
shlog.c

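/*
 * shlog.c (c) Mixter
 * FIXED Version (thanks to scagneti@chisel.toolcity.net)
 * Well, this does not too much.. it will determine the
 * origin (remote IP address) from which a shell is launched (user
 * id/remote host), and write a syslog entry, everytime a login shell
 * is invoked. This can help against login trojans, or just for providing
 * better audit trails.
 * Put a call to shlog into /etc/profile and/or /etc/bashrc
 *
 * NOTE(review): limits of this tool as an audit source:
 *  - The peer address is taken from getpeername() on stdin, so it is only
 *    available when stdin is the network socket itself. A session whose
 *    stdin is a pty or a pipe is logged as "local host or program".
 *  - $SHELL comes from the caller's environment and is not trustworthy;
 *    it is logged for context only and is sanitised before logging.
 *  - The entry is written only when the profile script that calls shlog
 *    is actually executed, so a missing entry does not prove that no
 *    shell was started.
 */
#include <syslog.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define IO_STDIN        0

/*
 * Copy src into dst (at most dstlen - 1 bytes plus the terminator),
 * replacing every byte outside printable ASCII with '?'. A NULL src is
 * rendered as "(unset)". Keeps control characters from an untrusted
 * environment variable out of the auth log.
 */
static void
copy_printable (char *dst, size_t dstlen, const char *src)
{
  size_t i = 0;

  if (dstlen == 0)
    return;
  if (src == NULL)
    src = "(unset)";
  for (; src[i] != '\0' && i + 1 < dstlen; i++)
    {
      unsigned char c = (unsigned char) src[i];

      dst[i] = (c >= 0x20 && c < 0x7f) ? (char) c : '?';
    }
  dst[i] = '\0';
}

/*
 * Write one LOG_AUTHPRIV/LOG_NOTICE syslog entry describing the shell
 * invocation: $SHELL, uid, euid, gid and, when stdin is a connected
 * IPv4 or IPv6 socket, the peer address. Always returns 0 so that a
 * profile script calling it is never aborted.
 */
int
main (int argc, char **argv)
{
  /* sockaddr_storage is large enough for any address family; the old
     sockaddr_in buffer truncated IPv6 peers and logged a bogus IPv4. */
  struct sockaddr_storage peer;
  socklen_t peer_len = sizeof peer;
  char host[INET6_ADDRSTRLEN];
  char shell[256];
  const char *remote = NULL;
  /* argv[0] may be absent when the caller passes an empty argv. */
  const char *ident = (argc > 0 && argv[0] != NULL) ? argv[0] : "shlog";

  if (getpeername (IO_STDIN, (struct sockaddr *) &peer, &peer_len) == 0)
    {
      /* Only format families we understand; anything else (for example
         a UNIX-domain socket) is reported through the local branch. */
      if (peer.ss_family == AF_INET
          && peer_len >= sizeof (struct sockaddr_in))
        remote = inet_ntop (AF_INET,
                            &((struct sockaddr_in *) &peer)->sin_addr,
                            host, sizeof host);
      else if (peer.ss_family == AF_INET6
               && peer_len >= sizeof (struct sockaddr_in6))
        remote = inet_ntop (AF_INET6,
                            &((struct sockaddr_in6 *) &peer)->sin6_addr,
                            host, sizeof host);
    }

  /* getenv() can return NULL, which must not be passed to %s. */
  copy_printable (shell, sizeof shell, getenv ("SHELL"));

  (void) openlog (ident, LOG_PID, LOG_AUTHPRIV);

  /* uid_t/gid_t are not guaranteed to be int; cast to match the format. */
  if (remote != NULL)
    syslog (LOG_NOTICE | LOG_AUTHPRIV,
            "shell '%s' (uid: %lu euid: %lu gid: %lu) invoked by remote connection from host %s",
            shell,
            (unsigned long) getuid (), (unsigned long) geteuid (),
            (unsigned long) getgid (),
            remote);
  else
    syslog (LOG_NOTICE | LOG_AUTHPRIV,
            "shell '%s' (uid: %lu euid: %lu gid: %lu) invoked from local host or program",
            shell,
            (unsigned long) getuid (), (unsigned long) geteuid (),
            (unsigned long) getgid ());

  (void) closelog ();
  return 0;
}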