From: Mag Gam
To: Philadelphia Linux User's Group Discussion List
Date: Sat, 1 Sep 2007 00:40:40 -0400
Subject: [PLUG] shell script help...
I am in the process of writing a shell script to take the history file (fc -l) and back it up, appending to it.

My strategy is, once the user exits his shell, I will dump the history into a file using a trap on EXIT. The file will be named by the username (i.e., username.history.date).

My question is, if a user changes his shell from bash to ksh to tcsh, I am not able to get the output because I have my trap + exit look at $SHELL. Is there any way to prevent a user from logging into a different shell?
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
From: Douglas Muth
Date: Sat, 1 Sep 2007 00:57:34 -0400
Subject: Re: [PLUG] shell script help...

On 9/1/07, Mag Gam wrote:
[snip]
> My question is, if a user changes his shell from bash to ksh to tcsh, I am
> not able to get the output because I have my trap + exit to look at $SHELL.
> Is there any way to disable a user to log into a different shell?

Yes. Check /etc/shells and the manpage for the "chsh" command.
:-)

-- Doug

From: Matthew Rosewarne
Subject: Re: [PLUG] shell script help...
Date: Sat, 1 Sep 2007 01:29:42 -0400

On Saturday 01 September 2007, Mag Gam wrote:
> I am in the process of writing a shell script to take history file (fc -l)
> and backup it up, while appending it.
>
> My strategy is, once the user exits out of his shell, i will dump the
> history into a file by using a trap() with EXIT. The file will be appended
> by the username... (ie, username.history.date

I would not attempt to rely on this for any measure of security, as it can be
easily circumvented by users. For example, one could:

A: Subshell, then remove the history file
$ bash
{nefarious commands...}
$ exit
$ rm ~/.bash_history
$ logout

B. Subshell, invoked with invalid or non-existent history file
$ HISTFILE="" bash
{nefarious commands...}
$ exit
$ logout

All of this could just as easily be hidden in a script, making it very
difficult to catch. It would be a better idea to use IDS/auditing software
than to rely on something controlled by the user.
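The backup-on-EXIT scheme Mag describes, written out with Matthew's two bypasses in mind, as an added example (my code, not anything posted in the thread). It keeps the username.history.date naming but, when the history file is unset, missing, unreadable or empty at exit, it writes a warning line into the backup instead of recording nothing, so the "rm ~/.bash_history" and HISTFILE="" cases leave a trace. The directory HISTBACKUP_DIR (default /var/log/histbackup) and the function names are my assumptions.

```shell
# Added example, not code posted in the thread: the backup-on-EXIT scheme Mag
# describes (one file per user and day, username.history.date), with one change
# prompted by Matthew's bypasses: when the history file is unset, missing,
# unreadable or empty at exit, the backup says so instead of recording nothing.
# Assumed (mine): HISTBACKUP_DIR, default /var/log/histbackup, is a root-owned
# directory with mode 1733 so each user can append to their own file but not
# read, list or remove anyone else's.

# Backup file name, following the thread's username.history.date convention.
histbackup_path() {
    printf '%s/%s.history.%s\n' "${HISTBACKUP_DIR:-/var/log/histbackup}" "$1" "$2"
}

# Append the history file ($1) to the backup ($2) under a header line; when
# there is nothing to save, append a warning line in its place.
histbackup_dump() {
    hist=$1 out=$2
    {
        printf '### session end %s pid=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$$"
        if [ -z "$hist" ]; then
            printf '### WARNING: HISTFILE unset or empty, nothing saved\n'
        elif [ ! -r "$hist" ]; then
            printf '### WARNING: history file %s missing or unreadable\n' "$hist"
        elif [ ! -s "$hist" ]; then
            printf '### WARNING: history file %s is empty\n' "$hist"
        else
            cat "$hist"
        fi
    } >> "$out"
}

# Arm the EXIT trap; call this from /etc/profile. bash runs the EXIT trap
# before it writes HISTFILE, so the trap flushes the in-memory list with
# "history -a" first (a harmless error in shells that lack the builtin).
histbackup_install() {
    trap 'history -a 2>/dev/null; histbackup_dump "$HISTFILE" "$(histbackup_path "$(id -un)" "$(date +%Y%m%d)")"' EXIT
}
```

Source the file from /etc/profile and call histbackup_install. This covers bash and ksh (ksh writes its history file as commands are entered); tcsh has no trap builtin at all, which is the $SHELL problem Mag ran into. It only makes the bypasses visible, it does not stop them: "trap - EXIT", "kill -9 $$", or a child shell whose commands never reach the parent's history leave a warning line or nothing, and anyone who reads /etc/profile can see exactly what is recorded. As Matthew says, the recording has to live somewhere the user does not control.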
From: Neill R
Date: Sat, 1 Sep 2007 01:45:20 -0400
Subject: Re: [PLUG] .bash_history
Anyone out there know how to do what Anthony suggested, "wrap bash with a 'script'"?

Thanks
Neill



On 8/28/07, Antony P Joseph <antony@panathara.org> wrote:
wrap bash with "script". You can get everything a user does
On Tue, 2007-08-28 at 11:48 -0400, Neill R wrote:
> Typically, when a user logs into a system, their keyboard activity is
> recorded in .bash_history (if using bash)
>
> Is there a way I can record activity from a users shell but have it
> log to /root/session.txt for example.   The motive is strictly for
> curiosity sake, but I can see a need for auditing user activity in the
> future.
>
> Thanks in advance

From: Matthew Rosewarne
To: neill@nsyd.com, Philadelphia Linux User's Group Discussion List
Date: Sat, 1 Sep 2007 02:07:27 -0400
Subject: Re: [PLUG] .bash_history
On Saturday 01 September 2007, Neill R wrote:
> Anyone out there know how to do what Anthony suggested, "wrap bash with a
> "script"

"script" is a command that makes an exact log of all input and output to a
terminal. He was suggesting you set the users' shells to be run using "script"
so as to produce a log of their actions. See the manual page for "script" for
more info on it.

Presumably, you would write a shell script that runs a shell using the "script"
command, and set it as the login shell for the users you want to monitor.
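A login-shell wrapper of the kind Matthew describes, as an added example (my code, not from the thread): it runs the user's real shell under util-linux script(1), so everything typed and printed is recorded at the terminal level, whatever shell or program the user execs inside. Assumed, not stated in the thread: the wrapper is installed as /usr/local/bin/logsh, listed in /etc/shells and set with chsh; /var/log/sessions is root-owned with mode 1733; REAL_SHELL, LOGDIR and the function names are mine.

```shell
#!/bin/sh
# logsh: login-shell wrapper that records the whole session with script(1).
# Added example; not code from the thread. Assumptions (mine, not the list's):
#  - util-linux script(1) with the -q -a -f -c options
#  - /var/log/sessions exists, owned by root, mode 1733: users can create
#    their own log but cannot list, read or remove anyone else's
#  - installed as /usr/local/bin/logsh, listed in /etc/shells, set via chsh

LOGDIR="${LOGDIR:-/var/log/sessions}"
REAL_SHELL="${REAL_SHELL:-/bin/bash}"

# Single-quote one argument so it survives being reparsed by "sh -c".
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The command string handed to script -c. No arguments: interactive login
# shell. Arguments (sshd running "logsh -c 'cmd'"): passed through quoted,
# so the command is recorded but not reinterpreted.
build_cmdline() {
    cmd="exec $(shquote "$REAL_SHELL")"
    if [ $# -eq 0 ]; then
        cmd="$cmd --login"
    else
        for a in "$@"; do cmd="$cmd $(shquote "$a")"; done
    fi
    printf '%s\n' "$cmd"
}

# One log per session; refuse user names that could escape LOGDIR.
session_log_name() {
    case "$1" in
        ''|*/*|*..*|.*) return 1 ;;
    esac
    printf '%s/%s.%s.%s.log\n' "$LOGDIR" "$1" "$2" "$3"
}

run_logged_session() {
    user=$(id -un)
    log=$(session_log_name "$user" "$(date +%Y%m%d-%H%M%S)" "$$") ||
        { echo "logsh: refusing to log for user '$user'" >&2; exit 1; }
    [ -d "$LOGDIR" ] || { echo "logsh: $LOGDIR does not exist" >&2; exit 1; }
    if [ $# -gt 0 ] && ! [ -t 0 ]; then
        # scp, sftp, "ssh host cmd": no terminal, and pushing a binary protocol
        # through script's pty would corrupt it. Record the command line only.
        printf '### %s non-interactive: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$log"
        exec "$REAL_SHELL" "$@"
    fi
    # script(1) runs its -c string via $SHELL, which login/sshd set to this
    # wrapper; reset it or logsh would re-exec itself forever.
    SHELL=$REAL_SHELL; export SHELL
    # -q no banner, -a append, -f flush after every write, -c what to run.
    exec script -q -a -f "$log" -c "$(build_cmdline "$@")"
}

# Start a session only when invoked as the login shell, not when sourced.
case "${0##*/}" in
    logsh|-logsh) run_logged_session "$@" ;;
esac
```

Two things to know before relying on it. The log file is created under the user's own uid, so a user can truncate it from inside the session; tail the files off the host as root (or into syslog) if that matters. And a pty recording shows keystrokes and screen output, not what a program actually did, which is why the thread keeps pointing at proper auditing for anything beyond curiosity.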
From: JP Vossen
Date: Sat, 01 Sep 2007 02:31:26 -0400
Subject: Re: [PLUG] shell script help...
> Date: Sat, 1 Sep 2007 01:29:42 -0400
> From: Matthew Rosewarne
> Subject: Re: [PLUG] shell script help...
>
> On Saturday 01 September 2007, Mag Gam wrote:
> > I am in the process of writing a shell script to take history file
> > (fc -l) and backup it up, while appending it.
> >
> > My strategy is, once the user exits out of his shell, i will dump
> > the history into a file by using a trap() with EXIT. The file will
> > be appended by the username... (ie, username.history.date
>
> I would not attempt to rely on this for any measure of security, as it
> can be easily circumvented by users.

I strongly agree. To the best of my knowledge there is *no way* to do this
without using a modified kernel (or maybe kernel module) that captures
keystrokes. This is discussed in _Know Your Enemy_ on pages 38-40 and is
probably covered in various places at http://honeynet.org/.

Someone above noted that you can lock down shells by editing /etc/shells, but
that won't prevent someone from simply running a different shell. You could
attempt to remove all shells but bash from the system, then try to implement
some trap/history scheme as described, but I'd bet *something* on the system
will break if you do that.

Bash's history is pretty handy (try 'help fc' and 'help history') but it's not
intended for security or auditing.
Later,
JP
-- 
JP Vossen, CISSP            jp{at}jpsdomain{dot}org
My Account, My Opinions     http://www.jpsdomain.org/
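An audit check for the /etc/shells point Doug raised and JP qualified, as an added example (my code, not from the thread): chsh only accepts shells listed in /etc/shells, but a shell that is merely unlisted can still be executed by anyone if its binary is installed. One function lists accounts whose login shell is not in /etc/shells, the other lists shell binaries that are installed and executable but unlisted. Both take file paths so they can be run against copies or constructed samples; the candidate path list in audit_shells is my assumption.

```shell
# Added example, not from the thread: audit checks for the /etc/shells point
# Doug raised and JP qualified. chsh only accepts shells listed in /etc/shells,
# but a shell that is merely unlisted can still be executed if its binary is
# installed. Both functions take file paths so they can be run against copies
# or the constructed samples used for testing; use /etc/passwd and /etc/shells
# on a live system. The candidate path list in audit_shells is my assumption.

# Accounts whose login shell is not listed in the shells file.
# $1 = passwd file, $2 = shells file. Comment and blank lines in the shells
# file are ignored; nologin/false accounts are skipped as intended no-shells.
accounts_with_unlisted_shell() {
    awk -F: '
        NR == FNR { if ($0 !~ /^[[:space:]]*(#|$)/) ok[$0] = 1; next }
        $7 != "" && $7 !~ /(nologin|false)$/ && !($7 in ok) { print $1 ":" $7 }
    ' "$2" "$1"
}

# Shell binaries that exist and are executable but are not listed in the
# shells file ($1). Candidate paths are read from stdin, one per line.
installed_unlisted_shells() {
    shells=$1
    while IFS= read -r path; do
        [ -x "$path" ] || continue
        grep -qxF -- "$path" "$shells" || printf '%s\n' "$path"
    done
}

# Run both checks on the live system (candidate list is an assumption).
audit_shells() {
    echo "## accounts whose login shell is not in /etc/shells:"
    accounts_with_unlisted_shell /etc/passwd /etc/shells
    echo "## installed shells not in /etc/shells (still runnable by any user):"
    printf '%s\n' /bin/sh /bin/dash /bin/ksh /bin/csh /bin/tcsh /bin/zsh \
        /usr/bin/ksh /usr/bin/tcsh /usr/bin/zsh /usr/bin/fish |
        installed_unlisted_shells /etc/shells
}
```

Anything the second list prints is what JP means by "simply running a different shell": removing it from /etc/shells changes nothing until the package itself is removed, and even then /bin/sh, perl, python and any interpreter a user can upload remain.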
From: K.S. Bhaskar
Date: Sat, 1 Sep 2007 06:58:49 -0400
Subject: Re: [PLUG] shell script help...

Mag presents us with a solution and then asks about improving it. Without
knowing what the problem is, it's hard to opine on the solution.

FWIW, might rbash be a way to restrict the shells that a user can run? Also
http://seclists.org/pen-test/2005/Jul/0073.html gives a FOSS way to implement
keystroke logging, at least for shells.
Regards
-- Bhaskar

From: Eric
Date: Sat, 01 Sep 2007 09:29:27 -0400
Subject: Re: [PLUG] shell script help...
Mag Gam wrote:
> I am in the process of writing a shell script to take history file (fc
> -l) and backup it up, while appending it.
>
> My strategy is, once the user exits out of his shell, i will dump the
> history into a file by using a trap() with EXIT. The file will be
> appended by the username... (ie, username.history.date
>
> My question is, if a user changes his shell from bash to ksh to tcsh, I
> am not able to get the output because I have my trap + exit to look at
> $SHELL. Is there any way to disable a user to log into a different shell?

My understanding is that a shell script is not a sure thing for this kind of
task and the other comments seem to support this.

Another work-around would be for someone to invoke vi or emacs, place evil
and/or unauthorized commands in a shell script and then invoke that script. If
they named it "bc" (for example) and set their path (or alias the command)
accordingly then the history of their shell commands would not show you what
they were doing.

If you have the time and need 100% assurance then I'd edit the source of all
the available shells on the machine in question to add the functionality you
need.

Eric
-- 
# Eric Lucas
#
# "Oh, I have slipped the surly bond of earth
# And danced the skies on laughter-silvered wings...
# -- John Gillespie Magee Jr

From: Mag Gam
Date: Sat, 1 Sep 2007 09:51:09 -0400
Subject: Re: [PLUG] shell script help...

Wow.. didn't think about this.

B. Subshell, invoked with invalid or non-existent history file
$ HISTFILE="" bash
{nefarious commands...}
$ exit
$ logout

On 9/1/07, Matthew Rosewarne wrote:
> On Saturday 01 September 2007, Mag Gam wrote:
> > I am in the process of writing a shell script to take history file (fc -l)
> > and backup it up, while appending it.
> >
> > My strategy is, once the user exits out of his shell, i will dump the
> > history into a file by using a trap() with EXIT. The file will be appended
> > by the username... (ie, username.history.date
>
> I would not attempt to rely on this for any measure of security, as it can be
> easily circumvented by users. For example, one could:
>
> A: Subshell, then remove the history file
> $ bash
> {nefarious commands...}
> $ exit
> $ rm ~/.bash_history
> $ logout
>
> B. Subshell, invoked with invalid or non-existent history file
> $ HISTFILE="" bash
> {nefarious commands...}
> $ exit
> $ logout
>
> All of this could just as easily be hidden in a script, making it very
> difficult to catch. It would be a better idea to use IDS/auditing software
> than to rely on something controlled by the user.

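The "IDS/auditing software" Matthew recommends instead of shell history, as an added example that is not from the thread or any of its posters: Linux auditd records every execve() in the kernel under the login uid, so a subshell, HISTFILE="" or a switch to ksh/tcsh still leaves a record that the user cannot edit. The audit rule in the docstring is an assumption and the audit.log records are constructed samples (made-up uids, pids and times).

```python
"""Reconstruct per-user command lines from Linux auditd execve records.

Added example, not code from the PLUG thread.  Assumed auditd rule (uids
from 1000 are ordinary users; 4294967295 is an unset login uid):

    -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed records in audit.log layout, abridged (made-up pids, uids, times):
# 201 user switches to tcsh; 202 HISTFILE="" bash (the environment is not in
# argv, but the exec itself is recorded); 203 bash -c "ls -la /home/mag" (a2
# is hex-encoded because it contains a space); 204 rm ~/.bash_history;
# 205 a command after sudo: uid=0, but auid (login uid) is still 1000.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1188654669.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d8 a2=55e0 a3=0 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="tcsh" exe="/bin/tcsh" key="user_cmds"
type=EXECVE msg=audit(1188654669.101:201): argc=1 a0="tcsh"
type=CWD msg=audit(1188654669.101:201): cwd="/home/mag"
type=SYSCALL msg=audit(1188654669.202:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d8 a2=55e0 a3=0 ppid=2002 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="user_cmds"
type=EXECVE msg=audit(1188654669.202:202): argc=1 a0="bash"
type=SYSCALL msg=audit(1188654669.303:203): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d8 a2=55e0 a3=0 ppid=2003 pid=2004 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="user_cmds"
type=EXECVE msg=audit(1188654669.303:203): argc=3 a0="bash" a1="-c" a2=6C73202D6C61202F686F6D652F6D6167
type=SYSCALL msg=audit(1188654669.404:204): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d8 a2=55e0 a3=0 ppid=2003 pid=2005 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="user_cmds"
type=EXECVE msg=audit(1188654669.404:204): argc=2 a0="rm" a1="/home/mag/.bash_history"
type=SYSCALL msg=audit(1188654669.505:205): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d8 a2=55e0 a3=0 ppid=2006 pid=2007 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="user_cmds"
type=EXECVE msg=audit(1188654669.505:205): argc=1 a0="id"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


@dataclass
class Exec:
    serial: int
    auid: int   # login uid: who logged in, whatever they became afterwards
    uid: int    # uid at the moment of the exec
    tty: str
    exe: str
    argv: list


def parse_fields(body, hex_args=False):
    """Split 'k=v k="v" ...'; in EXECVE records a bare hex aN is an encoded argument."""
    fields = {}
    for key, raw in FIELD_RE.findall(body):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif hex_args and key[0] == "a" and key[1:].isdigit() and HEX_RE.match(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def parse_audit_log(text):
    """Group records by event serial; return the successful execs in serial order."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            events[int(serial)][rtype] = parse_fields(body, hex_args=(rtype == "EXECVE"))
    execs = []
    for serial in sorted(events):
        sc, ex = events[serial].get("SYSCALL"), events[serial].get("EXECVE")
        if not sc or not ex or sc.get("success") != "yes":
            continue  # failed execs are logged too; keep only what actually ran
        argv = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", "0")))]
        execs.append(Exec(serial, int(sc["auid"]), int(sc["uid"]),
                          sc.get("tty", "?"), sc["exe"], argv))
    return execs


HISTORY_FILES = (".bash_history", ".sh_history", ".history")   # bash, ksh, tcsh
SHELLS = {"bash", "sh", "ksh", "tcsh", "csh", "zsh"}
REMOVERS = {"rm", "shred", "truncate", "unlink"}


def findings(execs):
    """Tag execs a reviewer would want to look at: (auid, tag, command line)."""
    out = []
    for e in execs:
        cmd = " ".join(e.argv)
        base = e.exe.rsplit("/", 1)[-1]
        if base in SHELLS:          # any shell, any HISTFILE: the exec is recorded
            out.append((e.auid, "shell-started", cmd))
        if base in REMOVERS and any(a.endswith(HISTORY_FILES) for a in e.argv[1:]):
            out.append((e.auid, "history-removed", cmd))
        if e.uid != e.auid:         # su/sudo: auid still names the person
            out.append((e.auid, f"as-uid-{e.uid}", cmd))
    return out


def commands_by_login_uid(execs):
    """Every reconstructed command line, keyed by login uid (auid)."""
    by_auid = defaultdict(list)
    for e in execs:
        by_auid[e.auid].append(" ".join(e.argv))
    return dict(by_auid)


if __name__ == "__main__":
    for f in findings(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f)
```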
From plug-bounces@lists.phillylinux.org Sat Sep 01 13:52:51 2007
From: "Mag Gam"
To: "Philadelphia Linux User's Group Discussion List"
Date: Sat, 1 Sep 2007 09:52:32 -0400
Subject: Re: [PLUG] shell script help...
In-Reply-To: <1cbd6f830709010651s4e6dd9bdq8e8c2e65d7541d78@mail.gmail.com>

Would wrapping "script" do better user auditing? Or are there any downsides
to that?

On 9/1/07, Mag Gam <magawake@gmail.com> wrote:
> Wow..didn't think about this.
>
> B. Subshell, invoked with invalid or non-existent history file
>        $ HISTFILE="" bash
>                {nefarious commands...}
>        $ exit
>        $ logout



From plug-bounces@lists.phillylinux.org Sat Sep 01 14:29:12 2007
From: "K.S. Bhaskar"
To: "Philadelphia Linux User's Group Discussion List"
Date: Sat, 1 Sep 2007 10:28:59 -0400
Subject: Re: [PLUG] shell script help...
In-Reply-To: <1cbd6f830709010652x7be3580dr7a8e55e7237c9142@mail.gmail.com>

On 9/1/07, Mag Gam wrote:
> Would wrapping "script" do better user auditing? or are there any downsides
> for that?

[KSB] I still don't understand what you are trying to accomplish. An
approach based on script can be used to keep tabs on honest and / or
unsophisticated users. If you are protecting against or detecting
sophisticated users who may be trying to do something they don't want
you to know about, this approach is far short of what is needed.

What problem are you trying to solve?
Regards
-- Bhaskar

From plug-bounces@lists.phillylinux.org Sat Sep 01 15:08:08 2007
From: Antony P Joseph
To: neill@nsyd.com, Philadelphia Linux User's Group Discussion List
Date: Sat, 01 Sep 2007 11:06:25 -0400
Subject: Re: [PLUG] .bash_history
In-Reply-To: <5bc232280708312245q505161b2v33d78f3523f57161@mail.gmail.com>

Hi

There are many ways to implement the IPC mechanism to coordinate between
the auditor user and the monitored user, using TCP sockets, UNIX domain
sockets, named pipes, etc. Probably the easiest way is to use a named
pipe. You can create one named pipe per monitored user with appropriate
permission and ownership. The auditor user can read from the named pipe
and record it somewhere using "cat". The "script" can write into the
named pipe.

With regards
Antony

On Sat, 2007-09-01 at 01:45 -0400, Neill R wrote:
> Anyone out there know how to do what Anthony suggested, "wrap bash
> with a "script"
>
> Thanks
> Neill
>
> On 8/28/07, Antony P Joseph wrote:
> > wrap bash with "script". You can get everything a user does
> >
> > On Tue, 2007-08-28 at 11:48 -0400, Neill R wrote:
> > > Typically, when a user logs into a system, their keyboard activity is
> > > recorded in .bash_history (if using bash)
> > >
> > > Is there a way I can record activity from a user's shell but have it
> > > log to /root/session.txt for example. The motive is strictly for
> > > curiosity's sake, but I can see a need for auditing user activity in
> > > the future.
> > >
> > > Thanks in advance
From plug-bounces@lists.phillylinux.org Sat Sep 01 18:56:42 2007
From: JP Vossen
To: plug@lists.phillylinux.org
Date: Sat, 01 Sep 2007 14:56:10 -0400
Subject: Re: [PLUG] shell script help...
In-Reply-To: <20070901143019.0CFE07C8020@smtp.jpsdomain.org>

> Date: Sat, 1 Sep 2007 06:58:49 -0400
> From: "K.S. Bhaskar"
> Subject: Re: [PLUG] shell script help...
>
> Also http://seclists.org/pen-test/2005/Jul/0073.html gives a FOSS way
> to implement keystroke logging, at least for shells.

I'd not seen that, interesting. Parsing the output back into something
usable looks to be a bit ugly though.

That link also reminded me of 'screen' and its ability to log sessions.

The suggestions above wrt using 'script', or a shell script using 'script'
as a default shell, are interesting. 'screen' can do the same thing. I
covered both of these in a slightly different context in the _bash
Cookbook_ recipe 17.6 "Logging an entire Session or Batch Job." Note this
was intended for logging output, not as any kind of user auditing or
security mechanism.

The thing that bugged me about the 'script' command is that I was unable
to find a way to run a script inside 'script.' (The name also bugs me
since it's obviously a bit tricky to talk about.) Once you run 'script' to
generate a "typescript" you are sitting in a new shell and at a command
prompt. I had a need to log a long section of output within an even
longer session. So I had to turn on logging at some point, run stuff, then
turn it off. I couldn't find a way to do that with script. But I was able
to do it using 'screen'.

From outside screen to grab *everything*:
        screen -L /path/to/logfile

From inside screen (already running):
        # Set a log file and turn on logging
        screen -X logfile /path/to/logfile && screen -X log on
        # your commands here
        # Turn logging back off
        screen -X log off

As noted 'screen' has other advantages such as being able to reconnect to
it after a network glitch (recipe 17.4) or being able to share a session
for t-shooting or training (17.5). I love 'screen.'

I'd *guess* you could configure each user with a .screenrc file that they
can't edit, that configures things as you want them, including logging,
then set screen as their default shell. I'm not sure I think that's a
great idea, but...

The problem I see using either 'script' or 'screen' in this way is that
you get *everything*. You get input, output, control characters from
editing sessions, the works. So it gets big, and ugly. Fast. A denial of
service attack is trivial, and if I was up to something, I'd generate a
ton of noise and try to hide what I was doing in that. That's probably
even easier in 'screen' as you could start up 3 or 4 windows running 'ls'
commands and catting /dev/random, then sneak commands in. I'd guess all
the output would get all mangled in the log, though to be honest I haven't
looked into how 'screen' might handle that.

GNU screen References:
http://en.wikipedia.org/wiki/GNU_Screen
        Wikipedia on GNU screen
http://www.kuro5hin.org/story/2004/3/9/16838/14935
        GNU Screen: an introduction and beginner's tutorial
http://www4.informatik.uni-erlangen.de/~jnweiger/screen-faq.html
        (unofficial) GNU screen FAQ
http://www.delorie.com/gnu/docs/screen/screen_toc.html
        GNU screen docs
http://unix.derkeiler.com/Newsgroups/comp.unix.shell/2004-04/0294.html
        Using gnu screen as default login shell (as that helpful)

Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
Microsoft has single-handedly nullified Moore's Law.
Innate design flaws of Windows make a personal firewall, anti-virus and
anti-malware software mandatory. The resulting software arms race has
effectively flattened Moore's Law on hardware running Windows.
From plug-bounces@lists.phillylinux.org Sat Sep 01 19:30:53 2007
From: JP Vossen
To: plug@lists.phillylinux.org
Date: Sat, 01 Sep 2007 15:30:21 -0400
Subject: Re: [PLUG] shell script help...
In-Reply-To: <46D9073E.9000600@jpsdomain.org>

JP Vossen wrote:
> To the best of my knowledge there is *no way* to do
> this without using a modified kernel (or maybe kernel module) that
> captures keystrokes. This is discussed in _Know Your Enemy_ on pages
> 38-40 and is probably covered in various places at http://honeynet.org/.

I poked into this a bit more today. The first edition copy of the book I
have (copyright 2002) has a CD-ROM with a patch and a pre-compiled (old)
bash that looks like it logs keystrokes to a syslog server. The patch on
the CD says:

        To apply this to a _clean_ bash-2.03 tree you do
                cd /usr/src/redhat/BUILD/bash-2.03
                patch -p0 < filename
        by: Antonomasia

See these for various versions of the code:
http://web.archive.org/web/*/http://project.honeynet.org/papers/honeynet/bash.patch
http://www.google.com/search?q=%220+means+no+sending+history+to+syslog%22

This avoids the possible DoS of using 'script' or 'screen' since you only
get input. But then you still have the issue of using not-bash for
evasion. Even if you can remove other shells (which I doubt), you can't
get rid of Perl (or Python), so an attacker can fire up an editor and
write trivial P* code to evade logging.

Makes me think of the character in Stephenson's Cryptonomicon who needed
to read a file without it being intercepted via Van Eck phreaking (AKA
Tempest), so he programs his caps-lock key to blink the file to him in
Morse code. I suppose a sufficiently determined attacker might be able to
place code that would allow him to issue commands via Morse code using
Shift, ALT, CTRL or some other key. :-)

http://en.wikipedia.org/wiki/Van_Eck_phreaking
http://en.wikipedia.org/wiki/TEMPEST
http://en.wikipedia.org/wiki/Morse_code

Later,
JP
From plug-bounces@lists.phillylinux.org Sat Sep 01 21:25:38 2007
From: Jason
To: "Philadelphia Linux User's Group Discussion List"
Date: Sat, 1 Sep 2007 17:25:29 -0400
Subject: [PLUG] Free to good home: AirPort Extreme card (A1026)

This found its way into my possession today. It's an A1026, mini PCI card
from an iBook G4. Reportedly works in lots of different types of Macs as
well. It's not the newer 802.11n model, just the .11g mini-pci model.

It's at my house in Marlton. Come and take it, it's yours. Want me to mail
it to you? Paypal me a couple of bucks to cover the US Mail's take.. Email
me off-list for any further detail.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug

From: Mag Gam
Date: Sat, 1 Sep 2007 18:24:55 -0400
Subject: Re: [PLUG] shell script help...

Management want to see who does or tries to do anything malicious. They want to see users' shell activity.

On 9/1/07, K.S. Bhaskar wrote:
> On 9/1/07, Mag Gam wrote:
> > Would wrapping "script" do better user auditing? or are there any downsides
> > for that?
>
> [KSB] I still don't understand what you are trying to accomplish. An
> approach based on script can be used to keep tabs on honest and / or
> unsophisticated users. If you are protecting against or detecting
> sophisticated users who may be trying to do something they don't want
> you to know about, this approach is far short of what is needed.
>
> What problem are you trying to solve?
>
> Regards
> -- Bhaskar
From: K.S. Bhaskar
Date: Sat, 1 Sep 2007 19:26:02 -0400
Subject: Re: [PLUG] shell script help...

On 9/1/07, Mag Gam wrote:
> Management want to see who does or tries to do anything malicious. They want
> to see users' shell activity.

[KSB] OK, then you are not just trying to keep honest people honest or catch unintentional fat fingering. You are trying to protect against potential compromise of a security model by those who normally have access to the system. This is a harder proposition. You need to create a security model and then implement it.

Depending on what users do normally, components in your implementation could include:

- Restricted shells (e.g., rbash as the login shell). You could implement keystroke logging with rbash, as discussed earlier in this thread.

- Screen

- Mandatory access controls (e.g., SELinux, AppArmor)

- Chroot jails

- Limited functionality virtual machines (boot a vm when a user logs in)

And more...

Regards
-- Bhaskar

From: Stephen Gran
Date: Sun, 2 Sep 2007 00:41:57 +0100
Subject: Re: [PLUG] shell script help...

On Sat, Sep 01, 2007 at 06:24:55PM -0400, Mag Gam said:
> Management want to see who does or tries to do anything malicious.
> They want to see users' shell activity.

Given that management rarely know what they want or how they want to implement it, perhaps you want to think outside the task they've given you? Maybe the simplest would be to implement selinux, and restrict what users can actually do? selinux can be configured to log attempts to do restricted things. Maybe you just want to use acct to give management a warm fuzzy feeling that you know all the commands users have run, even though it isn't useful as a prevention measure?

The entire idea of logging sessions sounds like a way to point fingers after the fact, rather than a real security measure or even a deterrent. Given the many ways that there are for a determined person to try and bypass the usual naive methods of capturing user activity, it does at least occur to me that the only reliable way to do this is at a lower level than the shell, and you'll want to look into kernel level auditing (or better, prevention).

Good luck,
-- 
--------------------------------------------------------------------------
| Stephen Gran                  | Bathquake, n.: The violent quake that   |
| steve@lobefin.net             | rattles the entire house when the water |
| http://www.lobefin.net/~steve | faucet is turned on to a certain point. |
|                               |   -- Rich Hall, "Sniglets"              |
--------------------------------------------------------------------------

From: Mag Gam
Date: Sat, 1 Sep 2007 19:46:49 -0400
Subject: Re: [PLUG] shell script help...

> [KSB] OK, then you are not just trying to keep honest people honest or
> catch unintentional fat fingering. You are trying to protect against
> potential compromise of a security model by those who normally have
> access to the system. This is a harder proposition. You need to
> create a security model and then implement it.

Nice way of putting it.... they want to fire the person who does xxx the next time :-(
Simple as that.

Anyone have experience with auditd? Can that handle this type of task?
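The kernel-level auditing Stephen Gran points to, and the auditd question Mag Gam asks above, worked through as an added example (written for this page, not code from the thread): an auditd execve rule keyed on the login uid, plus a small parser that turns constructed audit.log records into one line per command. The rules.d path, the rule key `user_cmds` and the sample records are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread: kernel-level execve auditing
# with auditd. The kernel records every program a user runs no matter which
# shell they switch to, because the login uid (auid) is set by PAM at login
# and follows the session through su/sudo.

# Part 1: audit rules. Drop the output into a file under /etc/audit/rules.d/
# (path and key name "user_cmds" are assumptions; check your distribution).
# auid>=1000 skips system accounts; 4294967295 is the "unset" auid carried
# by daemons that never logged in. "ausearch -k user_cmds" is the stock query.
audit_execve_rules() {
    cat <<'EOF'
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k user_cmds
EOF
}

# Part 2: join the SYSCALL and EXECVE records of each audited event (they
# share the audit(timestamp:serial) id) into one line per command:
#   <serial> auid=<login uid> uid=<uid at exec> exe=<program> cmd=<argv>
# Arguments containing spaces or quotes are hex-encoded by the kernel
# (e.g. a2=6C73202D6C61), so those are decoded; quoted ones are used as-is.
summarize_execve() {
    awk '
    function hexval(s,   i, v) {
        v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
        return v
    }
    function unhex(h,   i, out) {
        out = ""
        for (i = 1; i < length(h); i += 2)
            out = out sprintf("%c", hexval(substr(h, i, 2)))
        return out
    }
    function event_id(   s) {        # "audit(1188685495.778:101):" -> "101"
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", s); sub(/\)$/, "", s)
        return s
    }
    $1 == "type=SYSCALL" && /key="user_cmds"/ {
        id = event_id()
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/)     auid[id] = substr($i, 6)
            else if ($i ~ /^uid=/) uid[id] = substr($i, 5)
            else if ($i ~ /^exe=/) { exe[id] = substr($i, 5); gsub(/"/, "", exe[id]) }
        }
    }
    $1 == "type=EXECVE" {
        id = event_id(); c = ""
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^a[0-9]+=/) continue
            v = $i; sub(/^a[0-9]+=/, "", v)
            if (v ~ /^"/) gsub(/"/, "", v); else v = unhex(v)
            c = (c == "") ? v : (c " " v)
        }
        cmd[id] = c
    }
    END {
        # only events whose SYSCALL record carried our key are reported
        for (k = 1; k <= n; k++) {
            id = order[k]
            if (id in cmd)
                printf "%s auid=%s uid=%s exe=%s cmd=%s\n", id, auid[id], uid[id], exe[id], cmd[id]
        }
    }'
}

# Constructed sample audit.log lines (not from a real system). alice (auid
# 1000) starts tcsh from her login shell, runs cat from tcsh, then runs a
# command through sudo (uid=0, auid still 1000). Event 104 is an unrelated
# cron open() without our key and must be ignored.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1188685495.778:101): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4300 pid=4301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="tcsh" exe="/bin/tcsh" key="user_cmds"
type=EXECVE msg=audit(1188685495.778:101): argc=1 a0="tcsh"
type=CWD msg=audit(1188685495.778:101): cwd="/home/alice"
type=SYSCALL msg=audit(1188685502.114:102): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4301 pid=4310 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="user_cmds"
type=EXECVE msg=audit(1188685502.114:102): argc=2 a0="cat" a1="/etc/hosts"
type=SYSCALL msg=audit(1188685530.421:103): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4320 pid=4321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sh" exe="/bin/sh" key="user_cmds"
type=EXECVE msg=audit(1188685530.421:103): argc=3 a0="sh" a1="-c" a2=6C73202D6C61
type=SYSCALL msg=audit(1188685531.001:104): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)'

echo "# rules to load:"
audit_execve_rules
echo "# one line per audited command:"
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_execve
```

Because the rule fires on the execve syscall, the switch from bash to tcsh shows up as a logged command itself (event 101), which is exactly what the history-file approach in the original question could not capture.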
From: Antony P Joseph
Date: Sat, 01 Sep 2007 21:02:06 -0400
Subject: [PLUG] honeypot

Hi

I have to set up a "Honeypot" for my company. Which is the best Linux distribution I can use? What are the FOSS tools available? Is there any commercial "Honeypot" available?

With regards
Antony

From: Eric
Date: Sat, 01 Sep 2007 21:16:07 -0400
Subject: Re: [PLUG] honeypot

Antony P Joseph wrote:
> Hi
>
> I have to set up a "Honeypot" for my company. Which is the best
> Linux distribution I can use? What are the FOSS tools available? Is
> there any commercial "Honeypot" available?
>
> With regards
> Antony

Did you start at: http://www.honeynet.org/ ??

Eric

From: Antony P Joseph
Date: Sat, 01 Sep 2007 22:24:36 -0400
Subject: Re: [PLUG] honeypot

Hi

I thought you were going to say "did you do google first?" Sorry I did not. My mistake.

With regards
Antony

On Sat, 2007-09-01 at 21:16 -0400, Eric wrote:
> Did you start at: http://www.honeynet.org/ ??
>
> Eric

From: Antony P Joseph
Date: Sun, 02 Sep 2007 14:40:36 -0400
Subject: Re: [PLUG] iptables masquerading, port blocking and port forwarding

Hi

> I want to run Jetty on port 80 instead of apache httpd but don't want
> it to run as root.

Doesn't Jetty support the "bind port 80; setuid(no-root-user); accept on port 80" sequence? If Jetty can not do this sequence, I do not think you should run Jetty; look for another webserver suited to you.

> $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT
> --to 192.168.1.2:7070

Is the IP address rewritten with your machine's IP address when DNAT is taking place? Isn't it possible for you to add an accept rule using the previous question, if the answer is true?

With regards
Antony

From: Mark Baker
Date: Tue, 4 Sep 2007 13:27:12 -0400
Subject: [PLUG] Network based RAM

Looks like windows vista may be moving towards network shared RAM:

http://arstechnica.com/journals/microsoft.ars/2006/5/25/4115

I would love to see something like this in Linux.

Mark
--2_0_45_37f888MHTML_=_01-- --===============0418191537== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug --===============0418191537==-- From plug-bounces@lists.phillylinux.org Tue Sep 04 17:37:15 2007 Return-Path: Delivered-To: historian@netisland.net Received: (qmail 15454 invoked from network); 4 Sep 2007 17:37:13 -0000 Received: from unknown (HELO ellesmere.netisland.net) (127.0.0.1) by localhost with SMTP; 4 Sep 2007 17:37:13 -0000 Return-Path: Delivered-To: alias-plug@lists.phillylinux.org Received: (qmail 15393 invoked by uid 107); 4 Sep 2007 17:37:10 -0000 Received: from nf-out-0910.google.com (HELO nf-out-0910.google.com) (64.233.182.187) by qpsmtpd.netisland.net (qpsmtpd/0.32) with ESMTP; Tue, 04 Sep 2007 13:37:10 -0400 Received: by nf-out-0910.google.com with SMTP id 4so1817423nfv for ; Tue, 04 Sep 2007 10:37:08 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=TCIPBBBM7fDXlW5yopVKHWWc4IenSHvCzSOY8ZyzDjJYXis6WM10njTg7nBhBQFZCSGChV1keXhVNZhnQHrNN4NkQwV/NDf7I2ZY1HDeky+Fbabg5lyrybyjw6nsBhhe3eRvjGwiEFnuEirzR11Xf6kc9BksSrkJryss3OZ7DAM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=dKSJrvkrCmmcjf19tHyOsDP8d9012yg4iw7SjgR9HRtTJ9cwkAVdbiQIFOSYmeaeJ9mui9qyQNjeaW5oXuULzwaRHh3tSTmnY5FLNkE/TRWpd6qm4JQcO95HEnSDohnTlsHSvdYAN2gqif9zwc6et7dRFL5KINKo6yrS72UqG2Y= Received: by 10.86.89.4 with SMTP id m4mr4461789fgb.1188927428558; Tue, 04 Sep 2007 10:37:08 
Date: Tue, 4 Sep 2007 13:37:08 -0400
From: "Brent Saner"
To: "Philadelphia Linux User's Group Discussion List"
Subject: Re: [PLUG] Network based RAM

Please read the comments; it's not as neat as it sounds. Generally, it seems that Vista is just seeing the flash as swap area (and this is something Linux has been able to do for a very long time ;) ).

On 9/4/07, Mark Baker wrote:
> Looks like Windows Vista may be moving towards network shared RAM:
>
> http://arstechnica.com/journals/microsoft.ars/2006/5/25/4115
>
> I would love to see something like this in Linux.
>
> Mark

--
Brent Saner
215.264.0112(cell)
215.362.7696(residence)
http://www.thenotebookarmy.org

From plug-bounces@lists.phillylinux.org Tue Sep 04 17:37:25 2007