Vim
ShellScript
Bash
Linux
セキュリティ

When I do bad things, I tried to construct an unfriendly world (Linux) to be reported immediately <Prequel>

This article is an automatic translation of the article[71ca7ee8adefbc1e3c29] below.
https://qiita.com/speaktech/items/71ca7ee8adefbc1e3c29

In the first part, when you do"bad things I think"with the vim editor, I will show you how to create an inexhaustible world to be reported.
(In this case, reporting = log output, but actions can be changed as appropriate.)

** 2018/09/29 Update:
In order to record logs only when editing is added, we made the following corrections.
· Save file hash value to environment variable when opening file with vim
· Report only when the hash value at file open is different from the hashed value after editing **

Material

  • vim Editor configuration file (/etc/vimrc)
  • Shell script

The bad things I think

  • Edit history file     - Edit the command history is"bury the mistake in the dark"bad thing
  • Edit the log file     - Editing the log file is"to falsify the facts"Bad

How to create a world that is not easy

1. Put a trap in the vim editor

Add the setting below to the end of the vim editor's configuration file (/etc/vimrc).
The shell script (watchvim.sh) will now be executed ** when editing the file **.
Pass the file name (<afile>) you are editing, the hash value of the file (\$PREHASH), and the user name (\$USER) as arguments.

/etc/vimrc
augroup watchvim
autocmd!
autocmd BufRead * silent :let $PREHASH = system('md5sum ' . expand('%:p') . ' | awk "{print \$1}"')
autocmd BufWritePost * silent !/etc/vimrc.d/watchvim.sh <afile> $PREHASH $USER
augroup END

Also, in preparation for users using the vi editor, register vim with syntax highlight turned off as vi's alias.
(** It is not only to notice that you are using the vim editor, but also to give consideration to users who do not want to use syntax highlighting **)

/etc/profile.d/force_vim.sh
# Force users to use vim instead of vi

alias vi="vim -c ':syntax off'"

2. Put a shell script to log output when a specific file is edited

First of all, I will create a placement place

mkdir /etc/vimrc.d 

Place the following shell script (watchvim.sh) and configuration file (watchvim.conf) in/etc/vimrc.d/.

/etc/vimrc.d/watchvim.sh
#!/bin/bash

PROGNAME=$(basename $0)
PROGDIR=$(dirname $0)
CONFPATH="$PROGDIR/${PROGNAME%.*}.conf"
VERSION="1.1"

usage() {
    echo "
Usage:
    $PROGNAME [FILE] [FILEHASH] [USER]

Description:
    $PROGNAMEは、vimで編集されたファイルの名前をログ出力するためのシェルスクリプトです。
    /etc/vimrcから呼び出されることを想定しています。
    同一ディレクトリに配置される${PROGNAME%.*}.confに記載されたファイル一覧を監視対象とします。

    /etc/vimrcにおける使用例: 
    autocmd BufRead * silent :let $PREHASH = system('md5sum ' . expand('%:p') . ' | awk \"{print \$1}\"')
    autocmd BufWritePost,FileWritePost * silent !/etc/vimrc.d/$PROGNAME <afile> \$PREHASH \$USER

Options:
    --help, -h      ヘルプを表示
    --version, -v   バージョン情報を表示"
    exit 1
}

for OPT in "$@"
do
    case "$OPT" in
        '-h'|'--help' )
            usage
            exit 1
            ;;
        '-v'|'--version' )
            echo $VERSION
            exit 1
            ;;
        -* )
            echo "$PROGNAME: illegal option -- '$(echo $1 | sed 's/^-*//')'" 1>&2
            exit 1
            ;;
        *)
            if [[ ! -z "$1" ]] && [[ ! "$1" =~ ^-+ ]]; then
                param+=( "$1" )
                shift 1
            fi
        ;;
    esac
done

if [ ${#param[@]} -ne 3 ]; then
    echo "$PROGNAME: 3 arguments is required." 1>&2
    echo "Try '$PROGNAME --help' for more information." 1>&2
    exit 1
fi

if [ ! -e $CONFPATH ]; then
    echo -e "# Created by $PROGNAME
# This is the $PROGNAME configuration file.
# $PROGNAME watches only the files you specify below and logger who edits them
# when they are edited with Vim." > $CONFPATH 2>&1
fi

set -f
for FILEPATH in `grep -v "^#" $CONFPATH`;
do
    EDITFILE=`readlink -f ${param[0]}`
    if [[ $EDITFILE == $FILEPATH ]]; then
        EXHASH=`md5sum $EDITFILE | awk '{ print $1 }'`
        if [ ${param[1]} != $EXHASH ]; then
            logger -p local0.warning -t "$PROGNAME" "$EDITFILE has been edited by ${param[2]}."
        fi
        break
    fi
done
set +f
/etc/vimrc.d/watchvim.conf
# Created by watchvim.sh
# This is the watchvim.sh configuration file.
# watchvim.sh watches only the files you specify with absolute path below and logger who edits them.
# when they are edited with Vim.
/var/log/*
*bash_history

Change the permission so that it can be run from any user.

chmod 755 /etc/vimrc.d/watchvim.sh

chmod 644 /etc/vimrc.d/watchvim.conf

This completes the preparation.

I tried a bad thing

  • I tried to edit the history file
[badman@notkind ~]$ vim /home/badman/.bash_history

(It erased the file accidentally, so delete the history of rm command ...)

/var/log/messages
Sep 25 14:51:45 notkind watchvim.sh: /home/badman/.bash_history has been edited by badman.

It will remain in the log perfectly.

  • I tried editing the log file
[badman@notkind ~]$ sudo vim /var/log/yum.log

(Since I added the package without permission with yum, I will tamper with the log ...)

/var/log/messages
Sep 25 14:54:33 notkind watchvim.sh: /var/log/yum.log has been edited by badman.

This will also remain in the log as perfectly.
The realization of the unfriendly world has come closer and closer.

A postcard

By writing the file name to the setting file (watchvim.conf), you can set the monitoring target freely. Wild cards can also be used.
If you are interested, please try using it.

~~ ※ Please note that when you execute": w"with the vim editor, it will judge that it was edited even if not editing anything in the specification · · ·. ~~
** * Fixed to be notified only when edit is added in 2018/09/29 update **

In the second part, we introduce the mechanism of change detection using shell script.
I think that polishing will take place in a world that is not easy because it is a mechanism that detects whether it is a vim editor or a sed command anyway after editing.

** Thank you very much for your continued reading until the end.
We are looking for ways to create a gentle world, so if you have recommendations on how to make it, please let me know! **