Closed ghost closed 7 years ago
I would think that in the Perl script you could check to see if a user is logged in to the corresponding tty where the command is executed. Is this what you're looking for?
Yep, I was thinking about that a few minutes ago. But the point is the script is a logon script, executed when the user comes on the server ... and in fact it's executed by the user. So it's the same tty, same ppid, etc.
Basically, it would be awesome if auditd could not track the commands executed in a script ... maybe I'm dreaming but it would be what I need to do ;-)
Yup, you are correct. Unfortunately, that is not something we can do with the audit system. I've read that some admins use Bash's PROMPT_COMMAND variable to send shell history to a syslog server in real-time, but that can be easily defeated if the user wishes to hide.
On Wed, Nov 30, 2016 at 12:40 PM, Xavier notifications@github.com wrote:
Basically, it would be awesome if auditd could not track the commands executed in a script ... maybe I'm dreaming but it would be what I need to do ;-)
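The `PROMPT_COMMAND` approach mentioned in the reply above, as an added example that is not part of the original thread or of audisp-simplify. Bash runs `PROMPT_COMMAND` only before it prints an interactive prompt, so lines typed by a human are logged while commands run inside a script (including a logon script) are not. The function names, the `shell-cmd` tag and the `local6` facility are assumptions.

```bash
# Added example: source from /etc/profile.d/ or ~/.bashrc (bash only).
# Assumed names: hist_num, hist_cmd, log_last_command, tag "shell-cmd", local6.

# Extract the entry number from one `history 1` line such as "  501  ls -l".
hist_num() {
    printf '%s\n' "$1" | sed -n '1s/^ *\([0-9][0-9]*\).*/\1/p'
}

# Strip the entry number (and the "*" bash adds to modified entries).
hist_cmd() {
    printf '%s\n' "$1" | sed '1s/^ *[0-9][0-9]*[* ] *//'
}

# Called by bash before each interactive prompt; never called inside scripts.
log_last_command() {
    local entry num
    # Empty HISTTIMEFORMAT keeps timestamps out of the output we parse.
    entry=$(HISTTIMEFORMAT='' history 1)
    num=$(hist_num "$entry")
    # Pressing Enter on an empty line redraws the prompt without adding a
    # history entry, so skip numbers that were already sent.
    [ -n "$num" ] && [ "$num" != "$_LAST_LOGGED" ] || return 0
    _LAST_LOGGED=$num
    logger -p local6.notice -t shell-cmd -- \
        "user=$(id -un) tty=$(tty) pwd=$PWD cmd=$(hist_cmd "$entry")"
}

# As noted in the thread, the user can unset this or start another shell,
# so treat the result as a convenience log next to auditd, not a replacement.
PROMPT_COMMAND=log_last_command
```

Forwarding `local6.*` from the local syslog daemon to a remote collector gives the real-time copy described in the reply.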
Hi! Wonderful job ;) I have a question about logging all the commands ... do you think it's possible to log only the commands executed by a human in the shell and not the commands executed by a script (even if it's the human who runs the script ...)?