59:23.000000000 -0500
@@ -66,6 +66,10 @@ extern int restricted;
 extern int restricted_shell;
 #endif /* RESTRICTED_SHELL */
 
+#if defined (AUDIT_SHELL)
+extern int audited;
+#endif /* AUDIT_SHELL */
+
 extern int *find_flag __P((int));
 extern int change_flag __P((int, int));
 extern char *which_set_flags __P((void));
Only in bash-3.2: .made
diff -urp bash-3.2.orig/Makefile.in bash-3.2/Makefile.in
--- bash-3.2.orig/Makefile.in	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/Makefile.in	2007-01-20 11:59:23.000000000 -0500
@@ -366,6 +366,8 @@ MALLOC_LIBRARY = @MALLOC_LIBRARY@
 MALLOC_LDFLAGS = @MALLOC_LDFLAGS@
 MALLOC_DEP = @MALLOC_DEP@
 
+AUDIT_LIB = @AUDIT_LIB@
+
 ALLOC_HEADERS = $(ALLOC_LIBSRC)/getpagesize.h $(ALLOC_LIBSRC)/shmalloc.h \
 		$(ALLOC_LIBSRC)/imalloc.h $(ALLOC_LIBSRC)/mstats.h \
 		$(ALLOC_LIBSRC)/table.h $(ALLOC_LIBSRC)/watch.h
@@ -386,7 +388,7 @@ BASHINCFILES =	 $(BASHINCDIR)/posixstat.
 		 $(BASHINCDIR)/ocache.h
 
 LIBRARIES = $(SHLIB_LIB) $(READLINE_LIB) $(HISTORY_LIB) $(TERMCAP_LIB) $(GLOB_LIB) \
-	    $(TILDE_LIB) $(MALLOC_LIB) $(INTL_LIB) $(LOCAL_LIBS)
+	    $(TILDE_LIB) $(MALLOC_LIB) $(INTL_LIB) $(LOCAL_LIBS) $(AUDIT_LIB)
 
 LIBDEP = $(SHLIB_DEP) $(INTL_DEP) $(READLINE_DEP) $(HISTORY_DEP) $(TERMCAP_DEP) $(GLOB_DEP) \
 	 $(TILDE_DEP) $(MALLOC_DEP)
diff -urp bash-3.2.orig/parse.y bash-3.2/parse.y
--- bash-3.2.orig/parse.y	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/parse.y	2007-01-20 11:59:23.000000000 -0500
@@ -258,7 +258,7 @@ int need_here_doc;
 
 /* Where shell input comes from.  History expansion is performed on each
    line when the shell is interactive. */
-static char *shell_input_line = (char *)NULL;
+char *shell_input_line = (char *)NULL;
 static int shell_input_line_index;
 static int shell_input_line_size;	/* Amount allocated for shell_input_line. */
 static int shell_input_line_len;	/* strlen (shell_input_line) */
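Review bot: Dropping `static` makes `shell_input_line` a global symbol in every build, including those configured without AUDIT_SHELL, and its only declaration outside parse.y is the block-scope `extern char *shell_input_line;` in eval.c, which the compiler cannot check against this definition. Declare it once in a shared header under `#if defined (AUDIT_SHELL)`, or keep the buffer static and add a small accessor in parse.y. A comment here should also note that the audit code reads this buffer after `execute_command` returns.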
diff -urp bash-3.2.orig/shell.c bash-3.2/shell.c
--- bash-3.2.orig/shell.c	2007-01-03 09:01:06.000000000 -0500
+++ bash-3.2/shell.c	2007-01-20 12:04:23.000000000 -0500
@@ -240,6 +240,9 @@ struct {
 #if defined (RESTRICTED_SHELL)
   { "restricted", Int, &restricted, (char **)0x0 },
 #endif
+#if defined (AUDIT_SHELL)
+  { "audit", Int, &audited, (char **)0x0 },
+#endif
   { "verbose", Int, &echo_input_at_read, (char **)0x0 },
   { "version", Int, &do_version, (char **)0x0 },
   { "wordexp", Int, &wordexp_only, (char **)0x0 },
@@ -644,6 +647,10 @@ main (argc, argv, env)
     maybe_make_restricted (shell_name);
 #endif /* RESTRICTED_SHELL */
 
+#if defined (AUDIT_SHELL)
+    maybe_make_audited (shell_name);
+#endif
+
   if (wordexp_only)
     {
       startup_state = 3;
@@ -1143,6 +1150,29 @@ maybe_make_restricted (name)
 }
 #endif /* RESTRICTED_SHELL */
 
+#if defined (AUDIT_SHELL)
+/* Perhaps make this shell an `audited' one, based on NAME.  If the
+   basename of NAME is "aubash", then this shell is audited.  The
+   name of the audited shell is a configurable option, see config.h.
+   In an audited shell, all actions performed by root will be logged
+   to the audit system.
+   Do this also if `audited' is already set to 1 maybe the shell was
+   started with --audit. */
+int
+maybe_make_audited (name)
+     char *name;
+{
+  char *temp;
+
+  temp = base_pathname (name);
+  if (*temp == '-')
+    temp++;
+  if (audited || (STREQ (temp, AUDIT_SHELL_NAME)))
+    audited = 1;
+  return (audited);
+}
+#endif /* AUDIT_SHELL */
+
 /* Fetch the current set of uids and gids and return 1 if we're running
    setuid or setgid. */
 static int
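Review bot: The comment on `maybe_make_audited` promises more than the patch delivers: it says all actions performed by root will be logged, while the check added to `reader_loop` in eval.c only opens the audit descriptor when `audited && interactive_shell && getuid () == 0`. Narrow the wording, for example `In an audited shell, commands read by an interactive shell whose real uid is 0 are logged to the audit system.`, and make the same correction in the flags.c comment and the bash.1 text so administrators do not assume that scripts or non-interactive invocations are covered. The comment's last sentence also runs two clauses together; `Do this also if audited is already set to 1; the shell may have been started with --audit.` reads cleanly.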


* Re: [PATCH] log all actions by privileged user in bash
  2007-02-05  0:54 [PATCH] log all actions by privileged user in bash Steve Grubb
@ 2007-02-06 20:15 ` Valdis.Kletnieks
  2007-02-06 20:50   ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Valdis.Kletnieks @ 2007-02-06 20:15 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux Audit


[-- Attachment #1.1: Type: text/plain, Size: 1497 bytes --]

On Sun, 04 Feb 2007 19:54:25 EST, Steve Grubb said:
> Hi,

>  	      execute_command (current_command);
> +#if defined (AUDIT_SHELL)
> +              {
> +                extern char *shell_input_line;
> +                audit (shell_input_line, last_command_exit_value);
> +              }
> +#endif

Umm.. audit *before* exec, in case the command is 'nuke_audit --force'? ;)

For the rest, feel free to clue-by-four me if I'm talking out some orifice
other than my mouth.. ;)

It's not clear that this can't be bypassed by (for instance), doing
something evil like this:

PS1="Normal prompt except for `exec_evilness_here`"

Looks like the shell completion could be fun too:

       edit-and-execute-command (C-xC-e)
              Invoke  an  editor  on the current command line, and execute the
              result as shell commands.   Bash  attempts  to  invoke  $FCEDIT,
              $EDITOR, and emacs as the editor, in that order.

(I haven't checked the source - the execute_command() function may in fact
get called for these cases.  If so, you probably need to document that some
output may be created even if the user isn't actually submitting a command,
so care needs to be used when correlating to actual terminal activity).

And given that 'cat > /tmp/evil; chmod +x /tmp/evil; /tmp/evil' and
'evilscript | /bin/sh' will work, about all this audit trail will show is
that *something* unusual happened - an attacker wouldn't have much trouble
disguising exactly *what* was done....





* Re: [PATCH] log all actions by privileged user in bash
  2007-02-06 20:15 ` Valdis.Kletnieks
@ 2007-02-06 20:50   ` Steve Grubb
  2007-02-06 23:21     ` Valdis.Kletnieks
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2007-02-06 20:50 UTC (permalink / raw)
  To: Valdis.Kletnieks; +Cc: Linux Audit

On Tuesday 06 February 2007 15:15, Valdis.Kletnieks@vt.edu wrote:
> On Sun, 04 Feb 2007 19:54:25 EST, Steve Grubb said:
> > Hi,
> >
> >  	      execute_command (current_command);
> > +#if defined (AUDIT_SHELL)
> > +              {
> > +                extern char *shell_input_line;
> > +                audit (shell_input_line, last_command_exit_value);
> > +              }
> > +#endif
>
> Umm.. audit *before* exec, in case the command is 'nuke_audit --force'? ;)

There are security targets that say that they want the success/fail 
indication. So, to satisfy that, I have to use post-command auditing. If they 
did nuke the audit system, that would get recorded. They either do 
auditctl -e 0 which results in an event, or they killall -s KILL auditd,
which produces something in syslog.

> It's not clear that this can't be bypassed by (for instance), doing
> something evil like this

auditing root wasn't intended to be bullet proof. If you do not trust the 
admin, the audit system will not save you. They could "rpm -e audit" 
or "ifdown eth0" and stop remote logging. SE Linux might help keep a 
potentially bad admin between the ditches. But even with SE Linux they could 
easily do rpm -e audit.

> PS1="Normal prompt except for `exec_evilness_here`"

Setting this should get recorded, and edit of .bashrc should get recorded if 
they put it there. They could also edit a script, run the script, delete the 
script as well.

> Looks like the shell completion could be fun too:
>
>        edit-and-execute-command (C-xC-e)
>               Invoke  an  editor  on the current command line, and execute
> the result as shell commands.   Bash  attempts  to  invoke  $FCEDIT,
> $EDITOR, and emacs as the editor, in that order.

I'm thinking the resulting command gets recorded.

> (I haven't checked the source - the execute_command() function may in fact
> get called for these cases.  If so, you probably need to document that some
> output may be created even if the user isn't actually submitting a command,
> so care needs to be used when correlating to actual terminal activity).

I haven't seen any case where something hit the logs that wasn't supposed to 
be there.

> And given that 'cat > /tmp/evil; chmod +x /tmp/evil; /tmp/evil' and
> 'evilscript | /bin/sh' will work, about all this audit trail will show is
> that *something* unusual happened - an attacker wouldn't have much trouble
> disguising exactly *what* was done....

True. I think that's all you *can* do. At the same time, I want to harden it 
if anyone sees a weakness that can be fixed.

-Steve


* Re: [PATCH] log all actions by privileged user in bash
  2007-02-06 20:50   ` Steve Grubb
@ 2007-02-06 23:21     ` Valdis.Kletnieks
  2007-02-20  1:16       ` Steve Grubb
  0 siblings, 1 reply; 5+ messages in thread
From: Valdis.Kletnieks @ 2007-02-06 23:21 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux Audit


[-- Attachment #1.1: Type: text/plain, Size: 3371 bytes --]

On Tue, 06 Feb 2007 15:50:20 EST, Steve Grubb said:
> On Tuesday 06 February 2007 15:15, Valdis.Kletnieks@vt.edu wrote:
> > Umm.. audit *before* exec, in case the command is 'nuke_audit --force'? ;)
>
> There are security targets that say that they want the success/fail
> indication. So, to satisfy that, I have to use post-command auditing. If they
> did nuke the audit system, that would get recorded. They either do
> auditctl -e 0 which results in an event, or they killall -s KILL auditd,
> which that produces something in syslog.

What happens if the command is 'exec /bin/bash' (or suitable other command
that makes sure that exec_command doesn't return?)  (If your code is currently
logging shell builtins like 'cd', then it's logging at a point in the code
where 'exec' will never come back...)

> Setting this should get recorded, and edit of .bashrc should get recorded if 
> they put it there. They could also edit a script, run the script, delete the 
> script as well.

That's assuming they *say* 'vi .bashrc', and don't say 'vi /tmp/innocent' and
then use :r and :w inside vi.  Or just use :sh to get themselves a non-audited
shell.

I'm sorry, but this is just too easy to bypass to count as serious auditing.
It probably *is* a help for answering "Geez George, what *was* that splendiferous
typo that adgered the Oracle server?", but hardly a speed bump for a clued
attacker.

> > Looks like the shell completion could be fun too:
> >
> >        edit-and-execute-command (C-xC-e)
> >               Invoke  an  editor  on the current command line, and execute
> > the result as shell commands.   Bash  attempts  to  invoke  $FCEDIT,
> > $EDITOR, and emacs as the editor, in that order.
> 
> I'm thinking the resulting command gets recorded.

OK, so we're recording something other than "the stream of commands actually
issued by the user", but also doing some things issued *on behalf of* said user.

> > (I haven't checked the source - the execute_command() function may in fact
> > get called for these cases.  If so, you probably need to document that some
> > output may be created even if the user isn't actually submitting a command,
> > so care needs to be used when correlating to actual terminal activity).
> 
> I haven't seen any case where something hit the logs that wasn't supposed to 
> be there.

For both of the above two, I meant that you'd need to document the fact that
(for instance) shell prompts and command editing could result in the logging of
commands never actually directly issued. (Ever been amazed when you tried to do
something like 'awk <magic> | sh -v' and it promptly dutifully traces your
startup script because $BASH_ENV was set? Similar issue here)

> > And given that 'cat > /tmp/evil; chmod +x /tmp/evil; /tmp/evil' and
> > 'evilscript | /bin/sh' will work, about all this audit trail will show is
> > that *something* unusual happened - an attacker wouldn't have much trouble
> > disguising exactly *what* was done....
> 
> True. I think that's all you *can* do. At the same time, I want to harden it 
> if anyone sees a weakness that can be fixed.

I dunno.  I can think of enough ways to bypass it that I have a hard time
convincing myself that it has any hope of making an auditor happy.  Is this
doing a *real* job of auditing any better than just doing this:

readonly HISTFILE=/dev/udp/syslog.server/514








* Re: [PATCH] log all actions by privileged user in bash
  2007-02-06 23:21     ` Valdis.Kletnieks
@ 2007-02-20  1:16       ` Steve Grubb
  0 siblings, 0 replies; 5+ messages in thread
From: Steve Grubb @ 2007-02-20  1:16 UTC (permalink / raw)
  To: Valdis.Kletnieks; +Cc: Linux Audit

On Tuesday 06 February 2007 18:21:06 Valdis.Kletnieks@vt.edu wrote:
> I can think of enough ways to bypass it that I have a hard time
> convincing myself that it has any hope of making an auditor happy.

You raised a lot of really good points. I haven't forgotten this patch, I will 
revisit it again soon after I get some new audit features finished.

Thanks,
-Steve

