[815] in linux-security and linux-alert archive
Re: [linux-security] suspicious users
daemon@ATHENA.MIT.EDU (Peter Orbaek)
Mon Jun 17 09:59:32 1996
Date: Thu, 13 Jun 96 17:15:12 EDT
From: Peter Orbaek <poe@theory.lcs.mit.edu>
To: linux-security@tarsier.cv.nrao.edu
Cc: delznic@axess.net
In-Reply-To: <199606131617.MAA10181@tarsier.cv.nrao.edu> (owner-linux-security-digest@tarsier.cv.nrao.edu)
>I am becoming suspicious of some users on my system. I am wondering what is
>the best way to watch what they do or have done.
>What have you (the members of the list) done to "babysit" these users?
Things I, and others, have been doing on Suns and other platforms:
- Hack their shell to log certain users' commands via syslog() or
to a special hidden file. It's actually quite useful to have
such shells installed all the time and be able to turn on
snooping for certain users in some config file.
- Use telnetsnoopd if they are coming in over telnet; this will allow
logging of their entire session. I've sometimes heard of problems
with telnetsnoopd: that it may sit around burning CPU time to no
good use, so be careful.
- Hacking telnet to log everything for specific users; this is useful
if you're not running telnetsnoopd and you're suspecting that a
user is hacking other systems.
- Periodic 'rsh ps' dumps of the user's processes.
- Periodic remote screendumps using the sunos screendump facility.
- Use tcpdump or snoop (Solaris) to dump e.g. all telnet packets
going from/to a certain host. This can generate a LOT of data.
With Linux you could also hack the kernel to log output to certain
ttys somewhere; maybe this is already possible? Add a couple
of ioctl calls to the tty driver to set dumping conditions and
where to dump the stuff.
Does Linux support process logging these days?
Of course, all of this should be done only by people wearing white
hats! Your users will hate you if you do this without proper
cause.
If you're a commercial access provider, it would be advisable to tell your
users up front that you can and will eavesdrop on them if you suspect
foul play.
- Peter.
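The "hack the shell to log commands via syslog(), with snooping switched on per user in a config file" idea from the post, as an added illustrative example that is not Peter's code or any real patched shell: a small Python module that loads an assumed watch-list config, builds the one-line record a patched shell would hand to syslog(3), and parses such records back out of a constructed log into per-user command histories. The config format, the record format and the log lines are all assumptions made for the example.

```python
"""Command-audit helpers in the spirit of the post's "hack the shell" idea."""
import re
from collections import defaultdict

# Constructed watch-list config (assumed format): one username per line,
# '#' starts a comment. A patched shell would read this at startup.
WATCH_CONFIG = """
# users whose commands the shell should log
mallory
eve
"""

def load_watchlist(text):
    """Parse the config into the set of users whose commands get logged."""
    users = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            users.add(line)
    return users

def audit_record(user, tty, cmd, watchlist):
    """Return the message the shell would pass to syslog(3), or None when
    the user is not on the watch list (no record, no extra overhead)."""
    if user not in watchlist:
        return None
    # Collapse embedded newlines/whitespace so one command is one log line.
    cmd = " ".join(cmd.split())
    return f"cmdlog: user={user} tty={tty} cmd={cmd}"

# Constructed syslog lines as they might appear in /var/log/messages once
# the patched shell logs records of the format above (assumed sample data).
SAMPLE_LOG = """\
Jun 13 17:10:02 host sh[1201]: cmdlog: user=mallory tty=ttyp3 cmd=ls -la /etc
Jun 13 17:10:09 host sh[1201]: cmdlog: user=mallory tty=ttyp3 cmd=cat /etc/passwd
Jun 13 17:11:45 host sh[1340]: cmdlog: user=eve tty=ttyp5 cmd=who
Jun 13 17:12:01 host sshd[77]: unrelated line that must be ignored
"""

LINE_RE = re.compile(r"cmdlog: user=(\S+) tty=(\S+) cmd=(.*)$")

def commands_by_user(log_text):
    """Group the logged commands per user, preserving their order."""
    history = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            user, tty, cmd = m.groups()
            history[user].append((tty, cmd))
    return dict(history)
```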