log all bash-command line commands and upload them centrally
Stephen Soltesz [Tue, 28 Sep 2010 18:13:12 +0000 (18:13 +0000)]
histlog/add_conf_files.py [new file with mode: 0644]
histlog/collect_snoopylog_sh [new file with mode: 0644]
histlog/histlog_snoopy_sh [new file with mode: 0644]
histlog/upload.cron.php [new file with mode: 0644]

diff --git a/histlog/add_conf_files.py b/histlog/add_conf_files.py
new file mode 100644 (file)
index 0000000..2afcdd0
--- /dev/null
@@ -0,0 +1,47 @@
+#!/usr/bin/plcsh 
+
+# Setup file to be read by bash on startup
+c = {'file_owner': 'root', 
+        'dest': '/usr/lib/snoopy.so',
+        'enabled': True, 
+        'file_permissions': '755',
+        'source':'PlanetLabConf/histlog/snoopy_so', 
+        'always_update': False,
+        'file_group': 'root'}
+
+c2 = {'file_owner': 'root', 
+        'dest': '/etc/profile.d/histlog_snoopy.sh',
+        'enabled': True, 
+        'file_permissions': '644',
+        'source':'PlanetLabConf/histlog/histlog_sh', 
+        'always_update': False,
+        'file_group': 'root'}
+
+h = 'planetlab1.cs.stevens-tech.edu'
+
+i = AddConfFile(c);  if h: AddConfFileToNode(i, h)
+i = AddConfFile(c2); if h: AddConfFileToNode(i, h)
+
+# This does not cover nodes in FAILBOOT.  The above commands should also be
+# added to BootManager so that commands taken by admins are uploaded before
+# exec.
+
+c3 = {'file_owner': 'root', 
+        'dest': '/etc/cron.d/upload_snoopylog.cron', 
+        'enabled': True,
+        'file_permissions': '644', 
+        'source': 'PlanetLabConf/histlog/upload.cron.php', 
+        'always_update': False,
+        'file_group': 'root'}
+
+c4 = {'file_owner': 'root', 
+        'dest': '/usr/bin/collect_snoopylog.sh', 
+        'enabled': True,
+        'file_permissions': '750', 
+        'source': 'PlanetLabConf/histlog/collect_snoopylog_sh', 
+        'always_update': False,
+        'file_group': 'root'}
+
+i = AddConfFile(c3);  if h: AddConfFileToNode(i, h)
+i = AddConfFile(c4);  if h: AddConfFileToNode(i, h)
+
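Review bot: Lines `i = AddConfFile(c);  if h: AddConfFileToNode(i, h)` (and the three similar lines for c2, c3, c4) are not valid Python: a compound statement such as `if` cannot follow a simple statement after `;`, so plcsh will reject the file with a SyntaxError before any conf file is added. Put each conditional on its own line, e.g. `i = AddConfFile(c)` then `if h: AddConfFileToNode(i, h)`, or wrap the four pairs in a small loop over `(c, c2, c3, c4)`. A secondary, hedged point: the cron.d destination `/etc/cron.d/upload_snoopylog.cron` contains a dot, and cron implementations that enforce run-parts naming (Debian's, for instance) silently skip such files, so confirm the name against the target distribution's cron. Consider also documenting in the header comment that `h` is a single pilot node and what should replace it for a fleet-wide rollout.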
diff --git a/histlog/collect_snoopylog_sh b/histlog/collect_snoopylog_sh
new file mode 100644 (file)
index 0000000..58655e0
--- /dev/null
@@ -0,0 +1,8 @@
+#!/bin/bash
+grep snoopy /var/log/secure > /tmp/secure.new
+# report lines unique to secure.new 
+comm -1 -3 /tmp/secure.old /tmp/secure.new > /tmp/secure.log
+cp /tmp/secure.new /tmp/secure.old
+# upload log
+curl --insecure https://monitor.planet-lab.org/monitor/uploadlogs --form "dir=snoopy" --form "log=@/tmp/secure.log"
+
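Review bot: The upload on the `curl --insecure` line disables server certificate verification, so the audited command history (which can include anything typed on a root command line) is sent over a channel whose peer is not authenticated; drop `--insecure` and have the node trust the monitor's CA, or pin the certificate. The script also keeps its state in fixed names under world-writable `/tmp` while running as root from cron, so the state files should live in a root-owned directory created with restrictive permissions. Two correctness issues in the same lines: on the first run `/tmp/secure.old` does not exist, so `comm` fails and nothing is uploaded, and `comm` requires sorted input while `/var/log/secure` is chronological, so its output for unsorted files is unreliable. The state is also advanced before the upload succeeds, so a failed upload loses those lines permanently; the rewrite below moves the state only after a successful `curl --fail`.
```shell
#!/bin/bash
set -euo pipefail
state_dir=/var/lib/snoopylog   # placeholder path: a root-only directory, not /tmp
mkdir -p -m 0700 -- "$state_dir"
touch -- "$state_dir/secure.old"   # first run: nothing seen yet
grep snoopy /var/log/secure | sort > "$state_dir/secure.new"
# report lines unique to secure.new (comm needs sorted input)
comm -1 -3 "$state_dir/secure.old" "$state_dir/secure.new" > "$state_dir/secure.log"
# upload log; verify the server certificate, and only then advance the state
curl --fail --silent --show-error https://monitor.planet-lab.org/monitor/uploadlogs \
  --form "dir=snoopy" --form "log=@$state_dir/secure.log"
mv -- "$state_dir/secure.new" "$state_dir/secure.old"
```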
diff --git a/histlog/histlog_snoopy_sh b/histlog/histlog_snoopy_sh
new file mode 100644 (file)
index 0000000..d1ef897
--- /dev/null
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# NOTE: OMG - evidently 'read' can't be part of a pipeline if you want to export the variables
+function child_of_sshd ()
+{
+    unset pid2ppid
+    unset pid2cmd
+    while read xPID xPPID xO ; do 
+        
+        pid2ppid[$xPID]="$xPPID"
+        pid2cmd[$xPID]="$xO"
+        
+    done < <( ps ax -opid,ppid,cmd | grep -E "sshd|bash" )
+
+    pid=$$
+    while /bin/true ; do 
+        # is the working PID part of the pid2ppid mapping?
+        if echo ${!pid2ppid[@]} | grep -q $pid ; then
+            pid=${pid2ppid[$pid]}
+        else
+            break
+        fi
+        # is the working PID command sshd?
+        if echo "${pid2cmd[$pid]}" | grep -q 'sshd' ; then
+            # then success; we're a child or sshd
+            return 0
+        fi
+    done
+    
+    # we are not a child of sshd
+    return 1
+}
+
+if child_of_sshd ; then 
+    export LD_PRELOAD=/usr/lib/snoopy.so
+fi
+
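Review bot: The membership test `if echo ${!pid2ppid[@]} | grep -q $pid ; then` is an unanchored substring match on the space-joined key list, so a working PID of 12 "matches" when only 1234 is a key; `pid` is then assigned the empty value of a missing element and the ancestry walk breaks off with a wrong answer, which decides whether `LD_PRELOAD` is exported. Test array membership directly instead: `if [[ -n "${pid2ppid[$pid]+set}" ]]; then`, and likewise replace the second `echo | grep` with `if [[ "${pid2cmd[$pid]}" == *sshd* ]]; then`, which avoids two process spawns per iteration in a script that runs at every login. `pid2ppid` and `pid2cmd` should be declared with `declare -a` rather than relying on `unset`, and `read -r` should be used so backslashes in the `cmd` column are not interpreted. Worth stating in the header comment that this is best-effort audit coverage: the variable is set in the user's own shell environment, so it is a detective control rather than a tamper-resistant one. The function `child_of_sshd` starts and ends within this hunk.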
diff --git a/histlog/upload.cron.php b/histlog/upload.cron.php
new file mode 100644 (file)
index 0000000..989b795
--- /dev/null
@@ -0,0 +1,11 @@
+<?php
+if (isset($_REQUEST['node_id'])) {
+    # setup the same random times for each distinct node_id by seeding rand()
+    $node_id = intval($_REQUEST['node_id']);
+    srand($node_id);
+}
+$m = rand(0,59);
+$h = rand(0,23);
+echo "# random time on first day of week upload bash logs to monitor\n";
+echo "$m $h * * 0,3,5 root /usr/bin/collect_snoopylog.sh\n";
+?>
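Review bot: The emitted comment `# random time on first day of week upload bash logs to monitor` does not match the schedule on the next line, whose day field `0,3,5` runs the job on Sunday, Wednesday and Friday; suggest `# per-node pseudo-random minute/hour on Sun, Wed and Fri: upload bash logs to monitor`. It would also help to document above the `srand` block that when `node_id` is absent the generator is unseeded, so the cron times differ on every fetch of this file, and that seeding with the node id is what makes the schedule stable per node. The use of `intval` before `srand` is the right way to handle the request value; note in a comment that it is the only use of request input so later edits do not echo it into the cron line unescaped.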