[Bug 491430] Review Request: sslogger - A keystroke logging utility for privileged user escalation

bugzilla at redhat.com bugzilla at redhat.com
Wed May 27 08:17:43 UTC 2009




https://bugzilla.redhat.com/show_bug.cgi?id=491430


Gratien D'haese <gratien.dhaese at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
               Flag|                            |needinfo?




--- Comment #20 from Gratien D'haese <gratien.dhaese at gmail.com>  2009-05-27 04:17:39 EDT ---
* fully agree with the comments in #17 - thanks for the in-depth analysis
Mamoru
  ==> the legal issue must be fixed

* man page sslogger contains an error:
FILES
       /etc/sloger.conf   << /etc/sslogger.conf
              Configuration file

* Concerning "replay" - I agree it would be better to rename it to e.g.
slreplay
$ replay /var/log/sl/2009/05/sl-fed-gdha-root-2009.05.27-09:24:31.log
Sending output to: /dev/pts/4
/var/log/sl/2009/05/sl-fed-gdha-root-2009.05.27-09:24:31.log: Permission denied
End replay
==> replay can only be used by people who are part of group sloggers. Why can a
plain user not replay his own logs?
==> replay man page missing
==> some useful functions are still missing in replay, such as find. I would
rather see "/" as the find symbol, rather than "f" (try to follow vi syntax)

* It is rather confusing to see sometimes slogger and then sslogger and then sl
e.g. in config.h:  #define SLOGGER sslogger

* The "-h" option is not respected:
$ sl -h
[sudo] password for gdha: 
$ sslogger -h
Sloggerd started, file is
/var/log/sl/2009/05/sl-fed-gdha-gdha-2009.05.27-10:04:37.log

Reason for invoking thus interactive shell for gdha:

* Found lots of spelling errors in source files and in the man page

* Why not combine the -u option into sslogger itself? Why use sl for that
purpose?

* The sl.log file does not contain enough information about where the log file
itself is stored:
# cat /var/log/sl/sl.log
2009-05-27 09:24:39 sslogger[30880]; user:gdha; as:root;
invoked_shell:"/bin/bash"; logfile:sl-fed-gdha-root-2009.05.27-09:24:31.log;
reason:test sslogger

Actual location is:
/var/log/sl/2009/05/sl-fed-gdha-root-2009.05.27-09:24:31.log
To use replay (or cat) it would be better to log the full path of the log file.

* Why do I read in the log file "Sloggerd started" - it should read "sslogger
started"
# ps ax|grep ssl
31720 pts/2    S+     0:00 sslogger
31721 pts/2    S+     0:00 sslogger
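
Added example, not part of the original comment and not sslogger code: a small parser for the sl.log index entry quoted above that rebuilds the full session-log path from the bare file name. It assumes the entry is a single line with "; " separators (the mail wrapped it) and that the YYYY/MM subdirectory matches the date in the file name, as in the one example shown; `parse_entry` and `session_path` are hypothetical names.

```python
import re
from pathlib import PurePosixPath

LOG_ROOT = PurePosixPath("/var/log/sl")  # directory seen in the comment's examples

# Field order copied from the sl.log entry quoted in the comment.
ENTRY_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sslogger\[(?P<pid>\d+)\]; '
    r'user:(?P<user>[^;]+); as:(?P<as_user>[^;]+); '
    r'invoked_shell:"(?P<shell>[^"]*)"; '
    r'logfile:(?P<logfile>[^;/]+); '
    r'reason:(?P<reason>.*)$'
)
# Date embedded in the session file name, e.g. ...-2009.05.27-09:24:31.log
NAME_DATE_RE = re.compile(r'-(\d{4})\.(\d{2})\.\d{2}-\d{2}:\d{2}:\d{2}\.log$')


def parse_entry(line):
    """Return the fields of one sl.log entry, or None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def session_path(entry):
    """Rebuild the full session-log path from the bare file name.

    Assumption: the YYYY/MM subdirectory equals the date in the file name,
    as in the single example in the comment.
    """
    m = NAME_DATE_RE.search(entry["logfile"])
    if m is None:
        raise ValueError("unexpected session file name: %r" % entry["logfile"])
    year, month = m.groups()
    return str(LOG_ROOT / year / month / entry["logfile"])


# The entry from the comment, rejoined onto one line.
SAMPLE = ('2009-05-27 09:24:39 sslogger[30880]; user:gdha; as:root; '
          'invoked_shell:"/bin/bash"; '
          'logfile:sl-fed-gdha-root-2009.05.27-09:24:31.log; reason:test sslogger')
# Constructed entry: the free-text reason tries to look like a second logfile field.
SPOOF = SAMPLE + '; logfile:../../../etc/passwd'

if __name__ == "__main__":
    for line in (SAMPLE, SPOOF):
        e = parse_entry(line)
        print(session_path(e), "| reason:", e["reason"])
```

Because the reason is free text typed by the user, the parser takes the first `logfile:` field only and rejects names containing `/`, so text in the reason cannot redirect an auditor to another file.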
