[SunHELP] Root Passwd
Lund, Dennis
sunhelp at sunhelp.org
Fri Jun 22 15:38:06 CDT 2001
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.
------_=_NextPart_001_01C0FB5B.3DA8C400
Content-Type: text/plain;
charset="iso-8859-1"
You are correct. I have not yet found a way to redirect the
start/stop message from being displayed. If you can find a
way, the user wont know he is being logged, or where the log
is. Until you can redirect the display message you would have
to count on the user not being to observant, and hope he misses
the display message.
If you log to a remote machine and you might have a better
chance of catching him. Also modify the script to alert you
immediately when the user logs in.
Another option would to capture his .sh_history file. Write a
script that does a tail -f on the users .sh_history file when
he logs in and redirect that to another file that gets emailed
to you. That way you can see what commands he is typing as
well. Or just write a script that alerts you when he logs in
you can manually tail his .sh_history file.
Something like this will work and he will not know your watching
his .sh_history file unless he looks (ps -ef) and finds the
process.
#!/bin/ksh
#
MUSER=skippy
MUSER1=`who | grep skippy | grep -v grep | awk '{print $1}'`
PIDNUM=`ps -ef | grep $MUSER | grep tail | awk '{print $2}'`
if [[ $PIDNUM = "" ]]
then
if [[ $MUSER1 = $MUSER ]]
then
tail -f /export/home/$MUSER/.sh_history >> /var/adm/.logging/ztest
else
print "Skippy is not logged in."
PIDNUM=`ps -ef | grep $MUSER | grep tail | awk '{print $2}'`
if [[ $PIDNUM != "" ]]
then
kill $PIDNUM
else
print "PIDNUM is empty. No process to kill."
fi
fi
else
print "$MUSER is logged in and we are logging."
fi
With this you will at least be able to see what commands he
is running. This scripts should be run from cron every five
minutes or so.
Dennis L. Lund
-----Original Message-----
From: Kovalev, Ivan [mailto:IKovalev at ibes.com]
Sent: Friday, June 22, 2001 12:41 PM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd
Since script works in subshell, when user types "exit" it brings him/her to
regular (not logged ) shell. Also, start / stop of scripting notification
along with log file location go to user's screen. If you try to redirect
output somewhere else, user session will hung.
Ivan
-----Original Message-----
From: Lund, Dennis [mailto:Dennis.Lund at sciatl.com]
Sent: Friday, June 22, 2001 10:56 AM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd
One way to find out what the user is up to would be to write a script like
this:
#!/bin/ksh
#
# This script is intended to log user command line activities.
# It will start the "script" command when a user opens a command terminal
# or xterm and log all commands that are typed in that window.
#
DATE=`date '+%m%d%y%H%M%n'`
UACCNT=`who -m | awk '{print $1}'`
PORTNUM=`who -m | awk '{print $2}' | cut -c1,2,3,5,6`
print $PORTNUM
FRHOST=`who -m | grep -v grep | grep <username> | cut -c39-59 | sed s/\)//`
LOG1=/var/adm/.script_log
print "Log in from:" > $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE
/usr/bin/who -m >> $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE
print "\n" >> $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE
/usr/bin/script -a $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE
Add a line to the end of the users .profile and the script will log
everything the use does
to the log file. Try to hide the log file to make it more difficult for the
user to find it. You can
even have it log to a remote machine.
You can modify this script to alert you as soon as the user logs in so you
can
tail the log file if you wish.
Dennis L. Lund
-----Original Message-----
From: Lund, Dennis [mailto:Dennis.Lund at sciatl.com]
Sent: Friday, June 22, 2001 8:58 AM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd
I would have to agree with this 100%. If the person is not
cooperating, take it to management. A breach of security like
this is totally unacceptable.
Dennis L. Lund
-----Original Message-----
From: Przyjazny, Martin [ mailto:martin.przyjazny at eds.com
<mailto:martin.przyjazny at eds.com> ]
Sent: 21 June 2001 14:11
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd
Or instead of perpetuating the non-cooperative spirit,
talk to him frankly, and involve management.
