Re: login session transcript

• Previous message: Kelly Martin: "SF new column announcement: Open Source Versus Closed Source Security"
• In reply to: Jonathan C. Detert: "login session transcript"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 30 Sep 2004 15:58:14 -0400 (EDT)
To: "Jonathan C. Detert" <detertj@msoe.edu>

I think you are pretty much screwed if you want to give someone root
access and effectively track the user without him knowing. If you use
sudo then you are letting him know you are tracking him; any unauthorized
action is usually log'd with sudo. If you are giving him root priviledge
you are letting him do *whatever* he wants to do. You may want to
consider having him login with root's priviledges into a chroot
environment. If you can have the log kept outside of the chroot
environment you may be able to mask the file from him (assuming he doesn't
detect the logging mechanism).

I think the previous reply involving sudo is your best bet. I would
personally want to know what all is going to be muck'd with and be sure
that the user is qualified to work on the system. Sure, you are losing
the element of surprise, but you are gaining confidence in other areas.
Not to mention the knowledge of big brother could be enough to fend off
any unscrupilous behavior. In case you have not used sudo before, be
sure not to give root priv. to programs like vi. I do not mean text
editors :). I mean programs that give shell access. You just type
":shell" in vi as root and you conjure up a new environment with which
you have god'esque powers.

Zach Shay

On Tue, 28 Sep 2004, Jonathan C. Detert wrote:

> Hello,
>
> I need to give a vendor shell access to a freeBSD system I run,
> and worse yet, I need to give them root access.
> I want to know everything the vendor does while logged in.
>
> I'm thinking of making the vendor's login shell be
>
> 'script -q -a <somefilename>'
>
> but :
>
> a) i don't want the vendor to be able to delete the logfile
>
> b) it would be nice if the vendor wouldn't know his activity was being
> logged
>
> Does anyone have a better suggestion for me than to use script?
> Does anyone have an idea how to address points a) and b) ?
>
> Thanks
> --
> Happy Landings,
>
> Jon Detert
> IT Systems Administrator, Milwaukee School of Engineering
> 1025 N. Broadway, Milwaukee, Wisconsin 53202
>

• Previous message: Kelly Martin: "SF new column announcement: Open Source Versus Closed Source Security"
• In reply to: Jonathan C. Detert: "login session transcript"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Card Reader ... Running your script ... instead of sudo is worthless because your script *can't do ... And of course it doesn't ask for a root password, ... >> That's just more bullshit Bryan, and you might as well leave ... (rec.photo.digital) Re: hi all.. ... And with sudo, I certainly wouldn't because they already have root. ... If you somehow had access to my account right now, ... install an effective key logger without root. ... (Fedora) Re: hi all.. ... compromise security to achieve it - such as very insecure sudo defaults ... that essentially make any admin group user password a root password. ... IE someone gets your user account password, they can do more than just ... (Fedora) Re: Choosing a distribution ... 'sudo bash' where I haven't had a proper root account to work with. ... cracked and hence give the intruder root access. ... (Ubuntu) Re: Easy way/script to add another user like me? ... have to do to give a user sudo privileges is to add them to the ... # Members of the admin group may gain root privileges ... of cracking the root password because they already know the ... (Ubuntu)