Difference between revisions of "Ssh audit bashrc"
Latest revision as of 18:26, 17 October 2025
Yes, you absolutely can log all commands for a specific user inside an LXD container without giving it privileged access.
The best way to do this is by modifying the user's shell configuration files within the container. This approach doesn't require any special container privileges because it operates at the user and shell level, not the kernel level like auditd.
Using the User's .bashrc File
This method involves adding a logging command to the specific user's ~/.bashrc file. Every time that user opens a new terminal or runs a command, it will be logged.
Here are the steps to follow inside the LXD container:
- Access the Container Shell
First, get a shell inside the container you want to monitor.
lxc exec your-container-name -- bash
- Switch to the Target User
If you are not already logged in as the user you want to monitor, switch to that user. Let's say the user is named testuser.
su - testuser
- Edit the .bashrc File
Open the user's .bashrc file with a text editor like nano.
nano ~/.bashrc
- Add the Logging Command
Scroll to the very end of the file and add the following line. This command uses PROMPT_COMMAND to execute the logger utility before each new command prompt is displayed; the sed expression strips the history number and the spaces that follow it, leaving only the command text.
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.info "USER: $(whoami) PWD: $(pwd) CMD: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" )"'
This line will log the username, their current directory, and the command they just ran.
- Configure Log Storage (as root)
You'll need to tell the system where to store these logs. Exit from the user's session (exit) to return to your root shell within the container. Create a new configuration file for rsyslog:
nano /etc/rsyslog.d/50-user-commands.conf
Add the following line to this new file. This tells rsyslog to send any logs from the local6 facility to a specific file.
local6.* /var/log/user_commands.log
- Restart rsyslog
Apply the changes by restarting the rsyslog service.
systemctl restart rsyslog
How It Works and How to View Logs
From now on, whenever testuser executes a command, it will be automatically logged to /var/log/user_commands.log inside the container.
To see the logs in real-time, you can use the tail command from within the container's root shell:
tail -f /var/log/user_commands.log
The output will look something like this:
Oct 17 12:18:01 container-name testuser: USER: testuser PWD: /home/testuser CMD: ls -l
Oct 17 12:18:05 container-name testuser: USER: testuser PWD: /home/testuser CMD: cd /tmp
Oct 17 12:18:09 container-name testuser: USER: testuser PWD: /tmp CMD: echo "hello world"
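As an added example that is not part of the original page, the following shell functions let you check what the PROMPT_COMMAND line produces and read the resulting log back. strip_history_number applies the same kind of sed transformation to a raw history 1 line (removing the number and the whitespace after it), format_entry builds the USER/PWD/CMD message that logger would send, and parse_log turns lines from /var/log/user_commands.log into tab-separated records by locating the field labels rather than splitting on words, so a working directory containing spaces still parses. SAMPLE_LOG is constructed to match the sample output above; no real log file is read.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: small helpers for checking
# what the PROMPT_COMMAND line on the page produces and for reading the
# resulting /var/log/user_commands.log. SAMPLE_LOG below is constructed.

# Strip the leading history number (and the spaces after it) from one line of
# `history 1` output, the transformation the PROMPT_COMMAND line applies.
strip_history_number() {
    printf '%s\n' "$1" | sed 's/^[ ]*[0-9][0-9]*[ ]*//'
}

# Build the exact message logger would send for a given user, working
# directory and raw `history 1` line (the page's USER/PWD/CMD format).
format_entry() {
    printf 'USER: %s PWD: %s CMD: %s' "$1" "$2" "$(strip_history_number "$3")"
}

# Constructed rsyslog lines in the shape shown on the page.
SAMPLE_LOG='Oct 17 12:18:01 container-name testuser: USER: testuser PWD: /home/testuser CMD: ls -l
Oct 17 12:18:05 container-name testuser: USER: testuser PWD: /home/testuser CMD: cd /tmp
Oct 17 12:18:09 container-name testuser: USER: testuser PWD: /tmp CMD: echo "hello world"'

# Read log lines on stdin and emit one tab-separated record per line:
# user <TAB> working directory <TAB> command. Fields are found by their
# labels ("USER: ", " PWD: ", " CMD: ", each six characters), so a working
# directory containing spaces still parses; lines without USER: are skipped.
parse_log() {
    awk '{
        i = index($0, "USER: "); if (i == 0) next
        rest = substr($0, i + 6)
        p = index(rest, " PWD: "); u = substr(rest, 1, p - 1); rest = substr(rest, p + 6)
        c = index(rest, " CMD: "); d = substr(rest, 1, c - 1); cmd = substr(rest, c + 6)
        printf "%s\t%s\t%s\n", u, d, cmd
    }'
}

# Count logged commands per user, printed as "user<TAB>count".
count_by_user() {
    parse_log | cut -f1 | sort | uniq -c | awk '{ printf "%s\t%s\n", $2, $1 }'
}

# Stand-alone demonstration: parsed records, then per-user counts.
printf '%s\n' "$SAMPLE_LOG" | parse_log
printf '%s\n' "$SAMPLE_LOG" | count_by_user
```

To use it on a live container, replace the SAMPLE_LOG pipe with `cat /var/log/user_commands.log | parse_log`. Because each entry is generated by the monitored user's own shell, treat this file as a convenience trail rather than a tamper-evident audit record.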
Important Considerations ⚠️
- Bypassable: A knowledgeable user could potentially bypass this logging by editing their own .bashrc file, using a different shell, or manually unsetting the PROMPT_COMMAND variable.
- Bash Specific: This method works for the bash shell. If the user uses a different shell like zsh, you would need to modify the corresponding configuration file (e.g., ~/.zshrc).