[799] in linux-security and linux-alert archive


RE: [linux-security] suspicious users

daemon@ATHENA.MIT.EDU (Al Longyear)
Thu Jun 13 15:38:44 1996

From: Al Longyear <longyear@sii.com>
To: "Douglas F. Elznic" <delznic@axess.net>,
        linux-security <linux-security@tarsier.cv.nrao.edu>
Date: Thu, 13 Jun 96 11:30:00 PDT


You can use the ttysnoop code to look at their output and watch the   
keystrokes. Use either the ttysnoop or the corresponding telnet version.   
Both programs are on sunsite.

You need to know which tty line they are using and when they are   
connected.

However, if your system is properly secured then there is little that   
they can do to mess it up. If they do, then you have problems with your   
system and not really the user. You would need to re-examine the   
permissions and the protections and the passwords which you use. It is   
your responsibility to ensure the security of the system.

If you truly don't trust the users and have some basis for this distrust   
then you have two real options:

1. Get rid of the users. Ask them to go someplace else. That's the   
easiest part.

or,

2. If you can't do that, then you just need to live with the situation.   
(The reason for this is usually that you are providing computing services   
for your company.) Try to convince the users that it is in their best   
interest to simply do their job and not attempt to mess things up.   
Believe me, I know, sometimes it is hard to do. (Having 'firing'
authority for security break-ins helps a lot when you attempt to convince
the users!!)

However, above all, run the cops and tripwire code on your system. It   
will tell you if they have messed with anything important. Both of these   
are in the UNIX security archive ftp sites (not sunsite, nor tsx-11, but   
the 'real' ones. :) )

p.s.: suspicion != proof

 ----------
From:  Douglas F. Elznic[SMTP:delznic@axess.net]
Sent:  Saturday, June 08, 1996 1:21 PM
To:  linux-security
Subject:  [linux-security] suspicious users

I am becoming suspicious of some users on my system. I am wondering what
is the best way to watch what they do or have done.
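A worked illustration of the file-integrity check recommended above (the tripwire approach of recording a baseline and comparing against it later), added for this page and not code from the original post or from tripwire itself; the watched paths and file contents are constructed for the demo:

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Hash the content and record the metadata an intruder might alter."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def build_baseline(paths):
    """Fingerprint every watched path that exists; absent ones are omitted."""
    result = {}
    for p in paths:
        try:
            result[str(p)] = fingerprint(p)
        except FileNotFoundError:
            pass
    return result


def compare(baseline, current):
    """Classify each watched path as modified, missing, or newly added."""
    report = {"modified": [], "missing": [], "added": []}
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            report["missing"].append(p)
        elif new != old:
            report["modified"].append(p)
    report["added"] = sorted(p for p in current if p not in baseline)
    return report


def demo():
    """Constructed scenario: baseline a tree, replace one file, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (d / "login").write_bytes(b"\x7fELF original binary")
        watched = [d / "passwd", d / "login", d / "sshd"]
        # Round-trip through JSON, as a baseline saved to disk would be.
        baseline = json.loads(json.dumps(build_baseline(watched)))
        # Same length as before: a size-only check would miss this swap.
        (d / "login").write_bytes(b"\x7fELF replaced binary")
        (d / "sshd").write_text("program that was not there at baseline time")
        report = compare(baseline, build_baseline(watched))
    return {k: [Path(p).name for p in v] for k, v in report.items()}
```

Keep the saved baseline somewhere the monitored host cannot rewrite (read-only media or another machine), otherwise a compromised system can silently re-baseline itself.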
What have you (the members of list) done to "babysit" these users.