The sysadmin IS management.
>From a sysadmin point of view there are limits to what a user is and isn't
allowed to do.
DIY privilege elevation is strictly on the "DO NOT" list. The user has
already proved to be
uncooperative by not handing over the script/binary.
In most organisations such behaviour warrants disciplinary action. If one of
your users compromises a system that you run what would your reaction be? A
polite, "please don't do that", isn't what's in the books. I think most
admins would use, "You're fired!"
I may sound harsh but I don't think I'm being unreasonable.
MetaPack
The Lightwell
12/16 Laystall Street
Clerkenwell
London EC1R 4PF
Tel: +44 (0) 20 7843 6720
Fax: +44 (0) 20 7843 6721
--------------------------------------------------------------------------
This email is confidential and proprietary;
all information contained in it must be used only by the addressee in
accordance with MetaPack's terms of business and non-disclosure agreement.
Disclosure, copying, and distribution to, or use by, anyone other than the
intended recipient is strictly prohibited and may be unlawful.
_______________________________________________
SunHELP maillist - SunHELP at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/sunhelp
<http://www.sunhelp.org/mailman/listinfo/sunhelp>
- - - - - - - Appended by Scientific-Atlanta, Inc. - - - - - - -
EN-US; mso-bidi-language: AR-SA; BR>: 'Times New Roman'">This e-mail and any
attachments may contain information which is confidential, proprietary,
privileged or otherwise protected by law. The information is solely intended
for the named addressee (or a person responsible for delivering it to the
addressee). If you are not the intended recipient of this message, you are
not authorized to read, print, retain, copy or disseminate this message or
any part of it. If you have received this e-mail in error, please notify the
sender immediately by return e-mail and delete it from your computer.
_______________________________________________
SunHELP maillist - SunHELP at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/sunhelp
------_=_NextPart_001_01C0FB5B.3DA8C400
Content-Type: text/html;
charset="iso-8859-1"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: [SunHELP] Root Passwd</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>You are correct. I have not yet found a way to redirect the </FONT>
<BR><FONT SIZE=2>start/stop message from being displayed. If you can find a</FONT>
<BR><FONT SIZE=2>way, the user wont know he is being logged, or where the log</FONT>
<BR><FONT SIZE=2>is. Until you can redirect the display message you would have</FONT>
<BR><FONT SIZE=2>to count on the user not being to observant, and hope he misses</FONT>
<BR><FONT SIZE=2>the display message.</FONT>
</P>
<P><FONT SIZE=2>If you log to a remote machine and you might have a better </FONT>
<BR><FONT SIZE=2>chance of catching him. Also modify the script to alert you</FONT>
<BR><FONT SIZE=2>immediately when the user logs in.</FONT>
</P>
<P><FONT SIZE=2>Another option would to capture his .sh_history file. Write a</FONT>
<BR><FONT SIZE=2>script that does a tail -f on the users .sh_history file when</FONT>
<BR><FONT SIZE=2>he logs in and redirect that to another file that gets emailed </FONT>
<BR><FONT SIZE=2>to you. That way you can see what commands he is typing as</FONT>
<BR><FONT SIZE=2>well. Or just write a script that alerts you when he logs in</FONT>
