Stephen Gran on 1 Sep 2007 23:42:05 -0000



Re: [PLUG] shell script help...


On Sat, Sep 01, 2007 at 06:24:55PM -0400, Mag Gam said:
> Management want to see who does or tries to do anything malicious.
> They want to see users' shell activity.

Given that management rarely know what they want or how they want to
implement it, perhaps you want to think outside the task they've given
you?  Maybe the simplest would be to implement selinux, and restrict
what users can actually do?  selinux can be configured to log attempts
to do restricted things.

Maybe you just want to use acct to give management a warm fuzzy feeling
that you know all the commands users have run, even though it isn't
useful as a prevention measure?  The entire idea of logging sessions
sounds like a way to point fingers after the fact, rather than a real
security measure or even a deterrent.

Given the many ways that there are for a determined person to try and
bypass the usual naive methods of capturing user activity, it does at
least occur to me that the only reliable way to do this is at a lower
level than the shell, and you'll want to look into kernel level auditing
(or better, prevention).

Good luck,
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | Bathquake, n.:  The violent quake that  |
|  steve@lobefin.net             | rattles the entire house when the water |
|  http://www.lobefin.net/~steve | faucet is turned on to a certain point. |
|                                | -- Rich Hall, "Sniglets"                |
 --------------------------------------------------------------------------

Attachment: signature.asc
Description: Digital signature
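
An added illustration of the kernel-level approach suggested in the message above, not part of the original post. It assumes the Linux audit subsystem (auditd) with an execve rule, which the message does not name, and rebuilds each command line from constructed sample records, attributing it to the login uid (auid) rather than the current uid. The function names, the rule key `user_exec` and the log lines are assumptions made for the example.

```shell
#!/bin/sh
# Assumed audit rule (auditctl syntax) producing the records parsed below:
#   -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k user_exec

# Constructed, shortened sample of audit.log records (not real data).
# Event 502 runs as uid 0 but keeps the login uid (auid) 1001.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1188690125.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1001 uid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="user_exec"
type=EXECVE msg=audit(1188690125.101:501): argc=2 a0="cat" a1="/etc/passwd"
type=SYSCALL msg=audit(1188690140.220:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2107 auid=1001 uid=0 euid=0 tty=pts0 ses=3 comm="grep" exe="/bin/grep" key="user_exec"
type=EXECVE msg=audit(1188690140.220:502): argc=3 a0="grep" a1=726F6F74206C6F67696E a2="/var/log/auth.log"
EOF
}

# One line per execve event: "<timestamp:serial> auid=<login uid> uid=<uid> [argv]..."
exec_report() {
awk '
function unhex(s,   i, out) {            # audit hex-encodes args with spaces etc.
    out = ""
    for (i = 1; i < length(s); i += 2)
        out = out sprintf("%c", (index(H, substr(s, i, 1)) - 1) * 16 + index(H, substr(s, i + 1, 1)) - 1)
    return out
}
function field(name,   i) {              # value of name=... on the current record
    for (i = 1; i <= NF; i++)
        if (index($i, name "=") == 1) return substr($i, length(name) + 2)
    return ""
}
BEGIN { H = "0123456789ABCDEF" }
{ id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id) }
$1 == "type=SYSCALL" { who[id] = "auid=" field("auid") " uid=" field("uid") }
$1 == "type=EXECVE" {
    n = field("argc") + 0; cmd = ""
    for (k = 0; k < n; k++) {
        v = field("a" k)
        if (v ~ /^".*"$/) v = substr(v, 2, length(v) - 2)   # quoted: literal text
        else v = unhex(toupper(v))                          # unquoted: hex
        cmd = cmd (k ? " " : "") "[" v "]"
    }
    print id, who[id], cmd
}'
}

sample_log | exec_report
```

Bracketing each argument keeps a decoded value such as `root login` visibly distinct from two separate arguments.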

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug