Newbie question: Security and monitoring user activity

Post by LBC26 » Wed, 24 Apr 1996 04:00:00



Hi all,

I am new to system administration (I changed careers after 10 years on the
same job) and, therefore, don't know most of the UNIX guru tricks.  Here's
my problem: we recently hired a coop student to do a variety of tasks
including some programming assignments.  After just a few days on the job
I realized he was trying to modify files (passwd, aliases, etc.) he
shouldn't be trying to modify and he has been trying to gain root access.
I have been trying to monitor his activities by viewing his .sh_history
file, looking in log files, etc.  However, he knows I have been checking
up on him and he is good at covering up his tracks.  One thing I realized
he has been doing is switching from ksh, his initial shell, to csh.  This
makes it difficult to know what he has been doing.  Any suggestions for
keeping a better eye on this guy?  Thanks for any help.

Leo Crombach



Newbie question: Security and monitoring user activity

Post by Harry R Mas » Fri, 26 Apr 1996 04:00:00


: Hi all,

: I am new to system administration (I changed careers after 10 years on the
: same job) and, therefore, don't know most of the UNIX guru tricks.  Here's
: my problem: we recently hired a coop student to do a variety of tasks
: including some programming assignments.  After just a few days on the job
: I realized he was trying to modify files (passwd, aliases, etc.) he
: shouldn't be trying to modify and he has been trying to gain root access.
: I have been trying to monitor his activities by viewing his .sh_history
: file, looking in log files, etc.  However, he knows I have been checking
: up on him and he is good at covering up his tracks.  One thing I realized
: he has been doing is switching from ksh, his initial shell, to csh.  This
: makes it difficult to know what he has been doing.  Any suggestions for
: keeping a better eye on this guy?  Thanks for any help.

: Leo Crombach


Pardon me for asking, but why don't you put a * in the second field in
/etc/passwd file on the line with his name on it.  When he complains
that he can't login, you can give him a stiff warning.  I wouldn't
tolerate it.  After all, the integrity of the system is your responsibility.
Of course, I'm not even a sysadmin, so what do I know?  

Harry
--
/***************************************
   Harry Mason

   http://www.cs.usm.maine.edu/~mason
 ***************************************/


Newbie question: Security and monitoring user activity

Post by david » Mon, 29 Apr 1996 04:00:00




> : Hi all,

> : I am new to system administration (I changed careers after 10 years on the
> : same job) and, therefore, don't know most of the UNIX guru tricks.  Here's
> : my problem: we recently hired a coop student to do a variety of tasks
> : including some programming assignments.  After just a few days on the job
> : I realized he was trying to modify files (passwd, aliases, etc.) he
> : shouldn't be trying to modify and he has been trying to gain root access.
> : I have been trying to monitor his activities by viewing his .sh_history
> : file, looking in log files, etc.  However, he knows I have been checking
> : up on him and he is good at covering up his tracks.  One thing I realized
> : he has been doing is switching from ksh, his initial shell, to csh.  This
> : makes it difficult to know what he has been doing.  Any suggestions for
> : keeping a better eye on this guy?  Thanks for any help.

> : Leo Crombach



Leo,

Try the direct approach.  Many times just letting them know you're onto them, if
in fact there is a reason to be on to them, will resolve the problem.  I try
to give them the benefit of the doubt first, ask lots of questions and give the
impression that you want to help him do his work.

I would suggest a Mr. GoodGuy approach first to uncover what is going on.
Ask him what he is doing that requires root access.  Find out what accounts he
has created or modified in your /etc/passwd and /etc/aliases file, then ask him
why he did it.  This really gets them; ask him if you can help him set up whatever
it is he's trying to do.  If he's a hacker he'll think you're incompetent and
then begin to really hack things and give you the ammo to press charges.

Do you have a "Security Notice" that is displayed at login?  Something that
states authorized access only in your /etc/motd.

Could be you have an overly stupid student on your hands that just needs to
understand your role as sysadmin.  As sysadmin it's your * on the line if

I've found that they usually have a good reason for trying to fix it themselves.
If not, then remove him ASAP and have a talk with his boss.  If you're his boss,
a good slap on the hands and getting sent home without pay for a day will usually
bring a young mind back into reality.

Check out the security info at CERT; in particular, make sure there is only
one account in your /etc/passwd file with UID 0.  If this guy has hacked another
login account with UID 0 then it's time to be Mr. BadGuy and kick his * outa there.

--

Digital Publishing Inc.          Kirkland, Washington

(Web/Internet Site/Presents, 4-color Pre-Press, Animation/3D/VR)
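The two concrete checks in the replies above, Harry's "*" in the password field to lock an account and david's rule that only one /etc/passwd entry should have UID 0, as an added shell example that is not part of the thread. It audits a constructed sample passwd file (every account in it is made up) and takes the file path as an argument so the same functions can be pointed at a real /etc/passwd; the empty-password check is an extra, common audit item not mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd-format file for
# multiple UID 0 accounts, locked accounts ("*" in the password field)
# and accounts with an empty password field.

# Constructed sample passwd file (all entries made up). For a real audit,
# call the audit functions with /etc/passwd instead of this sample.
make_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
leo:x:1000:1000:Leo Crombach:/home/leo:/bin/ksh
coop:*:1001:1001:Coop student (locked):/home/coop:/bin/ksh
toor:x:0:0:extra superuser:/root:/bin/csh
guest::1002:1002:guest account:/home/guest:/bin/sh
EOF
}

# Login names of every account whose UID (field 3) is 0.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Number of UID 0 accounts; a healthy system has exactly one (root).
count_uid0() {
  uid0_accounts "$1" | wc -l | tr -d ' '
}

# Accounts whose password field (field 2) is "*", i.e. locked as Harry suggests.
locked_accounts() {
  awk -F: '$2 == "*" { print $1 }' "$1"
}

# Accounts with an empty password field: anyone can log in without a password.
empty_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Print a summary; exit status 0 when exactly one UID 0 account exists, 1 otherwise.
audit_passwd() {
  f="$1"
  n=$(count_uid0 "$f")
  echo "UID 0 accounts ($n): $(uid0_accounts "$f" | tr '\n' ' ')"
  echo "locked accounts: $(locked_accounts "$f" | tr '\n' ' ')"
  echo "empty-password accounts: $(empty_password_accounts "$f" | tr '\n' ' ')"
  [ "$n" -eq 1 ]
}

# Run against the constructed sample; the extra "toor" entry trips the warning.
SAMPLE="${TMPDIR:-/tmp}/passwd.sample.$$"
make_sample_passwd "$SAMPLE"
audit_passwd "$SAMPLE" || echo "WARNING: more than one UID 0 account in $SAMPLE"
rm -f "$SAMPLE"
```

On a real system the same awk filters run directly on /etc/passwd; on hosts with shadow passwords the second field is "x" for everyone, so the locked and empty-password checks must be run against /etc/shadow (as root) instead, where a leading "*" or "!" marks a locked account.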
