Homework: how can I register processes for audit using the bash shell?

I am very new to Linux and apologize for the newbie questions. I had an extra-credit question which I tried to do, but could not get it.

Q. Write a security shell script that logs the following information for each process: User ID, start time, time completed (0 if the process is still running), whether this process tried to access the protected file (saved as yes or no). Create a log called process_security_log, where each of the above pieces of information is stored on a separate line, and each record follows immediately after the previous one (that is, there are no empty lines). Write a shell script that will check this log and display the user ID of any process that is still running that tried to access the protected file.

I started by trying to just capture the user and echo it, but failed.

    output=`ps -ef | grep [*]`
    set -- $output
    User=$1
    echo $User

3 answers

The ps output is insufficient and cannot produce the data this question requires.

You need something like auditd, SELinux, or outright hacking the kernel (i.e. fork.c) to do anything remotely in the security logging area.

Update

Others suggested using command logging, ps and friends (procfs or sysfs). They can be useful and have their place (obviously). I would say that they should not be relied upon for this purpose, especially in the context of education.

... whether the process tried to access the protected file (saved as yes or no)

This seems to be the part that the other answers are ignoring. I stand by my original answer, but as Daniel points out, there are other interesting ways to gather this data.

For educational exercises, these tools will help you get a more complete answer.


Since this is homework, I assume that the script is not a real script and is just an exercise for learning. A shell is not a suitable place to conduct a security audit or process accounting. However, here are a few pointers that can help you find out what you can do on the command line.

  • You can set bash's PROMPT_COMMAND to log each process.
  • You can tail or grep your command history to use during logging.
  • You can use /usr/bin/script (usually found in the bsdutils package) to create a typescript of your session.
  • You can run ps in a loop using subshells or the watch utility to find out which processes are currently running.
  • You can use pidof or pgrep to find processes more easily.
  • You can modify your .bashrc or other shell startup file to set up your environment or run logging tools.

As a starting point, you can start with something trivial:

    $ export PROMPT_COMMAND='history | tail -n1'
       56  export PROMPT_COMMAND='history | tail -n1'
    $ ls /etc/passwd
    /etc/passwd
       57  ls /etc/passwd

and add any additional logging data or process information that is deemed necessary. Hope this points you in the right direction!


Take a look at the /proc pseudo file system.

Inside this there is a subdirectory for each running process: the process with id [pid] has its information available in /proc/[pid]/. Inside this directory, you can use /proc/[pid]/stat or /proc/[pid]/status to get information about which user started the process and when.

I'm not sure what the assignment means by "protected file", but if you have a way to determine which files are protected, you can get information about open files (including their names) through /proc/[pid]/fd/ and /proc/[pid]/fdinfo.

Is /proc sufficient for true security logging? No, but /proc is enough to get information about which processes are currently running on the system, which is probably all that is necessary for homework about shell scripts. Also, outside this class, you will probably find /proc useful later for other purposes, such as viewing the mapped pages of a process. This can come in handy if you are writing a stack trace utility or want to know how they work, or if you are debugging code that uses memory-mapped files.

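As an added example (not from the original post or any of the answers), here is a shell script built from the third answer's pointers: it scans /proc, writes the four-line-per-process process_security_log the assignment describes, and then reads that log back to print the UIDs of still-running processes holding the protected file open. It assumes Linux /proc, that the protected file path is given as the first argument, and that "tried to access" is approximated as "currently has the file open"; accesses that already finished or were denied are invisible here, which is exactly the gap the first answer points out.

```shell
#!/bin/sh
# Added example, not the poster's code. Assumes Linux /proc and that
# "accessed" means an fd under /proc/PID/fd points at the protected file.
# The fd directory of another user's process is unreadable without root,
# so such processes are logged as "no".
LOG=${LOG:-process_security_log}

# Start time of PID as seconds since the epoch. Field 22 of /proc/PID/stat is
# the start time in clock ticks since boot; strip everything up to ") " first,
# because the command name (field 2) may contain spaces, leaving it as field 20.
proc_start_epoch() {
    ticks=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | awk '{print $20}') || return 1
    [ -n "$ticks" ] || return 1
    btime=$(awk '/^btime /{print $2}' /proc/stat)
    hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
    echo $(( btime + ticks / hz ))
}

# Real UID of PID, from the "Uid:" line of /proc/PID/status.
proc_uid() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Uid:/{print $2}' "/proc/$1/status"
}

# Exit 0 if PID currently holds FILE open (compares canonical paths).
has_file_open() {
    target=$(readlink -f "$2") || return 1
    for fd in /proc/"$1"/fd/*; do
        [ -e "$fd" ] || continue          # unreadable dir, or fd vanished
        [ "$(readlink -f "$fd" 2>/dev/null)" = "$target" ] && return 0
    done
    return 1
}

# Write one record per running process: uid, start, end (0 = running), yes/no.
write_log() {
    : > "$LOG"
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        uid=$(proc_uid "$pid") || continue          # exited mid-scan
        start=$(proc_start_epoch "$pid") || continue
        if has_file_open "$pid" "$1"; then acc=yes; else acc=no; fi
        printf '%s\n%s\n%s\n%s\n' "$uid" "$start" 0 "$acc" >> "$LOG"
    done
}

# Second half of the assignment: UIDs of still-running processes that accessed it.
running_accessors() {
    while read -r uid && read -r start && read -r end && read -r acc; do
        [ "$end" = 0 ] && [ "$acc" = yes ] && echo "$uid"
    done < "$LOG" | sort -u
}

if [ "$#" -ge 1 ]; then write_log "$1"; running_accessors; fi
```

Run it as `./audit.sh /etc/shadow` (or any file you choose as "protected"); in another terminal, `tail -f /etc/shadow` as root gives it something to find.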

Source: https://habr.com/ru/post/914674/
