[799] in linux-security and linux-alert archive
RE: [linux-security] suspicious users
daemon@ATHENA.MIT.EDU (Al Longyear)
Thu Jun 13 15:38:44 1996
From: Al Longyear <longyear@sii.com>
To: "Douglas F. Elznic" <delznic@axess.net>,
linux-security <linux-security@tarsier.cv.nrao.edu>
Date: Thu, 13 Jun 96 11:30:00 PDT
You can use the ttysnoop code to look at their output and watch the
keystrokes. Use either the ttysnoop or the corresponding telnet version.
Both programs are on sunsite.

You need to know which tty line they are using and when they are
connected.

However, if your system is properly secured then there is little that
they can do to mess it up. If they do, then you have problems with your
system and not really the user. You would need to re-examine the
permissions and the protections and the passwords which you use. It is
your responsibility to ensure the security of the system.

If you truly don't trust the users and have some basis for this distrust
then you have two real options:

1. Get rid of the users. Ask them to go someplace else. That's the
easiest part.

or,

2. If you can't do that, then you just need to live with the situation.
(The reason for this is usually that you are providing computing services
for your company.) Try to convince the users that it is in their best
interest to simply do their job and not attempt to mess things up.
Believe me, I know, sometimes it is hard to do. (Having 'firing'
authority for security break-ins helps a lot when you attempt to convince
the users!!)

However, above all, run the cops and tripwire code on your system. It
will tell you if they have messed with anything important. Both of these
are in the UNIX security archive ftp sites (not sunsite, nor tsx-11, but
the 'real' ones. :) )

p.s.: suspicion != proof
----------
From: Douglas F. Elznic[SMTP:delznic@axess.net]
Sent: Saturday, June 08, 1996 1:21 PM
To: linux-security
Subject: [linux-security] suspicious users
I am becoming suspicious of some users on my system. I am wondering what is
the best way to watch what they do or have done.
What have you (the members of list) done to "babysit" these users?