<BR><FONT SIZE=2>you can manually tail his .sh_history file.</FONT>
</P>
<P><FONT SIZE=2>Something like this will work and he will not know your watching</FONT>
<BR><FONT SIZE=2>his .sh_history file unless he looks (ps -ef) and finds the</FONT>
<BR><FONT SIZE=2>process.</FONT>
</P>
<P><FONT SIZE=2>#!/bin/ksh</FONT>
<BR><FONT SIZE=2>#</FONT>
</P>
<P><FONT SIZE=2>MUSER=skippy</FONT>
<BR><FONT SIZE=2>MUSER1=`who | grep skippy | grep -v grep | awk '{print $1}'`</FONT>
<BR><FONT SIZE=2>PIDNUM=`ps -ef | grep $MUSER | grep tail | awk '{print $2}'`</FONT>
</P>
<P><FONT SIZE=2>if [[ $PIDNUM = "" ]]</FONT>
<BR><FONT SIZE=2>then</FONT>
<BR><FONT SIZE=2> if [[ $MUSER1 = $MUSER ]]</FONT>
<BR><FONT SIZE=2> then</FONT>
</P>
<P><FONT SIZE=2> tail -f /export/home/$MUSER/.sh_history >> /var/adm/.logging/ztest</FONT>
</P>
<P><FONT SIZE=2> else</FONT>
</P>
<P><FONT SIZE=2> print "Skippy is not logged in."</FONT>
<BR><FONT SIZE=2> PIDNUM=`ps -ef | grep $MUSER | grep tail | awk '{print $2}'`</FONT>
</P>
<P><FONT SIZE=2> if [[ $PIDNUM != "" ]]</FONT>
<BR><FONT SIZE=2> then</FONT>
</P>
<P><FONT SIZE=2> kill $PIDNUM</FONT>
</P>
<P><FONT SIZE=2> else</FONT>
</P>
<P><FONT SIZE=2> print "PIDNUM is empty. No process to kill."</FONT>
</P>
<P><FONT SIZE=2> fi</FONT>
<BR><FONT SIZE=2> fi</FONT>
</P>
<P><FONT SIZE=2>else</FONT>
</P>
<P><FONT SIZE=2> print "$MUSER is logged in and we are logging."</FONT>
</P>
<P><FONT SIZE=2>fi</FONT>
</P>
<P><FONT SIZE=2>With this you will at least be able to see what commands he</FONT>
<BR><FONT SIZE=2>is running. This scripts should be run from cron every five</FONT>
<BR><FONT SIZE=2>minutes or so.</FONT>
</P>
<P><FONT SIZE=2>Dennis L. Lund</FONT>
<BR><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Kovalev, Ivan [<A HREF="mailto:IKovalev at ibes.com">mailto:IKovalev at ibes.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Friday, June 22, 2001 12:41 PM</FONT>
<BR><FONT SIZE=2>To: 'sunhelp at sunhelp.org'</FONT>
<BR><FONT SIZE=2>Subject: RE: [SunHELP] Root Passwd</FONT>
</P>
<BR>
<P><FONT SIZE=2>Since script works in subshell, when user types "exit" it brings him/her to</FONT>
<BR><FONT SIZE=2>regular (not logged ) shell. Also, start / stop of scripting notification</FONT>
<BR><FONT SIZE=2>along with log file location go to user's screen. If you try to redirect</FONT>
<BR><FONT SIZE=2>output somewhere else, user session will hung.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>Ivan</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Lund, Dennis [<A HREF="mailto:Dennis.Lund at sciatl.com">mailto:Dennis.Lund at sciatl.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Friday, June 22, 2001 10:56 AM</FONT>
<BR><FONT SIZE=2>To: 'sunhelp at sunhelp.org'</FONT>
<BR><FONT SIZE=2>Subject: RE: [SunHELP] Root Passwd</FONT>
</P>
<BR>
<P><FONT SIZE=2>One way to find out what the user is up to would be to write a script like</FONT>
<BR><FONT SIZE=2>this:</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>#!/bin/ksh</FONT>
<BR><FONT SIZE=2>#</FONT>
<BR><FONT SIZE=2># This script is intended to log user command line activities.</FONT>
<BR><FONT SIZE=2># It will start the "script" command when a user opens a command terminal</FONT>
<BR><FONT SIZE=2># or xterm and log all commands that are typed in that window.</FONT>
<BR><FONT SIZE=2>#</FONT>
<BR><FONT SIZE=2>DATE=`date '+%m%d%y%H%M%n'`</FONT>
<BR><FONT SIZE=2>UACCNT=`who -m | awk '{print $1}'`</FONT>
