This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex-
Leader Leader
Leader
‎2022-12-06 04:56 AM

Clishtory

The following script can be run on a Gaia system to provide a log of all Clish entries from all users.

You can also use the script repository in Smart Console.

Observations:

  • The Clish history file is written upon logout of the session, so if a command crashes the system it could not be logged, nor does it log commands being entered by an active user
  • There's no timestamps that I know of for individual commands
  • The script will cycle through UID and collect the Clish history from each one. Some Check Point services have UID above 102 but don't use clish, so they will still appear in the report
  • I'm including the base64 below to use in your favourite launcher
  • Only tried on R81.10

 

 

 

 

#!/bin/bash

echo "Clish history for $(hostname)"
printf "\n"

readarray -t user_index < <(cat /etc/passwd | awk -F: '{user_id=$3+0; if(user_id==0 || user_id > 102) {print $1}}' | grep -v root)
declare -p user_index >/dev/null

for i in ${user_index[@]}
do
if test -f /home/$i/.clish_history; then
echo "User $i, last modified on $(ls -l /home/$i/.clish_history | awk '{print $6, $7}')"
cat /home/$i/.clish_history
else
echo "No clish entries for user $i"
fi
printf "\n"
done

 

 

 

 

Base64

 

 

 

IyEvYmluL2Jhc2gKCmVjaG8gIkNsaXNoIGhpc3RvcnkgZm9yICQoaG9zdG5hbWUpIgpwcmludGYgIlxuIgoKcmVhZGFycmF5IC10IHVzZXJfaW5kZXggPCA8KGNhdCAvZXRjL3Bhc3N3ZCB8IGF3ayAtRjogJ3t1c2VyX2lkPSQzKzA7IGlmKHVzZXJfaWQ9PTAgfHwgdXNlcl9pZCA+IDEwMikge3ByaW50ICQxfX0nIHwgZ3JlcCAtdiByb290KQpkZWNsYXJlIC1wIHVzZXJfaW5kZXggJj4vZGV2L251bGwKCmZvciBpIGluICR7dXNlcl9pbmRleFtAXX0KZG8KaWYgdGVzdCAtZiAvaG9tZS8kaS8uY2xpc2hfaGlzdG9yeTsgdGhlbgplY2hvICJVc2VyICRpLCBsYXN0IG1vZGlmaWVkIG9uICQobHMgLWwgL2hvbWUvJGkvLmNsaXNoX2hpc3RvcnkgfCBhd2sgJ3twcmludCAkNiwgJDd9JykiCmNhdCAvaG9tZS8kaS8uY2xpc2hfaGlzdG9yeQplbHNlCmVjaG8gIk5vIGNsaXNoIGVudHJpZXMgZm9yIHVzZXIgJGkiCmZpCnByaW50ZiAiXG4iCmRvbmUK

 

 

 

 

The output will be something like this.

 

 

 

Clish history for <hostname>

User admin, last modified on Dec 6
installer check-for-updates
lock database override
installer check-for-updates
show installer status
exit

No clish entries for user postfix

User <user removed>, last modified on Dec 6
show dns
expert
show asset networ
show asset network
exit

User <user removed>, last modified on Dec 6
show config-lock
show ntp servers
exit

No clish entries for user cp_postgres

No clish entries for user cp_extensions

No clish entries for user cpep_user

 

 

 

 

Smart Console

clish.png

2 Replies
PhoneBoy
Admin
Admin
‎2022-12-06 07:39 AM

Huh, I didn’t even realize we tracked clish history.
If you’re looking at auditing what users do, using the AAA functionality might be better as the commands issued are sent by syslog. 

0 Kudos
Alex-
Leader Leader
Leader
‎2022-12-07 03:43 AM
In response to PhoneBoy

I believe that one of the strengths of Gaia/Titan is that everything is logged or can be set to do so.

AAA is indeed much better overall for this sort of things, this is just a simple tool for implementations that don't run it and would be interested in CLI user logs in one go.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events