Sunlight is an internal security tool aimed at providing transparency around what users are doing on a sensitive server. It tracks:
- Who is logging into a Unix system, with optional email notification
- What commands they perform (stored in a separate history file per session), with optional email notification upon logout
It can optionally inform users, via a login message, that they are being monitored. It is not bulletproof, as a knowledgeable Unix hacker could circumvent it, but it does provide more information on what is going on.
Sunlight is the best disinfectant
- Clone this repo. For extra security, put it in a location that is writeable only by root. Recommended:
- Add an entry to the master /etc/profile to source the login watcher file:
  . $install_dir/sunlight.bash
  Note: This is the preferred method, because it will track all logins. If you do not have root access and/or wish to only track specific users, then you can place the line above into
- Configure your installation by copying sunlight.conf and making the appropriate changes
- Watch/fork this repo on GitHub. :) More usage will encourage me to build more features.
Note: Only the bash shell is currently supported. Check /etc/passwd to make sure that all users that are able to log in have their shell set to bash (if you want to support other shells, please fork this repo and create sunlight.$yourshell)
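
The two checks described above (every login-capable account uses bash, and the profile actually sources sunlight.bash) can be scripted. This is an added example, not part of Sunlight; the function names and the list of "no login" shell basenames are assumptions.

```shell
# Added example (not part of Sunlight): check that logins are actually covered.

# Print "user:shell" for each account in a passwd-format file whose shell
# allows interactive login but is not bash; Sunlight will not track these.
non_bash_login_users() {
    awk -F: '
        /^#/ || NF < 7 { next }                # skip comments and malformed lines
        {
            shell = $7
            if (shell == "") shell = "/bin/sh" # empty field defaults to /bin/sh
            n = split(shell, parts, "/")
            base = parts[n]
            # Assumption: these basenames mean the account cannot get a shell.
            if (base == "nologin" || base == "false" || base == "sync" ||
                base == "shutdown" || base == "halt") next
            if (base != "bash") print $1 ":" shell
        }' "${1:-/etc/passwd}"
}

# Succeed if the profile file sources sunlight.bash on an uncommented line.
profile_sources_sunlight() {
    grep -Eq '^[[:space:]]*(\.|source)[[:space:]]+[^#]*sunlight\.bash' \
        "${1:-/etc/profile}"
}

# Report both checks; returns non-zero if any gap is found.
sunlight_coverage_report() {
    rc=0
    gaps=$(non_bash_login_users "${1:-/etc/passwd}")
    if [ -n "$gaps" ]; then
        echo "Untracked login shells:"; echo "$gaps"; rc=1
    fi
    if ! profile_sources_sunlight "${2:-/etc/profile}"; then
        echo "${2:-/etc/profile} does not source sunlight.bash"; rc=1
    fi
    return "$rc"
}
```

Source the file and run sunlight_coverage_report; with no arguments it reads /etc/passwd and /etc/profile.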
- Custom logging/notification methods, copy the history file somewhere else, inject into a message queue, etc.
- Support for other shells
- Automate the install/configuration
- Create yum/apt-get packages
- Do not rely on this as your only security measure. It is just a tool that provides more information. It can be circumvented in ways that I would rather not list here, and should not be completely relied upon.
- If the user does not properly exit the shell (i.e., a network interruption that kills the ssh session), ~/.bash_logout will not be executed and the logout notifier will not work. If this bothers you, setting up auditd and a daemon that regularly calls lastcomm might do the trick