sslogger(8) User Manuals sslogger(8)

NAME
sslogger - execute a command or interactive shell, and record the output

SYNOPSIS
sslogger
sslogger [-h] [-c command]

DESCRIPTION
sslogger is a session keystroke logging utility that allows permitted
users to execute commands or open interactive shells. When used in
interactive session mode, sslogger records keystrokes in a special
file. A tty is required for interactive sessions.

Two modes of logging are available, local logging and remote logging.
Remote logging is performed through a secure TLS session. See the
sslogger.conf manpage for details. A remote slogd server must be
configured for remote logging.

The local default keystroke log files are written to
/var/log/slog/<hostname>-<user1>-<user2>.<date>.log. The sreplay
command is included to review session log files created via sslogger,
creating an audit trail of all actions performed by users. The
keep_local_logs config setting can be set to remove the local log after
successful transfer to the remote slogd server.

sslogger also provides the ability to run in command mode, in which a
single command is executed. This allows sslogger to be used
non-interactively within a script. When running in this mode, stdin is
closed.

When used in combination with slog and sudo, privileged user escalation
can be controlled and audited by creating standard sudo rules.

By default, sslogger will change to the user's home directory before
executing a shell or command. Use the -h flag to remain in the current
working directory.

All commands and interactive sessions write an entry to the local
syslog.

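The log file naming scheme above can be turned into a quick audit index of who obtained a shell or command as whom. The following Python is an added example, not part of sslogger; it assumes short hostnames without dots and user names without hyphens, and the directory listing is constructed.

```python
from collections import Counter

# Constructed sample listing of /var/log/slog. Names follow the
# <hostname>-<user1>-<user2>.<date>.log pattern from the man page; the date
# is treated as an opaque string since its exact format is not specified here.
SAMPLE_LISTING = [
    "db-01-alice-root.2009-02-10.log",
    "db-01-alice-root.2009-02-11.log",
    "web-02-bob-user2.2009-02-11.log",
    "web-02-bob-root.2009-02-12.log",
    "lost+found",
]


def parse_log_name(name):
    """Split a session log name into (hostname, user1, user2, date).

    Assumption: user names contain no '-', so the last two '-' separate
    user1 and user2 from a hostname that may itself contain '-' (db-01).
    Assumption: hostnames are short names without '.', so the first '.'
    starts the date. Returns None for names that do not fit the pattern.
    """
    if not name.endswith(".log"):
        return None
    stem, _, date = name[: -len(".log")].partition(".")
    if not date:
        return None
    parts = stem.rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        return None
    hostname, user1, user2 = parts
    return hostname, user1, user2, date


def escalation_summary(listing):
    """Count recorded sessions per (hostname, user1, user2) triple, i.e.
    how often user1 obtained a shell or command as user2 on that host."""
    counts = Counter()
    for name in listing:
        parsed = parse_log_name(name)
        if parsed is None:
            continue  # not a session log (e.g. lost+found)
        hostname, user1, user2, _date = parsed
        counts[(hostname, user1, user2)] += 1
    return counts


if __name__ == "__main__":
    for (host, src, dst), n in sorted(escalation_summary(SAMPLE_LISTING).items()):
        print(f"{host}: {src} -> {dst}: {n} session(s)")
```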

OPTIONS
sslogger accepts the following command line options:

-c command and args
Execute "command and args" instead of an interactive shell. Provides
the ability to run sslogger within a script (non-interactive mode).

-h Stay in the current working directory; do not cd to the user's home
directory.

-f Flush the output buffer on every newline.

-q Suppress printing of the sslogger start/finish information.

-l Log the output of all commands.

-d Debug.

The sreplay command can be used to replay recorded sessions:

sreplay <filename>
Replays the interactive session identified by filename.


EXIT STATUS
In interactive mode, sslogger always exits 0.

When run in non-interactive mode, slog returns the exit value of the
command being run.

FILES
/etc/sslogger.d/sslogger.conf
Configuration file, see sslogger.conf(5)
/etc/sudoers
Sudo configuration file, see sudoers(5) for details
/var/log/slog
Default directory in which sessions are logged

CONFIGURATION FILES
Sample sudoers entry to allow user user1 to run any command, or an
interactive shell, as users root or user2:
user1 ALL=(root,user2) NOPASSWD:/usr/bin/sslogger

/etc/sudoers entry to allow user1 to only run "ls" as user2:
user1 ALL=(user2) NOPASSWD:/usr/bin/sslogger -c ls, /usr/bin/sslogger -c ls *

Sample sudoers entry to allow users in unix group wheel to run any
sslogger command as root:
%wheel ALL=(root) NOPASSWD:/usr/bin/sslogger

Sample sudoers entry using sudoers aliases for user1 and user2:
# Group privileged access
User_Alias SSERS = user1,user2
Cmnd_Alias SL = /usr/bin/sslogger
SSERS ALL = (root,user3) NOPASSWD: SL
# user1 and user2 can now get an interactive shell as root and user3
# while logging all keystrokes

Configuration file /etc/sslogger.conf:
see sslogger.conf(5) for details

# Log output of all commands, even non-interactive (1 is true).
# Default 0
log_all_cmds=0

# Minimum comment length in chars
# An entry of 0 will skip asking for a reason for the shell
min_comment=10

# Maximum comment length in chars written to syslog
# Comment length in the session log file is currently unlimited
max_comment=60

# To allow normal users replay access to log files they create,
# set below to 1
allow_user_replay=1

# slogd server name or ip.
# If commented out or empty, remote log collection is disabled
slogd_server=

# slogd service port
slogd_server_port=5556

# slogd auth type. Must match the slogd server tls_authtype.
# Current options are "x509" or "anon".
# Setting to x509 requires x509 TLS certs to be generated and
# pushed to all clients. See the mkSlogCerts command.
slogd_authtype=anon

# When using a slogd server, and a sslogger session is over, and the
# logs are properly transferred to the slogd server, delete the local
# log file.
# Setting to 1 will enable keeping of all local log files.
keep_local_logs=0

# Policy for when a connection to a slogd server is unavailable or
# unexpectedly terminated.
# If set to 1, sslogger will terminate if the connection to the slogd
# server is broken, and will die if it cannot connect to the remote
# slogd server at startup.
# If set to 0, local logging will be used when we cannot contact the
# remote server, or when a network connection to the slogd server is
# broken.
require_remote_slogd=0


/etc/group:
# To allow user2 to replay all session files, add user2 to the
# sloggers group
sloggers:x:480:user2

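As an added example (not part of sslogger or its own configuration parser), the following Python reads an sslogger.conf in the key=value form shown above and flags the settings that reduce the value of the audit trail; the sample configuration and the server name are constructed.

```python
# Constructed sample sslogger.conf using the keys documented above; the
# server name is a placeholder, not a real host.
SAMPLE_CONF = """\
log_all_cmds=0
min_comment=10
max_comment=60
allow_user_replay=1
slogd_server=slogd.example.invalid
slogd_server_port=5556
slogd_authtype=anon
keep_local_logs=0
require_remote_slogd=0
"""


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_conf(settings):
    """Return (key, note) pairs for settings that weaken the audit trail.
    Defaults mirror the values shown in the sample configuration above."""
    findings = []
    if not settings.get("slogd_server"):
        findings.append(("slogd_server", "empty: remote collection disabled, logs stay on the host the user has a shell on"))
    else:
        if settings.get("slogd_authtype", "anon") == "anon":
            findings.append(("slogd_authtype", "anon: TLS session uses no x509 certs, so the slogd server is not authenticated"))
        if settings.get("require_remote_slogd", "0") == "0":
            findings.append(("require_remote_slogd", "0: sessions continue with local logging only if slogd is unreachable"))
        if settings.get("keep_local_logs", "0") == "0":
            findings.append(("keep_local_logs", "0: local copy deleted after transfer, slogd holds the only record"))
    if settings.get("min_comment", "10") == "0":
        findings.append(("min_comment", "0: no reason is recorded when a shell is requested"))
    if settings.get("allow_user_replay", "0") == "1":
        findings.append(("allow_user_replay", "1: users can replay logs of their own sessions"))
    if settings.get("log_all_cmds", "0") == "0":
        findings.append(("log_all_cmds", "0: output of 'sslogger -c' commands is not recorded"))
    return findings
```

Call audit_conf(parse_conf(open("/etc/sslogger.conf").read())) on a real host to list the findings; an empty list means every checked key is at its stricter value.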
EXAMPLES
Note: the following examples assume suitable sudoers(5) entries.

$ sslogger
- Obtains an interactive shell, and logs all keystrokes

$ sslogger -c ls -l /root
- Runs the command, logging its output if log_all_cmds=1 in sslogger.conf

$ slog -u user2
- Obtains an interactive shell as another user.

$ slog -u user2 -h
- Obtains an interactive shell as user2 whilst remaining in the
current working directory.

$ sreplay <filename>
- Replays an interactive session log (may require the user to be
added to the sloggers group, see CONFIGURATION FILES)

BUGS
If you feel you have found a bug in sslogger, please submit a bug
report at http://sslogger.sourceforge.net

Limited free support is available via the sslogger-users mailing list,
see http://sslogger.sourceforge.net to subscribe or search the
archives.

AUTHOR
Edward Brand <edbrand@brandint.com>

SEE ALSO
sslogger.conf(5) slog(8) sreplay(8) slogd(8) sudo(8), sudoers(5), su(2)


Linux February 2009 sslogger(8)