Compile a Custom Bash to Audit Root Commands per User with ELK

1. Application Scenario

In small‑medium enterprises, different ops staff often log in as root without any account‑level audit, making it hard to trace problems.

2. Environment

Server: CentOS 6.5 with Development Tools, key‑based SSH, SELinux disabled. Clients: two machines with generated key pairs for login.

3. Build and Deploy

Download and compile Bash 4.1, modify source files to add syslog history.

Download Bash

wget http://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz
 tar xvf bash-4.1.tar.gz
 cd bash-4.1

Patch config-top.c

#define SSH_SOURCE_BASHRC
#define SYSLOG_HISTORY

Patch bashhist.c

... (code omitted) ...

Add syslog function

void bash_syslog_history(const char *line) {
    char trunc[SYSLOG_MAXLEN];
    const char *p = getenv("NAME_OF_KEY");
    if (strlen(line) < SYSLOG_MAXLEN)
        syslog(SYSLOG_FACILITY|SYSLOG_LEVEL,
               "HISTORY: PID=%d PPID=%d SID=%d User=%s USER=%s CMD=%s",
               getpid(), getppid(), getsid(getpid()), current_user.user_name, p, line);
    else {
        strncpy(trunc, line, SYSLOG_MAXLEN);
        trunc[SYSLOG_MAXLEN-1] = ' ';
        syslog(SYSLOG_FACILITY|SYSLOG_LEVEL,
               "HISTORY (TRUNCATED): PID=%d PPID=%d SID=%d User=%s USER=%s CMD=%s",
               getpid(), getppid(), getsid(getpid()), current_user.user_name, p, trunc);
    }
}

Compile and install

./configure --prefix=/usr/local/bash_new
make && make install

Append the new Bash path to /etc/shells and change root’s login shell to the new binary.

echo "/usr/local/bash_new/bin/bash" >> /etc/shells
vim /etc/passwd   # set /usr/local/bash_new/bin/bash for root

4. SSH Client Key Generation

Generate RSA key pairs on each client, add a comment for identification, and copy the public key to the server’s authorized_keys.

ssh-keygen -t rsa -C "root@zhangsan"
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

5. Server Configuration

Create /var/log/keys, deploy a CheckUser.sh script that records each key’s fingerprint and sets NAME_OF_KEY environment variable for the Bash syslog function.

#!/bin/bash
pid=$PPID
while read line; do
    grep "$line" /var/log/keys >/dev/null || echo "$line" >> /var/log/keys
done < $HOME/.ssh/authorized_keys
# obtain each key's fingerprint
cat /var/log/keys | while read LINE; do
    NAME=$(echo $LINE | awk '{print $3}')
    echo $LINE >/tmp/keys.log.$pid
    KEY=$(ssh-keygen -l -f /tmp/keys.log.$pid | awk '{print $2}')
    grep "$KEY $NAME" /var/log/ssh_key_fing >/dev/null || echo "$KEY $NAME" >> /var/log/ssh_key_fing
done
# determine PPID for root or non‑root
if [ $UID == 0 ]; then
    ppid=$PPID
else
    ppid=$(ps -ef | grep $PPID | grep 'sshd:' | awk '{print $3}')
fi
# get RSA key fingerprint from /var/log/secure
RSA_KEY=$(egrep 'Found matching RSA key' /var/log/secure | egrep "$ppid" | awk '{print $NF}' | tail -1)
if [ -n "$RSA_KEY" ]; then
    NAME_OF_KEY=$(egrep "$RSA_KEY" /var/log/ssh_key_fing | awk '{print $NF}')
fi
readonly NAME_OF_KEY
export NAME_OF_KEY
rm -f /tmp/keys.log.$pid

Add to /etc/profile and /etc/bashrc to source the script and log each command with syslog.

echo "test -f /etc/CheckUser.sh && . /etc/CheckUser.sh" >> /etc/profile
# in /etc/bashrc
test -z "$BASH_EXECUTION_STRING" || { test -f /etc/CheckUser.sh && . /etc/CheckUser.sh; logger -t -bash -s "HISTORY $SSH_CLIENT USER=$NAME_OF_KEY CMD=$BASH_EXECUTION_STRING "; }

Enable debug logging in sshd_config and restart sshd.

sed -i 's/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
service sshd restart

6. Verification

Log in from each client, perform actions, then check /var/log/messages. The logs show which user (identified by key comment) executed which command and when.

This method provides per‑user root command audit and can be combined with log forwarding for further analysis.