James Powell

Reputation: 69

Homework: How can I log processes for auditing using the bash shell?

I am very new to linux and am sorry for the newbie questions. I had a homework extra credit question that I was trying to do but failed to get it.

Q. Write a security shell script that logs the following information for every process: User ID, time started, time ended (0 if process is still running), whether the process has tried to access a secure file (stored as either yes or no) The log created is called process_security_log where each of the above pieces of information is stored on a separate line and each entry follows immediately (that is, there are no blank lines). Write a shell script that will examine this log and output the User ID of any process that is still running that has tried to access a secure file.

I started by trying to just capture the User and echo it, but failed.

# Capture ps -ef, keeping only lines that match the pattern [*]. Unquoted,
# [*] is a glob that only expands if a file named "*" exists; otherwise grep
# receives it as a bracket expression matching a literal asterisk, which
# ps -ef output normally does not contain, so the capture is usually empty.
output=`ps -ef | grep [*]`
# Split the captured text on whitespace into the positional parameters.
set -- $output
# Take the first word (the UID column of the first matching ps line).
User=$1
echo $User

Upvotes: 6

Views: 724

Answers (3)

h0tw1r3

Reputation: 6818

The output of ps is both insufficient and incapable of producing data required by this question.

You need something like auditd, SELinux, or straight up kernel hacks (i.e. fork.c) to do anything remotely in the realm of security logging.

Update

Others have made suggestions to use shell command logging, ps and friends (proc or sysfs). They can be useful, and do have their place (obviously). I would argue that they shouldn't be relied on for this purpose, especially in an educational context.

... whether the process has tried to access a secure file (stored as either yes or no)

Seems to be the one that the other answers are ignoring. I stand by my original answer, but as Daniel points out there are other interesting ways to garner this data.

For an educational exercise these tools will help provide a more complete answer.

Upvotes: 1
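The answer above says the "tried to access a secure file" column needs auditd rather than ps. As an added example (not code from the answer), this is what that looks like: a watch rule on the secure file, and a filter that pulls uid, pid and command out of the SYSCALL records the rule produces. Assumed here, not from the original: the secure file is /etc/shadow and the rule key is secure_file (any name works as long as the rule and the filter agree). The sample audit log is constructed for the example, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Shows the auditd
# route to "did this process try to access a secure file": a watch rule on
# the file plus a filter over the audit records it generates. Assumptions
# (not in the original): the secure file is /etc/shadow and the rule key is
# secure_file.

# Needs root and a running auditd. -p rwa logs read, write and attribute
# access; -k tags every record the rule produces so it can be found again.
install_watch() {
    auditctl -w /etc/shadow -p rwa -k secure_file
}

# Print "uid pid comm" for each SYSCALL record carrying our key. Input may be
# /var/log/audit/audit.log or the output of `ausearch -k secure_file --raw`.
# Unlike a /proc snapshot, this also catches attempts that were denied
# (success=no), which is exactly the "tried to" in the assignment.
audit_suspects() {
    awk '/^type=SYSCALL / && /key="secure_file"/ {
            uid = ""; pid = ""; comm = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "uid")  uid  = v
                if (k == "pid")  pid  = v
                if (k == "comm") { gsub(/"/, "", v); comm = v }
            }
            print uid, pid, comm
         }' "$1"
}

# Constructed sample log (not a real capture) for trying the filter offline:
# one denied open of /etc/shadow with our key, and one record with an
# unrelated key that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="secure_file"
type=CWD msg=audit(1364481363.243:24287):  cwd="/home/student"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/shadow" inode=409248 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1364481370.001:24290): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=4242 auid=0 uid=0 gid=0 euid=0 comm="cron" exe="/usr/sbin/cron" key="other_rule"
EOF
}

# Usage on a real system (as root): install_watch; then later
#   audit_suspects /var/log/audit/audit.log
case "${1:-}" in
    watch)  install_watch ;;
    report) audit_suspects "${2:-/var/log/audit/audit.log}" ;;
esac
```

The PATH record that follows each SYSCALL record names the file actually touched; the filter keys on the rule tag instead because that is what the rule was installed to mark, and it survives the file being reached through a different path or symlink.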

Adam Mihalcin

Reputation: 14458

Take a look at the /proc pseudo-filesystem.

Inside of this, there is a subdirectory for every process that is currently running - process [pid] has its information available in /proc/[pid]/. Inside of that directory, you might make use of /proc/[pid]/stat or /proc/[pid]/status to get information about which user started the process and when.

I'm not sure what the assignment means by a "secure file," but if you have some way of determining which files are secure, you can get information about open files (including their names) through /proc/[pid]/fd/ and /proc/[pid]/fdinfo.

Is /proc enough for true security logging? No, but /proc is enough to get information about which processes are currently running on the system, which is probably what you need for a homework assignment about shell scripting. Also, outside of this class you'll probably find /proc useful later for other purposes, such as seeing the mapped pages for a process. This can come in handy if you're writing a stack trace utility or want to know how they work, or if you're debugging code that uses memory-mapped files.

Upvotes: 0
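Putting the /proc pointers from the answer above together with the format the question asks for, here is an added example of both assignment scripts (this is not code from the question or any answer). It assumes definitions the assignment leaves open: a "secure file" is any path in SECURE_FILES, "tried to access" is approximated by the process currently holding such a file open under /proc/[pid]/fd, and the end time is always 0 because a /proc snapshot only ever sees processes that are still running (processes that have already exited, and accesses that were denied, never show up here; that is the gap the auditd answer points at).

```shell
#!/bin/sh
# Added example, not code from the question or any answer. Two scripts in
# one file: write_log produces process_security_log from /proc, and
# report_suspects reads it back. Assumed, not in the original: the secure
# file list, the "holds it open" approximation of "tried to access", and
# an end time that is always 0 because /proc only shows live processes.

SECURE_FILES="${SECURE_FILES:-/etc/shadow /etc/gshadow}"
LOG="${LOG:-process_security_log}"

# Start time of a pid in seconds since the epoch: boot time (btime in
# /proc/stat) plus field 22 of /proc/<pid>/stat, which is in clock ticks.
proc_start_time() {
    pid=$1
    btime=$(awk '/^btime/ {print $2}' /proc/stat)
    hz=$(getconf CLK_TCK)
    # Field 2 (comm) may contain spaces, so drop everything through the
    # closing parenthesis first; field 22 of the whole line is then field 20.
    ticks=$(sed 's/^.*) //' "/proc/$pid/stat" 2>/dev/null | awk '{print $20}')
    [ -n "$ticks" ] || ticks=0          # process vanished while we looked
    echo $(( btime + ticks / hz ))
}

# Print yes if any open descriptor of the pid resolves to a secure file.
accessed_secure_file() {
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        for f in $SECURE_FILES; do
            if [ "$target" = "$f" ]; then
                echo yes
                return 0
            fi
        done
    done
    echo no
}

# Script 1: one four-line entry per process, no blank lines:
#   uid / start time / end time / accessed secure file (yes|no)
write_log() {
    : > "$LOG"
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/status" ] || continue
        # Real uid is the second field of the Uid: line in status.
        uid=$(awk '/^Uid:/ {print $2}' "$d/status" 2>/dev/null)
        [ -n "$uid" ] || continue        # process exited under us
        {
            echo "$uid"
            proc_start_time "$pid"
            echo 0
            accessed_secure_file "$pid"
        } >> "$LOG"
    done
}

# Script 2: walk the log in groups of four lines and print the uid of every
# entry whose end time is 0 (still running) and whose flag is yes.
report_suspects() {
    awk 'NR % 4 == 1 { uid = $1 }
         NR % 4 == 3 { ended = $1 }
         NR % 4 == 0 && ended == 0 && $1 == "yes" { print uid }' "$1"
}

# Usage: sh thisfile.sh write   (as root, to see other users' fds)
#        sh thisfile.sh report
case "${1:-}" in
    write)  write_log ;;
    report) report_suspects "$LOG" ;;
esac
```

Reading /proc/[pid]/fd for processes you do not own requires root, which is why the write step is meant to run privileged; the report step only reads the log and needs no privilege.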

Todd A. Jacobs

Reputation: 84343

Since this is homework, I'm assuming that the scenario isn't a real-world scenario, and is merely a learning exercise. The shell is not really the right place to do security auditing or process accounting. However, here are some pointers that may help you discover what you can do at the shell prompt.

  1. You might set the bash PROMPT_COMMAND to do your process logging.
  2. You can tail or grep your command history for use in logging.
  3. You can use /usr/bin/script (usually found in the bsdutils package) to create a typescript of your session.
  4. You can run ps in a loop, using subshells or the watch utility, to see what processes are currently running.
  5. You can use pidof or pgrep to find processes more easily.
  6. You can modify your .bashrc or other shell startup file to set up your environment or start your logging tools.

As a starting point, you might begin with something trivial like this:

$ export PROMPT_COMMAND='history | tail -n1'
 56 export PROMPT_COMMAND='history | tail -n1'
$ ls /etc/passwd
/etc/passwd
 57 ls /etc/passwd

and build in any additional logging data or process information that you think necessary. Hope that gets you pointed in the right direction!

Upvotes: 0
