> I want to know if there's a way of getting all the stuff that user does on
> the shell logged to a file which he/she can't access nor delete. something
> like .bash_history just inaccessible to a user.

By virtue of the fact that the shell is running under the identity of the
(1) You've modified the shell so that the user cannot turn off or redirect
the shell history file. Under unpatched bash, turning history off is as
simple as "unset HISTFILE".
(2) The file ~user/.bash_history (or whichever) is either a pipe (ick) or a
file sitting on ext2 marked as append-only with chattr +a. Only the
superuser can modify the ext2 special bits, and it's not permitted to
delete or overwrite an append-only file. However, this only works under
Linux and only if the /home partition is ext2.
(3) The user cannot change his/her shell to a different program.
(4) The user isn't smart enough to compile his/her own copy of bash (or any
other shell program), install it with prefix ~user, then alter his/her
~/.bash_login to do an "exec ~/bin/bash".
The only way to do this in a way that is guaranteed undefeatable by
non-root users is to perform some sort of kernel-level auditing on calls to
the sys_execve function.
--
Chronos Tachyon
Guardian of Eristic Paraphernalia
Gatekeeper of the Region of Thud
[Reply instructions: My real domain is "echo <address> | cut -d. -f6,7"]
> (2) The file ~user/.bash_history (or whichever) is either a pipe (ick) or a
> file sitting on ext2 marked as append-only with chattr +a. Only the
> superuser can modify the ext2 special bits, and it's not permitted to
> delete or overwrite an append-only file. However, this only works under
> Linux and only if the /home partition is ext2.

Actually, they cannot set the A attribute. Regular users can set/unset
some others, such as S.
> (3) The user cannot change his/her shell to a different program.

Which includes the inability to use the shell escape feature of any
It also precludes installing anything written in an interpreted
language. Otherwise, the user can run the interpreter as a "shell",
executing commands that way.
> (4) The user isn't smart enough to compile his/her own copy of bash (or any
> other shell program), install it with prefix ~user, then alter his/her
> ~/.bash_login to do an "exec ~/bin/bash".

Yes, which precludes installing a compiler in addition to an interpreter.
> The only way to do this in a way that is guaranteed undefeatable by
> non-root users is to perform some sort of kernel-level auditing on calls to
> the sys_execve function.

You actually need to do a bit more than that, but I'm sure there's a
Of course, one problem is you'd have to know what you're
accounting. If you let users build software in their home directory,
you'll never really know what they're running without looking. There's
nothing to keep a really determined user from calling his software
"gimp" or worse, putting his binary inside the gimp source tree
masquerading as a fresh-built gimp.
--
[Snip]
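The execve-level auditing the two replies above end on is what the Linux audit subsystem does today. The script below is an added example, not part of the thread: it rebuilds "who ran what" from raw audit records. With a rule such as `auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k usercmd` loaded (the uid boundary and key name are our assumptions), every exec produces a SYSCALL record carrying the login uid and an EXECVE record carrying argv, joined by the serial number inside `msg=audit(...)`; argv words that contain spaces, quotes or control characters are hex-encoded. The sample records are constructed, not captured, and the second and third of them are a `bash -c 'true /etc/shadow'` and the true(1) it then execs, which is exactly what a shell-history log never sees.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild "who ran what" from Linux audit
# records of execve().  Assumed rule (uid boundary and key are ours):
#   auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=unset -k usercmd
#   (repeat with -F arch=b32 for 32-bit binaries; old auditctl wants auid!=4294967295)
# Each exec yields a SYSCALL record (who: auid is the login uid, which su/sudo
# do not change) and an EXECVE record (what: argv), sharing a serial number.

# Constructed sample of audit.log lines, trimmed to the fields used here.
# pid 902 is "bash -c 'true /etc/shadow'", which then execs true in place.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1001 uid=1001 comm="vi" exe="/usr/bin/vi" key="usercmd"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="vi" a1="/etc/hosts"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=902 auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash" key="usercmd"
type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="bash" a1="-c" a2=74727565202F6574632F736861646F77
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=902 auid=1001 uid=1001 comm="true" exe="/usr/bin/true" key="usercmd"
type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="true" a1="/etc/shadow"'

# Decode one hex-encoded argv word, e.g. 2F657463 -> /etc
audit_hex2str() {
    hex=$1
    while [ -n "$hex" ]; do
        pair=$(printf '%.2s' "$hex")
        hex=${hex#??}
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# One line per exec: "auid=<login uid> <full command line>".  Runs in a
# subshell with globbing off so an argv word such as "*.txt" is not expanded.
# Caveat: very long words arrive chunked as a2[0]=, a2[1]=, ...; those chunks
# come out here as separate words.
execve_cmdlines() (
    set -f
    printf '%s\n' "$SAMPLE_AUDIT" | while IFS= read -r line; do
        case $line in type=EXECVE*) ;; *) continue ;; esac
        serial=$(printf '%s\n' "$line" | sed 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/')
        auid=$(printf '%s\n' "$SAMPLE_AUDIT" \
            | grep "^type=SYSCALL msg=audit([0-9.]*:$serial):" \
            | sed 's/.* auid=\([0-9]*\) .*/\1/')
        cmd=
        for tok in ${line#*argc=[0-9]* }; do      # a0=... a1=... a2=...
            case $tok in
                a[0-9]*=\"*\") word=${tok#*=\"}; word=${word%\"} ;;  # quoted word
                a[0-9]*=*)     word=$(audit_hex2str "${tok#*=}") ;;  # hex word
                *)             continue ;;
            esac
            cmd="$cmd${cmd:+ }$word"
        done
        printf 'auid=%s %s\n' "$auid" "$cmd"
    done
)

execve_cmdlines
```

Against a live system the same loop would read `ausearch -k usercmd --raw` instead of the constant; `ausearch -i` already does the join and hex decoding, but having the record layout in front of you is what lets you spot the argv words a one-line grep over the log would miss.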
>> (2) The file ~user/.bash_history (or whichever) is either a pipe (ick) or a
>> file sitting on ext2 marked as append-only with chattr +a. Only the
>> superuser can modify the ext2 special bits, and it's not permitted to
>> delete or overwrite an append-only file. However, this only works under
>> Linux and only if the /home partition is ext2.
> Actually, they cannot set the A attribute. Regular users can set/unset
> some others, such as S.

Oops, you're right, I checked chattr(1) and the only root-only attributes
--
Chronos Tachyon
Guardian of Eristic Paraphernalia
Gatekeeper of the Region of Thud
[Reply instructions: My real domain is "echo <address> | cut -d. -f6,7"]
logging user's activity via history feature...
hi all,
I am in the need of tracking all my users' activities.
I've implemented accounting (acct) but I found that the logs from
accounting are not enough: they just show what command was executed but
not together with its options.
For example, if I executed "vi /etc/hosts", lastcomm will just show "vi"
and we don't know what file was opened.
We have "sudo" in place and sudo's log is perfect, but the problem is,
sudo only logs commands we've listed in the sudo config files and
executed using sudo.
So, I am thinking of logging my users' commands using the shell history
feature to a directory that is unwritable by them.
But how do we do this?
Since I'm using BASH I went through the manual and found the "HISTFILE"
variable.
But how do we tell bash to change the history file to somewhere which is
only writable by the sysadmin?
And how do we do that for each user? (the default is using "~").
My /etc/profile is as below:
# cat /etc/profile
set HISTFILE /var/log/BASH/$ID
#
With the above, the system will still create the history file as
~/.bash_history.
Or is there another workaround to this? Or perhaps with another shell?
Any help is greatly appreciated.
thanks,
--fg
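A worked version of the above, added here and not part of the thread (neither fg's question nor the replies): it does what the /etc/profile fragment was meant to do, in a throwaway directory that stands in for the admin-owned /var/log/BASH so that it runs without root, and then checks the two points the replies make about the approach, the one-line `unset HISTFILE` and the commands a user runs through a script or program of their own. It needs bash, mktemp and id; the file names and the uid are invented. It also shows why the posted line never changed anything: in bash, `set HISTFILE /var/log/BASH/$ID` assigns the positional parameters $1 and $2 and does not create a variable (and `$ID` is not a variable bash sets).

```shell
#!/bin/sh
# Added example (not from the original thread).  Exercises the HISTFILE idea
# from the thread in a throwaway directory standing in for the admin-owned
# /var/log/BASH, so nothing here needs root.  Assumes bash, mktemp and id.

WORK=$(mktemp -d)
LOGDIR=$WORK/BASH            # real life: /var/log/BASH, root-owned, one pre-created
mkdir -p "$LOGDIR"           # file per user with chattr +a as the thread says
ME=$(id -un)

# 1. What the posted `set HISTFILE /var/log/BASH/$ID` line actually does:
#    `set` with plain words assigns the positional parameters $1, $2, ...
#    It never creates a variable, so bash keeps using ~/.bash_history.
posted_set_line() (
    unset HISTFILE 2>/dev/null
    set HISTFILE /var/log/BASH/1001
    printf '%s|%s\n' "$1" "${HISTFILE-unset}"      # -> HISTFILE|unset
)

# 2. The corrected fragment: an assignment, a per-user file in the admin's
#    directory, the variables made read-only so `unset HISTFILE` and
#    `HISTFILE=/dev/null` are refused, append rather than truncate, and
#    history switched on (the child shell below is not interactive).
write_profile() {
    cat >"$WORK/profile" <<EOF
HISTFILE=$LOGDIR/$ME        # in /etc/profile: HISTFILE=/var/log/BASH/\$(id -un)
HISTSIZE=10000
HISTFILESIZE=100000
HISTTIMEFORMAT='%F %T '     # also makes bash store an #epoch line per command
shopt -s histappend
set -o history
readonly HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT
export HISTFILE HISTSIZE HISTFILESIZE HISTTIMEFORMAT
EOF
}

# 3. A child bash acting as the user: the admin fragment first (as
#    /etc/profile would be at login), then the user's own lines, then
#    `history -a`, which an interactive shell does for itself at exit.
user_session() {
    {
        printf 'source %s\n' "$WORK/profile"
        printf '%s\n' "$1"
        printf 'history -a\n'
    } >"$WORK/session.sh"
    bash "$WORK/session.sh"
}

# 4. `unset HISTFILE`, the one-liner from the thread, is refused once the
#    variable is read-only, and the attempt itself lands in the log.
try_unset() {
    user_session 'unset HISTFILE; echo unset-status=$?'
}

# 5. The log now carries full command lines, which acct/lastcomm lack.
#    Lines starting with '#' are the timestamps HISTTIMEFORMAT adds.
logged_commands() {
    user_session 'true /etc/hosts'       # stands in for "vi /etc/hosts"
    grep -v '^#' "$LOGDIR/$ME"
}

# 6. Where it stops.  Only "bash run.sh" reaches the log; what run.sh ran
#    does not, nor would anything a compiled program, an interpreter or an
#    exec'd shell of the user's own starts.  That is the gap the thread
#    closes only with kernel-level auditing of execve().
script_gap() {
    printf 'true /etc/shadow\n' >"$WORK/run.sh"      # constructed user script
    user_session "bash '$WORK/run.sh'"
    grep -c 'true /etc/shadow' "$LOGDIR/$ME" || true # -> 0
}

write_profile
echo "posted set line gives: $(posted_set_line)"
echo "unset attempt:         $(try_unset)"
echo "logged commands:"; logged_commands | sed 's/^/  /'
echo "script body in log:    $(script_gap) line(s)"
```

The read-only variables bind only the shell that sourced the fragment; a fresh `bash --norc`, `env -i bash`, or any shell the user builds and execs starts without them, which is point (4) above, and without the `chattr +a` from point (2) the user can still truncate the file they are allowed to append to.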