This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: Get cmd name out of bash


Philipp Michael wrote:
> Hi, so I'm trying to set up a kind of a keylogger. The script should only log the
> executed inputs in the bash, like ls, ..... not the results. Because of a
> centralized logging structure I want to save this command log file on a syslog-ng
> server. To import the commands from the script to the syslog daemon I wanted to
> use a named pipe.

OK.

> At the moment I use the Fedora 9 Live CD from the systemtap site running as a VM.
> Kernel 2.6.25.3-18.fc9.i686, Systemtap 0.6.2/0.133. But this is only for testing.
> Later on the script should run on different SuSE Enterprise Linux 10.x and RHEL 3,
> 4, 5 distributions... Will I get a problem running different kernel versions?

Assuming you use systemtap, you might end up checking kernel versions in
your script since you are trying to support such a wide variety of kernels.

>> There are more problems here though.  First, the process.stp tapset is deprecated
>> and is most likely going away.  Second, I'm not sure systemtap is really the tool
>> for what you appear to be trying to do.  I think what you really might want to do
>> here is enable the kernel's auditing facility, which is already set up to do exec
>> auditing.
> 
>> If you want to pursue this further, I'd need a better description of what you are
>> really trying to do.
> 
> So what do you mean by kernel exec auditing? The auditd daemon?

Yes.  The auditd daemon is the user-side of the kernel's auditing
facility.  Note that I've never actually done this, but I did find a
blog posting that seems to give reasonable instructions:

<http://tarantule.blogspot.com/2008/05/auditd-configuration-on-linux-to-track.html>

-- 
David Smith
dsmith@redhat.com
Red Hat
http://www.redhat.com
256.217.0141 (direct)
256.837.0057 (fax)
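David's suggestion is to let the kernel audit facility record every execve() instead of hooking bash with SystemTap. As an added example (not from this thread, and not Red Hat's or the audit project's code), the following Python filter is the kind of glue Philipp described: it reads audit EXECVE records, decodes the hex-encoded arguments audit emits for values containing spaces or quotes, reassembles arguments that audit split into aN[0], aN[1] chunks, and hands one readable command line per exec to syslog so syslog-ng can ship it off-host. The auditctl rules in the header comment and the audit log lines in SAMPLE_AUDIT_LOG are constructed for illustration; the field layout follows the audit.log EXECVE record format.

```python
"""
Reconstruct command lines from Linux audit EXECVE records and forward
them to syslog.

Added example, not code from the systemtap thread. It assumes auditd is
already recording execve() calls, for instance with rules such as
    auditctl -a always,exit -F arch=b32 -S execve -k exec_log
    auditctl -a always,exit -F arch=b64 -S execve -k exec_log
and that records look like the lines auditd writes to audit.log.
"""
import re
import shlex

# Constructed sample audit records (not real captures). The second
# record has a hex-encoded a2 because the argument contains spaces;
# the fourth shows an argument that audit split into a0[0], a0[1].
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1211000000.100:101): arch=40000003 syscall=11 success=yes exit=0 comm="bash" exe="/bin/bash" key="exec_log"
type=EXECVE msg=audit(1211000000.100:101): argc=3 a0="bash" a1="-c" a2=6C73202D6C61202F746D70
type=EXECVE msg=audit(1211000000.200:102): argc=2 a0="ls" a1="/etc"
type=EXECVE msg=audit(1211000000.300:103): argc=1 a0[0]="/usr/bin/very" a0[1]="long"
"""

EXECVE_RE = re.compile(r'type=EXECVE msg=audit\((\d+)\.(\d+):(\d+)\): (.*)')
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S+)')
ARG_RE = re.compile(r'^a(\d+)(?:\[(\d+)\])?$')


def decode_value(raw):
    """Quoted values are literal; unquoted values are hex-encoded by audit."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', 'backslashreplace')
    except ValueError:
        return raw  # e.g. "(null)" or other non-hex tokens


def parse_execve(line):
    """Return {'time', 'serial', 'argv'} for an EXECVE record, else None.

    Records whose reassembled argv does not match argc (truncated or
    multi-line spill) are rejected rather than logged as a partial command.
    """
    m = EXECVE_RE.match(line.strip())
    if not m:
        return None
    secs, _millis, serial, rest = m.groups()
    argc = None
    pieces = {}  # arg index -> {chunk index -> text}
    for name, raw in FIELD_RE.findall(rest):
        if name == 'argc':
            argc = int(raw)
            continue
        am = ARG_RE.match(name)
        if am is None:
            continue
        idx, chunk = int(am.group(1)), int(am.group(2) or 0)
        pieces.setdefault(idx, {})[chunk] = decode_value(raw)
    argv = [''.join(text for _, text in sorted(pieces[i].items()))
            for i in sorted(pieces)]
    if argc is not None and len(argv) != argc:
        return None
    return {'time': int(secs), 'serial': int(serial), 'argv': argv}


def format_line(rec):
    """One syslog-friendly line; shlex.join keeps spaces inside args visible."""
    return 'audit-exec serial=%d cmd=%s' % (rec['serial'], shlex.join(rec['argv']))


def _syslog_emit(msg):
    import syslog  # Unix-only module, imported lazily
    syslog.syslog(syslog.LOG_INFO, msg)


def forward(lines, emit=_syslog_emit):
    """Parse EXECVE records from an iterable of audit lines, emit each
    formatted command via `emit`, and return the emitted messages."""
    sent = []
    for line in lines:
        rec = parse_execve(line)
        if rec is not None:
            msg = format_line(rec)
            emit(msg)
            sent.append(msg)
    return sent


if __name__ == '__main__':
    # Print instead of writing to the local syslog when run by hand.
    for msg in forward(SAMPLE_AUDIT_LOG.splitlines(), emit=print):
        pass
```

In production this would read the live audit stream (for example as an audispd plugin on stdin) rather than a string, and the stock audisp-syslog plugin can already forward raw events; the value of a filter like this is turning hex-encoded arguments back into something a reviewer can read before the message leaves the host. Two caveats a bash-level logger would also share: execve() auditing does not see shell builtins (cd, export, echo), and it records every exec on the system, not just interactive shell commands, so key-based filtering (-k exec_log) or a -F uid match is usually needed to keep volume manageable.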

