[844] in linux-security and linux-alert archive
Re: [linux-security] suspicious users
daemon@ATHENA.MIT.EDU (/* (c) 1996 dMv */)
Tue Jun 25 10:08:34 1996
Date: Sat, 22 Jun 1996 01:10:18 -0400 (EDT)
From: "/* (c) 1996 dMv */" <dmv@cybercom.net>
To: Suicide Object <wvdputte@reptile.rug.ac.be>
cc: Peter Orbaek <poe@theory.lcs.mit.edu>, linux-security@tarsier.cv.nrao.edu,
delznic@axess.net
In-Reply-To: <Pine.LNX.3.91.960617225459.16882B-100000@reptile.rug.ac.be>
On Mon, 17 Jun 1996, Suicide Object wrote:
> On Thu, 13 Jun 1996, Peter Orbaek wrote:
>
> > - Hack their shell to log certain users' commands via syslog() or
> > to a special hidden file. It's actually quite useful to have
> > such shells installed all the time and be able to turn on
> > snooping for certain users in some config file.
>
> good idea. But what if he execs new_shell_safe's ???
Point. On both fronts: it is good to have one (or a few) around, but it
is avoidable (and very possibly avoided if in fact the user is doing
things unauthorized).
> > - Use telnetsnoopd if they are coming in over telnet, this will allow
> > logging of their entire session. I've sometimes heard of problems
> > with telnetsnoopd: that it may sit around burning CPU time to no
> > good use, so be careful.
>
> well, telnet snooping is nice for irc sessions, but who has the time to
> sit around and look at what he is doing?
>
> better use a packet sniffer and log...
> some packet sniffers even allow you to get a realtime view of his screen
> major advantage of packetsniffing is that you can do it
> 1. centralised (one host for an entire segment)
> 2. unnoticed. no way a user can notice it (or know he *isn't*)
>
> disadvantages: only logs the medium you have access over (so no console
> logins, ppp connections if on another host)
> Secure shell is also a nice game-breaker :-) (well, that's why *I* use it)
There are those disadvantages.
But the same thing stands for telnetsnoop. If used unwisely, it can be
useless, and generate a lot of data. However, if you log the data to a
file and have it searched for certain things, based on what you want to
know, it has the advantage that not everyone has their privacy needlessly
violated.
> > With linux you could also hack the kernel to log output to certain
> > tty's somewhere, maybe this is already possible? Add a couple
> > of ioctl calls to the tty driver to set dumping conditions and
> > where to dump the stuff.
> >
> > Does Linux support process logging these days?
Hmmm. That's assuming you know the tty of the user, OR otherwise you have
to log all ttys (except ones you KNOW the user won't be using, like the
consoles).
> > Of course, all of this should be done only by people wearing white
> > hats! Your users will hate you if you do this without proper
> > cause.
Really think hard about this: what gives you the right to monitor the
user? If your answer is 'because I'm paid to' or 'because it is my
system', then feel free (post a warning like the one in the previous post
or something). But if the system is something general, like an ISP
machine, then you really must be justified in potentially tapping and
violating users' rights.
Basically, how would you feel in a similar situation, reversed?
dMv
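Added example, not part of the thread above: it combines the two points made in it, a logging shell that records commands only for users named in a config file (Peter's suggestion), and searching the recorded data for specific things instead of reading whole sessions (dMv's reply). The log format, user names, tty names and watch patterns are all constructed for the illustration; a real logging shell or telnetsnoopd would produce its own format.

```python
"""Watch-list filter over a constructed command log.

Snooping is "turned on" only for the users listed in WATCH_CONFIG, and of
their commands only those matching a configured pattern are reported, so
nobody else's session is ever read.  Everything below is constructed
sample data, not output of any real tool.
"""
import re
from dataclasses import dataclass

# Constructed sample: one record per command, as a syslog()-style logging
# shell might emit it:  "<timestamp> <user> <tty> <command line>".
SAMPLE_LOG = """\
1996-06-22T01:02:03 alice ttyp0 ls -l
1996-06-22T01:02:10 mallory ttyp1 cat /etc/passwd
1996-06-22T01:02:15 bob ttyp2 vi report.txt
1996-06-22T01:02:20 mallory ttyp1 cc -o prog prog.c
1996-06-22T01:02:31 mallory ttyp1 su -
1996-06-22T01:02:40 alice ttyp0 su -
"""

# Hypothetical config file contents: who is watched, and which command
# patterns an admin actually wants to know about (regular expressions).
WATCH_CONFIG = {
    "users": {"mallory"},
    "patterns": [r"^su\b", r"/etc/(passwd|shadow)"],
}


@dataclass(frozen=True)
class Record:
    ts: str
    user: str
    tty: str
    command: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # blank line or a record without a command
        ts, user, tty, command = parts
        records.append(Record(ts, user, tty, command))
    return records


def filter_records(records, config):
    """Return only watched users' commands that match a configured pattern."""
    compiled = [re.compile(p) for p in config["patterns"]]
    hits = []
    for rec in records:
        if rec.user not in config["users"]:
            continue  # snooping is off for everyone not in the config
        if any(p.search(rec.command) for p in compiled):
            hits.append(rec)
    return hits


def report(hits):
    """Render the hits as one line each, in the order they were logged."""
    return [f"{h.ts} {h.user}@{h.tty}: {h.command}" for h in hits]


if __name__ == "__main__":
    for line in report(filter_records(parse_log(SAMPLE_LOG), WATCH_CONFIG)):
        print(line)
```

In the sample, alice's `su -` is never examined because she is not on the watch list, and mallory's compile is dropped because it matches no pattern; only two lines reach the admin, which is the "search for certain things" trade-off the reply describes.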