squash / sudosh2

sudosh is an auditing shell filter and can be used as a login shell. Sudosh records all keystrokes and output and can play back the session just like a VCR. Sudosh2 is a continuation of the development of sudosh.

add support for logging shell session data to syslog #49

Open wschlich opened 6 months ago

wschlich commented 6 months ago

The following statement is written in the project README.md:

sudosh2 does not log sessions to syslog. If you need to consolidate session logs to a single location, logging them to a network filesystem is currently the recommended option.

This doesn't seem to make too much sense to me.

If an attacker can gain root privileges, he can probably just wipe these log files easily.

If sudosh2 could log to syslog, which in turn could log remotely to a syslog server, these logs could not be wiped by an attacker.

wschlich commented 6 months ago

A currently usable workaround for this problem could be to log session data to a local file using sudosh2 and have rsyslog slurp in this file using imfile, maybe: https://www.rsyslog.com/doc/configuration/modules/imfile.html

squash commented 6 months ago

Syslog messages specifically aren't a great fit for several reasons (including that the files aren't ASCII text and would need to be base64 encoded or similar). I'm always open to PRs, but we've been in maintenance mode since 2010, primarily fixing bugs and compatibility issues, and I exited the enterprise sysadmin scene not long after.

A ground-up rewrite would be a prerequisite for me to add significant features.
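The point raised above, that a session recording has to be base64 encoded (or similar) before syslog can carry it, illustrated with an added example. This is not sudosh2 project code and it assumes nothing about sudosh2's on-disk format beyond what the thread states (the files are not ASCII text); the sample session bytes, the RFC 5424 structured-data element name `session`, the chunk size and the function names are constructed for illustration. The sender side splits a recording into chunks, base64-encodes each one into an RFC 5424 message carrying a sequence number and a SHA-256 over the whole session; the receiver side reassembles the chunks in any order and refuses a session that is incomplete or whose bytes do not match the hash, which is the check you want if the goal is an off-host copy an attacker with root cannot quietly truncate.

```python
"""Ship a binary terminal-session recording over syslog as base64 chunks.

Added example, not sudosh2 code. The session bytes below are constructed:
a bit of ANSI-coloured shell output plus every byte value 0..255, so the
recording contains escape sequences, carriage returns and NUL bytes that a
line-oriented syslog transport would not preserve verbatim.
"""
import base64
import hashlib
import re
from collections import defaultdict

# Raw bytes per message. RFC 5424 only guarantees receivers accept 480
# octets, so 300 raw bytes (400 base64 characters) leaves room for the
# PRI, header and structured-data element. Constructed value, tune as needed.
CHUNK_BYTES = 300

# Constructed sample recording (not real sudosh2 output).
SAMPLE = (b"\x1b[32muser@host:~$ \x1b[0mid\r\nuid=0(root)\r\n"
          + bytes(range(256)) * 3)

# One RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG
MSG_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) sudosh - - '
    r'\[session id="(?P<sid>[^"]+)" seq="(?P<seq>\d+)" total="(?P<total>\d+)" '
    r'sha256="(?P<sha>[0-9a-f]{64})"\] (?P<b64>[A-Za-z0-9+/=]+)$'
)


def encode_session(session_id, data, host="host1",
                   ts="2024-01-01T00:00:00Z", facility=22, severity=6):
    """Split raw session bytes into RFC 5424 messages of base64 chunks.

    facility 22 is local6; the whole-session SHA-256 rides in every message
    so the receiver can verify reassembly without any extra state.
    """
    pri = facility * 8 + severity
    sha = hashlib.sha256(data).hexdigest()
    chunks = [data[i:i + CHUNK_BYTES] for i in range(0, len(data), CHUNK_BYTES)]
    total = len(chunks)
    msgs = []
    for seq, chunk in enumerate(chunks):
        b64 = base64.b64encode(chunk).decode("ascii")
        msgs.append(f'<{pri}>1 {ts} {host} sudosh - - '
                    f'[session id="{session_id}" seq="{seq}" total="{total}" '
                    f'sha256="{sha}"] {b64}')
    return msgs


def is_syslog_safe(msg):
    """True if the message is printable ASCII with no control characters."""
    return msg.isascii() and not any(ord(c) < 32 or ord(c) == 127 for c in msg)


def decode_sessions(lines):
    """Reassemble sessions from received lines.

    Returns {session_id: bytes}. Lines that are not session chunks are
    ignored. Raises ValueError for a session with missing chunks or whose
    reassembled bytes do not match the advertised SHA-256.
    """
    parts = defaultdict(dict)
    meta = {}
    for line in lines:
        m = MSG_RE.match(line)
        if not m:
            continue  # unrelated syslog traffic on the same collector
        sid = m["sid"]
        parts[sid][int(m["seq"])] = base64.b64decode(m["b64"])
        meta[sid] = (int(m["total"]), m["sha"])
    out = {}
    for sid, (total, sha) in meta.items():
        if set(parts[sid]) != set(range(total)):
            raise ValueError(f"session {sid}: missing chunks")
        data = b"".join(parts[sid][i] for i in range(total))
        if hashlib.sha256(data).hexdigest() != sha:
            raise ValueError(f"session {sid}: hash mismatch")
        out[sid] = data
    return out


def roundtrip_demo():
    """Encode the sample, deliver it out of order, and verify the bytes match."""
    msgs = encode_session("s1", SAMPLE)
    assert all(is_syslog_safe(m) for m in msgs)
    received = decode_sessions(msgs[::-1])
    return received == {"s1": SAMPLE}


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip_demo())
```

The messages are plain printable ASCII, so they can be written to a local file for rsyslog's imfile to pick up or handed straight to a remote collector; the hash check is what turns "we shipped some lines" into "we have the whole session".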