[SunHELP] Root Passwd
Lund, Dennis
sunhelp at sunhelp.org
Fri Jun 22 10:44:52 CDT 2001
This script works great when the user logs in remotely to the system. You may have problems with users logging in through CDE login GUI.
The script command does not write anything to the log until it is terminated. It then writes everything to the log file. The user has to "exit" twice to log off (once to stop the "script" command and the second to actually log off).
You may need to modify it some for your system.
Dennis L. Lund
-----Original Message-----
From: Lund, Dennis [mailto:Dennis.Lund at sciatl.com]
Sent: Friday, June 22, 2001 10:56 AM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd
One way to find out what the user is up to would be to write a script like this:
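#!/bin/ksh
#
# This script is intended to log user command line activities.
# It will start the "script" command when a user opens a command terminal
# or xterm and log all commands that are typed in that window.
#
# Timestamp for the log file name: month, day, year, hour, minute.
DATE=`date '+%m%d%y%H%M'`
# "who -m" prints only the entry for the terminal this shell runs on.
UACCNT=`who -m | awk '{print $1}'`
# Terminal name with the "/" dropped, e.g. pts/3 becomes pts3.
PORTNUM=`who -m | awk '{print $2}' | cut -c1,2,3,5,6`
print $PORTNUM
# Remote host, cut from fixed columns of the who output (adjust for your system).
# $UACCNT stands in for the account name being monitored.
FRHOST=`who -m | grep -v grep | grep "$UACCNT" | cut -c39-59 | sed 's/)//'`
LOG1=/var/adm/.script_log
LOGFILE="$LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE"
# Header: where the login came from.
print "Log in from:" > "$LOGFILE"
/usr/bin/who -m >> "$LOGFILE"
print "\n" >> "$LOGFILE"
# Record the rest of the session, appending to the same file.
/usr/bin/script -a "$LOGFILE"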
Add a line to the end of the user's .profile and the script will log everything the user does to the log file. Try to hide the log file to make it more difficult for the user to find it. You can even have it log to a remote machine.
You can modify this script to alert you as soon as the user logs in so you can tail the log file if you wish.
Dennis L. Lund
-----Original Message-----
From: Lund, Dennis [mailto:Dennis.Lund at sciatl.com]
Sent: Friday, June 22, 2001 8:58 AM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd
I would have to agree with this 100%. If the person is not
cooperating, take it to management. A breach of security like
this is totally unacceptable.
Dennis L. Lund
-----Original Message-----
From: Przyjazny, Martin [mailto:martin.przyjazny at eds.com]
Sent: 21 June 2001 14:11
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd
Or instead of perpetuating the non-cooperative spirit,
talk to him frankly, and involve management.
The sysadmin IS management.
From a sysadmin point of view there are limits to what a user is and isn't allowed to do.
DIY privilege elevation is strictly on the "DO NOT" list. The user has already proved to be uncooperative by not handing over the script/binary.
In most organisations such behaviour warrants disciplinary action. If one of your users compromises a system that you run what would your reaction be? A polite, "please don't do that", isn't what's in the books. I think most admins would use, "You're fired!"
I may sound harsh but I don't think I'm being unreasonable.
MetaPack
The Lightwell
12/16 Laystall Street
Clerkenwell
London EC1R 4PF
Tel: +44 (0) 20 7843 6720
Fax: +44 (0) 20 7843 6721
_______________________________________________
SunHELP maillist - SunHELP at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/sunhelp
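The script in the 10:56 AM message takes the remote host from fixed columns of `who -m` (`cut -c39-59`) and puts it straight into a file name. As an added example (not part of the original messages), the POSIX shell function below parses the same line by field, falls back to `local` when there is no host field, and reduces each part to characters that are safe in a single path component; `session_log_name` and the sample `who -m` lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. session_log_name and the
# sample lines are constructed; the name layout user.tty.host.date is
# the one the posted script uses.

# usage: session_log_name "<one line of who -m output>" "<timestamp>"
session_log_name() {
    base=$(printf '%s\n' "$1" | awk '
    {
        user = $1
        tty  = $2
        gsub(/\//, "", tty)               # pts/3 -> pts3
        host = "local"                    # console or local login: no host field
        if ($NF ~ /^\(.*\)$/) {           # remote login: last field is "(host)"
            host = substr($NF, 2, length($NF) - 2)
        }
        # The host text comes from the login record, so treat it as
        # untrusted input: allow only characters safe in a file name.
        gsub(/[^A-Za-z0-9_.-]/, "_", host)
        sub(/^\.+/, "_", host)            # no leading dots
        if (host == "") host = "local"
        gsub(/[^A-Za-z0-9_.-]/, "_", user)
        gsub(/[^A-Za-z0-9_.-]/, "_", tty)
        printf "%s.%s.%s\n", user, tty, host
    }')
    printf '%s.%s\n' "$base" "$2"
}

# Constructed sample lines in the shape who -m prints.
REMOTE='dlund      pts/3        Jun 22 10:44    (ws12.example.com)'
LOCAL='dlund      console      Jun 22 08:58'
ODD='dlund      pts/7        Jun 22 10:50    (../../tmp/x)'

session_log_name "$REMOTE" 0622011044
session_log_name "$LOCAL"  0622010858
session_log_name "$ODD"    0622011050
```
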