Skip to content

eMpTyll/Linux-Command-Log-Collector

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
filebeat
filebeat
 
 
logstash/pipeline
logstash/pipeline
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 
exec_logger.c
exec_logger.c
 
 
test.txt
test.txt
 
 

Repository files navigation

Linux-Command-Log-Collector

Overview

This project helps in collecting logs of executed commands on a Linux system. The solution uses LD_PRELOAD to intercept command execution and auditd to track command execution events.

Prerequisites

Before you start, ensure you have the following tools installed on your system:

  • GCC Compiler
  • Audit Daemon (auditd)

Step-by-Step Setup

1. Compile the Logger

First, compile the shared library exec_logger.so from the source file exec_logger.c. This library will be used to intercept command executions.

gcc -shared -fPIC -o exec_logger.so exec_logger.c -ldl

2. Set Up LD_PRELOAD

Set up LD_PRELOAD to use the compiled library. This will ensure that the logger library is loaded before other libraries, allowing it to intercept command executions.

export LD_PRELOAD=/path/to/exec_logger.so

To make this change permanent, add it to your system profile:

echo 'export LD_PRELOAD=/path/to/exec_logger.so' | sudo tee -a /etc/profile

3. Install auditd and audispd-plugins

Update your package list and install auditd and its plugins:

sudo apt-get update
sudo apt-get install auditd audispd-plugins

4. Configure auditd Rules

To monitor command executions, you need to add audit rules. Open the audit rules file and add the following lines:

sudo nano /etc/audit/rules.d/audit.rules

Add these rules to the file:

-w /usr/bin/sudo -p x -k command_executions
-w /bin/ -p x -k command_executions
-w /usr/bin/ -p x -k command_executions
-w /usr/sbin/ -p x -k command_executions

These rules will track execution events for common command binaries and sudo.

5. Restart auditd

Finally, restart the auditd service to apply the new rules:

sudo service auditd restart

Verification

After completing the setup, you can test it by executing some commands and checking the logs:

# Execute some commands
ls
pwd

# Check the logs
sudo ausearch -sc execve

You should see entries related to the executed commands in the audit logs.

Troubleshooting

  • If you encounter issues with LD_PRELOAD, ensure the path to exec_logger.so is correct and that the file has the appropriate permissions.

  • Verify that auditd is running and that the audit rules are correctly applied by checking the status and rules with the following commands:

    sudo service auditd status
sudo auditctl -l

Feel free to open an issue or submit a pull request if you encounter any problems or have suggestions for improvements.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages