From 146ab5dbedfc1116df86ac4fc77fe1a37cb272f5 Mon Sep 17 00:00:00 2001 From: Trevor Vaughan Date: Tue, 17 Jul 2018 12:25:53 -0400 Subject: [PATCH 1/2] Add sample profile hooks for people to use Users should be able to have tlog automatically log sessions when they access a system. These scripts provide a sample for users to work from and/or include in automation scripts as they see fit. --- README.md | 20 +++++++++++++++ doc/profile.d/tlog.csh | 55 ++++++++++++++++++++++++++++++++++++++++++ doc/profile.d/tlog.sh | 52 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 127 insertions(+) create mode 100644 doc/profile.d/tlog.csh create mode 100644 doc/profile.d/tlog.sh diff --git a/README.md b/README.md index 1494be3c..b00aeeb2 100644 --- a/README.md +++ b/README.md @@ -231,6 +231,26 @@ Customize `tlog-rec-session` configuration in `/etc/tlog/tlog-rec-session.conf` as necessary (see `tlog-rec-session.conf(5)` for details). +#### Automatically recording login sessions for users + +Sample scripts have been made available in `/usr/share/doc/tlog/profile.d` that +provide an automatic method for recording sessions from users or groups +specified in `/etc/security/tlog.users`. + +To use these scripts, simply copy them into `/etc/profile.d`. + +A valid `tlog.users` file might look like the following: + +``` +# Log all actions by the 'root' user +root + +# Log all actions by anyone in the 'admins' group +%admins +``` + +Note: Whitespace is **not** ignored. + #### Locale configuration issue on Fedora and RHEL Fedora and RHEL (and some other distros) use an approach for configuring diff --git a/doc/profile.d/tlog.csh b/doc/profile.d/tlog.csh new file mode 100644 index 00000000..72bdebec --- /dev/null +++ b/doc/profile.d/tlog.csh 
@@ -0,0 +1,55 @@
+# Place this script in /etc/profile.d to automatically hook any login or
+# interactive shell into tlog for a user or group listed in
+# /etc/security/tlog.users
+#
+# Entries in tlog.users should be listed one per line where users are bare
+# words such as `root` and groups are prefixed with a percent sign such as
+# `%root`.
+#
+# Copyright 2018 Trevor Vaughan - Onyx Point, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set TLOG_USERS="/etc/security/tlog.users"
+
+if ( -f "$TLOG_USERS" ) then
+ if ( ! ($?TLOG_RUNNING) ) then
+
+ set D='$'
+ set PATTERN="^(%$GROUP|$USER)$D"
+ set MATCH=`grep -E "$PATTERN" "$TLOG_USERS"`
+
+ if ( "$MATCH" != "" ) then
+ setenv TLOG_RUNNING true
+
+ setenv TLOG_REC_SESSION_SHELL $SHELL
+
+ set CMD="/usr/bin/tlog-rec-session"
+
+ set PATTERN='-c .\+'
+ set PASSTHROUGH_CMD=`ps --no-headers -o args $$ | grep -oe "$PATTERN"`
+
+ if ($?prompt || $?loginsh) then
+ set CMD="$CMD -l"
+ endif
+
+ if ( "$PASSTHROUGH_CMD" != "" ) then
+ set CMD="$CMD $PASSTHROUGH_CMD"
+ else
+ set CMD="exec $CMD"
+ endif
+
+ $CMD
+ endif
+ endif
+endif
diff --git a/doc/profile.d/tlog.sh b/doc/profile.d/tlog.sh
new file mode 100644
index 00000000..f454adc8
--- /dev/null
+++ b/doc/profile.d/tlog.sh
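Review bot: The `if ( ! ($?TLOG_RUNNING) ) then` guard keys on an ordinary environment variable, so a listed user who can seed their environment before profile.d runs (sshd `AcceptEnv`, or `env TLOG_RUNNING=1 tcsh -l` from any existing shell) skips recording outright, and `tcsh -f` or a plain remote `ssh host cmd` never reaches this file at all. That makes the hook a convenience rather than an enforcement control, and the header should say so, e.g. `# NOTE: best-effort only -- a user can bypass this hook (pre-set TLOG_RUNNING, tcsh -f, remote commands); to enforce recording make tlog-rec-session the user's login shell.` Separately, `$GROUP` and `$USER` are interpolated unescaped into the `grep -E` pattern in the `set PATTERN=` line, so names containing regex metacharacters change what matches, and `$GROUP` is only tcsh's primary group, so a `%admins` entry does not catch users whose membership is supplementary. The passthrough branch also re-executes the user's `-c` string through an unquoted `$CMD`, which word-splits and drops any quoting the original command had.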
@@ -0,0 +1,52 @@
+# Place this script in /etc/profile.d to automatically hook any login or
+# interactive shell into tlog for a user or group listed in
+# /etc/security/tlog.users
+#
+# Entries in tlog.users should be listed one per line where users are bare
+# words such as `root` and groups are prefixed with a percent sign such as
+# `%root`.
+#
+# Copyright 2018 Trevor Vaughan - Onyx Point, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+TLOG_USERS="/etc/security/tlog.users"
+
+if [ -f "${TLOG_USERS}" ]; then
+ if [ -z "$TLOG_RUNNING" ]; then
+ MATCH=`grep -E "^(%${GROUP}|${USER})$" "${TLOG_USERS}"`
+
+ if [ -n "$MATCH" ]; then
+ export TLOG_RUNNING=true
+ readonly TLOG_RUNNING
+
+ TLOG_REC_SESSION_SHELL=$SHELL
+
+ CMD="/usr/bin/tlog-rec-session"
+
+ PASSTHROUGH_CMD=`ps --no-headers -o args $$ | grep -oe "-c .\+"`
+
+ if [[ $- == *i* ]] || `shopt -q login_shell`; then
+ CMD="$CMD -l"
+ fi
+
+ if [ -n "$PASSTHROUGH_CMD" ]; then
+ CMD="$CMD $PASSTHROUGH_CMD"
+ else
+ CMD="exec $CMD"
+ fi
+
+ $CMD
+ fi
+ fi
+fi
From 797cb1e807f66064751a0be75f4091e6f37e461c Mon Sep 17 00:00:00 2001
From: Trevor Vaughan
Date: Wed, 25 Jul 2018 11:48:28 -0400
Subject: [PATCH 2/2] Fixed issues with EL6 and simplified scripts
---
 doc/profile.d/tlog.csh | 27 +++++++++++----------------
 doc/profile.d/tlog.sh | 38 ++++++++++++++++++++++----------------
 2 files changed, 33 insertions(+), 32 deletions(-)
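Review bot: `${GROUP}` in the `MATCH=` line is not a variable bash sets (only tcsh exports `GROUP`), so under bash the pattern collapses to `^(%|user)$` and a `%admins` entry like the README example can never match; where it is set by some other path it still names only the primary group. Derive the alternation from real membership and the real uid instead of trusting environment variables, e.g. `MATCH=$(grep -E "^(%($(id -Gn | tr ' ' '|'))|$(id -un))$" "${TLOG_USERS}")`. Account and group names are still dropped unescaped into an ERE, so a name containing `.` or `|` widens the match; that is tolerable for local accounts but deserves a comment. Note also that `TLOG_REC_SESSION_SHELL=$SHELL` is assigned but not exported, so the exec'd `tlog-rec-session` will not see it (the csh version uses `setenv`).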
diff --git a/doc/profile.d/tlog.csh b/doc/profile.d/tlog.csh index 72bdebec..9a9af3e0 100644 --- a/doc/profile.d/tlog.csh +++ b/doc/profile.d/tlog.csh @@ -21,35 +21,30 @@ # limitations under the License. # set TLOG_USERS="/etc/security/tlog.users" +set TLOG_CMD="/usr/bin/tlog-rec-session" if ( -f "$TLOG_USERS" ) then if ( ! ($?TLOG_RUNNING) ) then - set D='$' - set PATTERN="^(%$GROUP|$USER)$D" - set MATCH=`grep -E "$PATTERN" "$TLOG_USERS"` + set TLOG_D='$' + set TLOG_PATTERN="^(%$GROUP|$USER)$TLOG_D" + set TLOG_MATCH=`grep -E "$TLOG_PATTERN" "$TLOG_USERS"` - if ( "$MATCH" != "" ) then + if ( "$TLOG_MATCH" != "" ) then setenv TLOG_RUNNING true setenv TLOG_REC_SESSION_SHELL $SHELL - set CMD="/usr/bin/tlog-rec-session" - - set PATTERN='-c .\+' - set PASSTHROUGH_CMD=`ps --no-headers -o args $$ | grep -oe "$PATTERN"` - if ($?prompt || $?loginsh) then - set CMD="$CMD -l" + set TLOG_CMD="$TLOG_CMD -l" endif - if ( "$PASSTHROUGH_CMD" != "" ) then - set CMD="$CMD $PASSTHROUGH_CMD" - else - set CMD="exec $CMD" - endif + set TLOG_PATTERN='-c[[:space:]]\+.\+' + set TLOG_PASSTHROUGH_CMD=`ps --no-headers -o args $$ | grep -oe "$TLOG_PATTERN"` - $CMD + if ( "$TLOG_PASSTHROUGH_CMD" == "" ) then + exec $TLOG_CMD + endif endif endif endif diff --git a/doc/profile.d/tlog.sh b/doc/profile.d/tlog.sh index f454adc8..a53697c9 100644 --- a/doc/profile.d/tlog.sh +++ b/doc/profile.d/tlog.sh 
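Review bot: With the passthrough branch gone, the closing `if ( "$TLOG_PASSTHROUGH_CMD" == "" ) then exec $TLOG_CMD` means any tcsh started with `-c` -- which is what a remote `ssh host cmd` gives a listed user -- is simply not wrapped, so non-interactive commands go unrecorded while interactive logins are; a defensible trade-off, but it should be stated in the header, e.g. `# Shells started with -c (remote commands, scripts) are deliberately not wrapped; only interactive/login shells are recorded.` The `$?TLOG_RUNNING` loop guard is still a plain environment variable a user can pre-set to skip the hook, so this file cannot be the enforcement point for recording. `$GROUP` (tcsh's primary group only) and `$USER` remain unescaped inside the `grep -E` pattern, so supplementary group membership is not honoured and names with regex metacharacters mis-match.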
@@ -21,32 +21,38 @@ # limitations under the License. # TLOG_USERS="/etc/security/tlog.users" +TLOG_CMD="/usr/bin/tlog-rec-session" -if [ -f "${TLOG_USERS}" ]; then - if [ -z "$TLOG_RUNNING" ]; then - MATCH=`grep -E "^(%${GROUP}|${USER})$" "${TLOG_USERS}"` +tlog_parent(){ + retval=1 - if [ -n "$MATCH" ]; then - export TLOG_RUNNING=true - readonly TLOG_RUNNING + ppid=`ps --no-headers -o ppid $1` - TLOG_REC_SESSION_SHELL=$SHELL + if [ $ppid -gt 1 ]; then + if `ps --no-headers -o ppid,args $1 | grep -q 'tlog-rec-session'`; then + return 0 + else + tlog_parent $ppid + retval=$? + fi - CMD="/usr/bin/tlog-rec-session" + fi - PASSTHROUGH_CMD=`ps --no-headers -o args $$ | grep -oe "-c .\+"` + return $retval +} +if [ -f "${TLOG_USERS}" ]; then + if ! `tlog_parent $PPID`; then + if `grep -qE "^(%${GROUP}|${USER})$" "${TLOG_USERS}"`; then if [[ $- == *i* ]] || `shopt -q login_shell`; then - CMD="$CMD -l" + TLOG_CMD="${TLOG_CMD} -l" fi - if [ -n "$PASSTHROUGH_CMD" ]; then - CMD="$CMD $PASSTHROUGH_CMD" - else - CMD="exec $CMD" - fi + if ! `ps --no-headers -o args $$ | grep -qe "-c[[:space:]]\+.\+"`; then + TLOG_REC_SESSION_SHELL=$SHELL - $CMD + exec $TLOG_CMD + fi fi fi fi
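Review bot: `TLOG_REC_SESSION_SHELL=$SHELL` immediately before `exec $TLOG_CMD` is a plain shell assignment, not an export, so unlike the `setenv` in the csh counterpart it never reaches the exec'd `tlog-rec-session`; it should read `export TLOG_REC_SESSION_SHELL="$SHELL"`. The new `tlog_parent` guard decides "already recording" by a substring match on ancestors' `ps -o args` output, which the user controls (`exec -a tlog-rec-session bash -l`, or that string inside a `sh -c '...'` ancestor), so it is fine as loop prevention but must not be mistaken for enforcement; `ppid` and `retval` should also be `local` so the recursion does not leak them into every login shell. The backtick-wrapped `tlog_parent $PPID` and `grep -qE ...` tests only work because an empty command inherits the substitution's exit status; `if ! tlog_parent "$PPID"; then` and `if grep -qE "..." "${TLOG_USERS}"; then` say what is meant. `${GROUP}` remains unset under bash, so `%group` entries still cannot match in this file.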