shlog.c is a small program that calls getpeername on its input descriptor and logs the remote host (if it is invoked via a remote session) along with the uid/gid to syslog. It can be used as an additional logging tool for login shells (by putting it into the system profile).
/*
* shlog.c (c) Mixter
* FIXED Version (thanks to scagneti@chisel.toolcity.net)
* Well, this does not do too much: it will determine the
* origin (remote IP address) from which a shell is launched (user
* id/remote host), and write a syslog entry, everytime a login shell
* is invoked. This can help against login trojans, or just for providing
* better audit trails.
* Put a call to shlog into /etc/profile and/or /etc/bashrc
*/
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define IO_STDIN 0
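/*
 * Copy `src` into `dst` for logging, replacing control bytes with '?' and
 * truncating to the buffer size (always NUL-terminated when dst_size > 0).
 * SHELL comes from the caller's environment and is not validated, so it
 * must not be able to put line breaks or terminal control sequences into
 * the audit trail.
 */
static void
log_safe_copy (char *dst, size_t dst_size, const char *src)
{
	size_t i = 0;

	if (dst_size == 0)
		return;
	for (; src[i] != '\0' && i + 1 < dst_size; i++) {
		unsigned char c = (unsigned char) src[i];
		dst[i] = (c < 0x20 || c == 0x7f) ? '?' : (char) c;
	}
	dst[i] = '\0';
}

/*
 * Log who invoked this shell and from where.  The peer address is read
 * from stdin with getpeername(): it succeeds only when stdin is a
 * connected socket (e.g. a remote login session) and fails (ENOTSOCK)
 * for a terminal or pipe, which is how "local" is distinguished.
 *
 * Returns 0 always; not being able to name the peer is itself logged.
 */
int
main (int argc, char **argv)
{
	/* Large enough for any address family; the union lets the kernel's
	   fill be read through the matching sockaddr_* view without casts
	   or aliasing tricks. */
	union {
		struct sockaddr sa;
		struct sockaddr_in in4;
		struct sockaddr_in6 in6;
		struct sockaddr_storage ss;
	} peer = { 0 };
	socklen_t peer_len = sizeof peer;   /* in: capacity, out: bytes filled */
	char host[INET6_ADDRSTRLEN] = "";
	char shell[256];
	/* argv[0] may be NULL when argc == 0; use a fixed ident then. */
	const char *ident = (argc > 0 && argv[0] != NULL) ? argv[0] : "shlog";
	const char *shell_env = getenv ("SHELL");
	int rc;

	/* A NULL "%s" argument is undefined behaviour; log something explicit
	   instead.  Note SHELL is whatever the caller's environment says, not
	   necessarily the shell that is actually running. */
	log_safe_copy (shell, sizeof shell, shell_env != NULL ? shell_env : "(unset)");

	(void) openlog (ident, LOG_PID, LOG_AUTHPRIV);

	rc = getpeername (IO_STDIN, &peer.sa, &peer_len);
	if (rc == 0) {
		const void *addr = NULL;

		/* Only read the fields that belong to the family actually returned;
		   taking sin_addr from an AF_UNIX or AF_INET6 peer would log garbage. */
		if (peer.sa.sa_family == AF_INET && peer_len >= sizeof peer.in4)
			addr = &peer.in4.sin_addr;
		else if (peer.sa.sa_family == AF_INET6 && peer_len >= sizeof peer.in6)
			addr = &peer.in6.sin6_addr;

		/* uid_t/gid_t are unsigned on common systems; widen explicitly so the
		   format specifier matches the argument type. */
		if (addr != NULL && inet_ntop (peer.sa.sa_family, addr, host, sizeof host) != NULL)
			syslog (LOG_NOTICE | LOG_AUTHPRIV,
				"shell '%s' (uid: %lu euid: %lu gid: %lu) invoked by remote connection from host %s",
				shell,
				(unsigned long) getuid (), (unsigned long) geteuid (), (unsigned long) getgid (),
				host);
		else
			syslog (LOG_NOTICE | LOG_AUTHPRIV,
				"shell '%s' (uid: %lu euid: %lu gid: %lu) invoked by connection of unsupported address family %d",
				shell,
				(unsigned long) getuid (), (unsigned long) geteuid (), (unsigned long) getgid (),
				(int) peer.sa.sa_family);
	} else {
		syslog (LOG_NOTICE | LOG_AUTHPRIV,
			"shell '%s' (uid: %lu euid: %lu gid: %lu) invoked from local host or program",
			shell,
			(unsigned long) getuid (), (unsigned long) geteuid (), (unsigned long) getgid ());
	}

	(void) closelog ();
	return 0;
}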