Acceptable Limits for Security Scanning.
We are having some dialog on Security Scanning that is proposed for our
Internet site, and it would be helpful to get opinions from other
Here is our situation...we are a school district that has given out about
1400 shell accounts to teachers and employees over the last three years on
our own Server at no cost to the users. Due to some very lame security
decisions in our early days, we have quite a number of hackers (Crackers)
who very easily moved into our system. I've caught 22 of them in the last
year, usually when they did something obvious and dumb when I happened to
be looking. (I have a "w" command set up to auto-run on my logons.)
For security reasons, we do NOT allow .rhosts files. Our admin agrees to
not allow these but won't shut down the rlogin processes. So, I set up a
crontab job to search for .rhosts files every night, to remove them if it
finds them, and to e-mail me the contents. (Finding "+ +" is how we found
a number of the hackers.)
Some of us would like to expand this nightly "Security Scan" to do a
"find" on files like "WaReZ", "[Cc]rack", "passwd", and other Cracker
file names. Some people even would like to search for "playmate*" and
such files since the Server is school district property.
The question then is "Is this acceptable Security Scanning or an invasion
of the users' privacy?". We exclude all of the e-mail files from the
scanning and we don't look inside any files. Of course, smarter people
will just change the names of their Cracker files, but we hope to catch
them before they catch on. If this Scanning is acceptable, how much
notification is necessary to the users?
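As an added example (not the poster's own cron job), here is a POSIX sh version of the nightly scan described above: it finds .rhosts files under a home-directory root, flags the wide-open "+ +" entry, removes them and prints a report that can be piped to mail, plus a report-only search for the filename patterns mentioned that skips mail directories. The home root HOME_ROOT and the crontab line are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes home directories
# live under $HOME_ROOT (constructed default: /home).
HOME_ROOT="${HOME_ROOT:-/home}"

# Return 0 if the given .rhosts file has a "+ +" (any host, any user) line,
# allowing arbitrary surrounding whitespace.
has_wildcard_rhosts() {
    grep -Eq '^[[:space:]]*\+[[:space:]]+\+[[:space:]]*$' "$1"
}

# List every regular file named .rhosts under a root, one path per line.
find_rhosts() {
    find "$1" -xdev -type f -name .rhosts 2>/dev/null
}

# Report one .rhosts file: path, owner, a warning for "+ +", then contents.
report_rhosts() {
    f="$1"
    owner=$(ls -ld "$f" | awk '{print $3}')
    printf '=== %s (owner %s)\n' "$f" "$owner"
    if has_wildcard_rhosts "$f"; then
        printf 'WARNING: wide-open "+ +" entry\n'
    fi
    cat "$f"
}

# Scan a root: report and then remove every .rhosts found.
scan_rhosts() {
    find_rhosts "$1" | while IFS= read -r f; do
        report_rhosts "$f"
        rm -f "$f"
    done
}

# Report-only search for the suspect filename patterns from the post
# (WaReZ, [Cc]rack, passwd); nothing under a Mail/mail directory is listed
# and no file is opened or removed.
find_suspect_names() {
    find "$1" -xdev -type f \
        \( -iname 'warez*' -o -name '*[Cc]rack*' -o -name 'passwd*' \) \
        ! -path '*/Mail/*' ! -path '*/mail/*' 2>/dev/null
}

# Constructed crontab entry: run at 02:00 and mail the report to the admin.
# 0 2 * * * HOME_ROOT=/home /usr/local/sbin/rhosts-scan.sh | mail -s "nightly .rhosts scan" admin
```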