Re: How to log all commands?
From: Nekromancer (foo_at_bar.org)
Date: 05/31/05
- Previous message: Martin Vaeth: "Re: How to log all commands?"
- In reply to: Dragan Cvetkovic: "Re: How to log all commands?"
- Next in thread: faeychild: "Re: How to log all commands?"
Date: 30 May 2005 22:07:08 GMT
Dragan Cvetkovic <me@privacy.net> wrote in
news:lmekboebq0.fsf@privacy.net:
> If they can execute nmap (OP's example), why should they not be able
> to run other programs?
>
I'm really sorry I can't be more specific, because that would have helped
to avoid discussion.
The users will be able to run several potentially dangerous tools (like
nmap), but NOTHING ELSE. Not in that box, at least.
The output of the tools will be automatically transferred as innocuous .txt
files to the office environment for processing.
The main point is that in the "front" of dangerous machines restriction
will be heavy, and I want the logs of all commands.
It's highly unlikely (well, it'll be forbidden) that the users will be able
to use powerful editors like vi (that has built-in command execution), gcc,
etc. Everything under their directories will be 100% noexec. root will be
heavily restricted via LIDS.
I can avoid the use of other shells by having only bash, if required.
PROBABLY (still under discussion) I'll implement the commands using sudo,
to have logging on that side at least.
Cheers,
Mike
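
One way to review the sudo-side logging mentioned in the message above, as an added example that is not part of the original post: a small audit of sudo's syslog lines that reports denied attempts and any command outside an allowlist. The allowlist path, host name, user names and log lines are constructed for illustration.

```python
import re

# Assumption: the only binary granted through sudo (illustrative path).
ALLOWED = {"/usr/bin/nmap"}

# sudo syslog layout: "<invoker> : [status ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<invoker>\S+) : (?P<fields>.*)$")

def parse_sudo_line(line):
    """Return a dict for a sudo log line, or None for unrelated lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    # COMMAND= is always the last field and may itself contain " ; ",
    # so split it off before breaking up the remaining fields.
    head, sep, command = m.group("fields").partition("COMMAND=")
    if not sep:
        return None
    rec = {"invoker": m.group("invoker"), "command": command.strip()}
    for part in head.split(" ; "):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key.lower()] = value          # tty, pwd, user (the run-as user)
        elif part:
            rec["status"] = part              # e.g. "command not allowed"
    return rec

def audit(lines):
    """List (invoker, reason, command) for denied or off-allowlist commands."""
    findings = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        binary = rec["command"].split(" ", 1)[0]
        if "status" in rec:
            findings.append((rec["invoker"], "denied", rec["command"]))
        elif binary not in ALLOWED:
            findings.append((rec["invoker"], "off-allowlist", rec["command"]))
    return findings

# Constructed sample log lines (not taken from any real system).
SAMPLE = [
    "May 30 22:07:08 front1 sudo:     mike : TTY=pts/0 ; PWD=/home/mike ; USER=root ; COMMAND=/usr/bin/nmap -sT 192.0.2.10",
    "May 30 22:09:41 front1 sudo:     mike : command not allowed ; TTY=pts/0 ; PWD=/home/mike ; USER=root ; COMMAND=/bin/bash",
    "May 30 22:11:02 front1 sudo:     anna : TTY=pts/1 ; PWD=/home/anna ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts",
    "May 30 22:12:00 front1 sshd[812]: Accepted publickey for anna",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
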