Re: How to log all commands?

From: Dragan Cvetkovic (me_at_privacy.net)
Date: 05/30/05


Date: Mon, 30 May 2005 15:48:55 -0400

Davide Bianchi <davideyeahsure@onlyforfun.net> writes:

> On 2005-05-30, Dragan Cvetkovic <me@privacy.net> wrote:
>> How would logging all commands help if a user writes a script and/or
>> programs to do what they are not allowed to do?
>
> If they are not allowed, then the program shouldn't be executable by
> them, so, unless they can escalate their privileges, the problem doesn't
> exist,

If they can execute nmap (OP's example), why should they not be able to run
other programs?

> for the rest, this is where process accounting comes into play: even
> if a program is started by a script, so not directly by typing the
> program name at the command line, the program is still run under the
> user's account.

True, but unless you perform some form of strace/truss/trace/..., what can
you prove about e.g. the following C program (fairly simplified):

#include <stdio.h>      /* remove() */
#include <dirent.h>     /* DIR, struct dirent, opendir(), readdir(), closedir() */

int main(void)
{
        DIR *dirp;
        struct dirent *dp;

        /* open the current directory; bail out if that fails */
        dirp = opendir(".");
        if (dirp == NULL)
                return 1;

        /* remove every entry we can; "." and ".." simply fail and are skipped */
        while ((dp = readdir(dirp)) != NULL)
                remove(dp->d_name);

        closedir(dirp);
        return 0;
}

Sure, you can suspect something if there is activity of calling vi,
compiling a program, running it and removing it, but you can't really prove
that.

On the other hand, if users don't have enough privileges to run arbitrary
programs and/or compile them, there is no point in logging their activity.

Dragan

-- 
Dragan Cvetkovic, 
To be or not to be is true. G. Boole      No it isn't.  L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!
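The edit, compile, run, remove pattern that the post above calls "suspicious but not provable" can at least be surfaced as a heuristic alert. What follows is an added example, not code from this thread or from any accounting tool: it assumes command records in a simplified, constructed (user, timestamp, command) form rather than real lastcomm output, an arbitrary ten-minute window, and small hand-picked sets of editor, compiler and delete command names.

```python
"""Heuristic detector for an edit -> compile -> run -> delete sequence per user.

Works over simplified accounting-style records. Constructed for illustration;
the record format, the command sets and the window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (user, timestamp, command name). Not real output
# of lastcomm or any other accounting tool.
SAMPLE_RECORDS = [
    ("dragan", "2005-05-30 15:40:01", "vi"),
    ("dragan", "2005-05-30 15:41:10", "cc"),
    ("dragan", "2005-05-30 15:41:12", "a.out"),
    ("dragan", "2005-05-30 15:41:20", "rm"),
    # davide edits, but the compile happens far outside the window
    ("davide", "2005-05-30 15:42:00", "vi"),
    ("davide", "2005-05-30 15:43:00", "ls"),
    ("davide", "2005-05-30 16:30:00", "cc"),
    ("davide", "2005-05-30 16:30:05", "a.out"),
    ("davide", "2005-05-30 16:30:10", "rm"),
    # alice brought the source from elsewhere: no editor step, so no alert
    ("alice", "2005-05-30 15:50:00", "cc"),
    ("alice", "2005-05-30 15:50:05", "a.out"),
    ("alice", "2005-05-30 15:50:10", "rm"),
]

# Assumed command-name sets; a real deployment would tune these.
EDITORS = {"vi", "vim", "emacs", "nano", "ed"}
COMPILERS = {"cc", "gcc", "c++", "g++", "make"}
DELETERS = {"rm", "unlink"}
STAGES = ("edit", "compile", "run", "delete")


def classify(cmd):
    """Map a command name to a stage; anything unknown counts as a 'run'."""
    if cmd in EDITORS:
        return "edit"
    if cmd in COMPILERS:
        return "compile"
    if cmd in DELETERS:
        return "delete"
    return "run"


def find_sequences(records, window=timedelta(minutes=10)):
    """Return one hit per user/editor-start whose four stages all fall inside the window."""
    by_user = defaultdict(list)
    for user, ts, cmd in records:
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cmd))

    hits = []
    for user, events in by_user.items():
        events.sort()  # accounting records may arrive out of order
        for i, (t0, c0) in enumerate(events):
            if classify(c0) != "edit":
                continue  # a sequence only starts at an editor invocation
            stage = 1
            chain = [(t0, c0)]
            for t, c in events[i + 1:]:
                if t - t0 > window:
                    break  # too slow to be the same burst of activity
                if classify(c) == STAGES[stage]:
                    chain.append((t, c))
                    stage += 1
                    if stage == len(STAGES):
                        hits.append({
                            "user": user,
                            "start": chain[0][0],
                            "end": chain[-1][0],
                            "commands": [cmd for _, cmd in chain],
                        })
                        break
    return hits


if __name__ == "__main__":
    for hit in find_sequences(SAMPLE_RECORDS):
        print(f"{hit['user']}: {' -> '.join(hit['commands'])} "
              f"({hit['start']:%H:%M:%S} to {hit['end']:%H:%M:%S})")
```

Only dragan's burst is reported; davide's compile is too far from the edit, and alice never ran an editor at all, which is exactly the weakness the post describes: an accounting record shows that a.out ran, never that it unlinked every file in the directory, so a source file copied in from elsewhere produces no alert, and even a hit is a hint to go look at syscall-level tracing or audit data, not proof.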