<BR><FONT SIZE=2>PORTNUM=`who -m | awk '{print $2}' | cut -c1,2,3,5,6`</FONT>
<BR><FONT SIZE=2>print $PORTNUM</FONT>
<BR><FONT SIZE=2>FRHOST=`who -m | grep -v grep | grep <username> | cut -c39-59 | sed s/\)//`</FONT>
<BR><FONT SIZE=2>LOG1=/var/adm/.script_log</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>print "Log in from:" > $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE</FONT>
<BR><FONT SIZE=2>/usr/bin/who -m >> $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE</FONT>
<BR><FONT SIZE=2>print "\n" >> $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>/usr/bin/script -a $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>Add a line to the end of the users .profile and the script will log</FONT>
<BR><FONT SIZE=2>everything the use does</FONT>
<BR><FONT SIZE=2>to the log file. Try to hide the log file to make it more difficult for the</FONT>
<BR><FONT SIZE=2>user to find it. You can</FONT>
<BR><FONT SIZE=2>even have it log to a remote machine.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>You can modify this script to alert you as soon as the user logs in so you</FONT>
<BR><FONT SIZE=2>can</FONT>
<BR><FONT SIZE=2>tail the log file if you wish.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>Dennis L. Lund</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: Lund, Dennis [<A HREF="mailto:Dennis.Lund at sciatl.com">mailto:Dennis.Lund at sciatl.com</A>]</FONT>
<BR><FONT SIZE=2>Sent: Friday, June 22, 2001 8:58 AM</FONT>
<BR><FONT SIZE=2>To: 'sunhelp at sunhelp.org'</FONT>
<BR><FONT SIZE=2>Subject: RE: [SunHELP] Root Passwd</FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>I would have to agree with this 100%. If the person is not </FONT>
<BR><FONT SIZE=2>cooperating, take it to management. A breach of security like </FONT>
<BR><FONT SIZE=2>this is totally unacceptable. </FONT>
</P>
<P><FONT SIZE=2>Dennis L. Lund </FONT>
</P>
<P><FONT SIZE=2>-----Original Message----- </FONT>
<BR><FONT SIZE=2>From: Przyjazny, Martin [ <A HREF="mailto:martin.przyjazny at eds.com">mailto:martin.przyjazny at eds.com</A></FONT>
<BR><FONT SIZE=2><<A HREF="mailto:martin.przyjazny at eds.com">mailto:martin.przyjazny at eds.com</A>> ] </FONT>
<BR><FONT SIZE=2>Sent: 21 June 2001 14:11 </FONT>
<BR><FONT SIZE=2>To: 'sunhelp at sunhelp.org' </FONT>
<BR><FONT SIZE=2>Subject: RE: [SunHELP] Root Passwd </FONT>
</P>
<BR>
<P><FONT SIZE=2>Or instead of perpetuating the non-cooperative spirit, </FONT>
<BR><FONT SIZE=2>talk to him frankly, and involve management. </FONT>
</P>
<P><FONT SIZE=2>The sysadmin IS management. </FONT>
</P>
<P><FONT SIZE=2>From a sysadmin point of view there are limits to what a user is and isn't </FONT>
<BR><FONT SIZE=2>allowed to do. </FONT>
<BR><FONT SIZE=2>DIY privilege elevation is strictly on the "DO NOT" list. The user has </FONT>
<BR><FONT SIZE=2>already proved to be </FONT>
<BR><FONT SIZE=2>uncooperative by not handing over the script/binary. </FONT>
</P>
<P><FONT SIZE=2>In most organisations such behaviour warrants disciplinary action. If one of</FONT>
</P>
<P><FONT SIZE=2>your users compromises a system that you run what would your reaction be? A </FONT>
<BR><FONT SIZE=2>polite, "please don't do that", isn't what's in the books. I think most </FONT>
<BR><FONT SIZE=2>admins would use, "You're fired!" </FONT>
</P>
<P><FONT SIZE=2>I may sound harsh but I don't think I'm being unreasonable. </FONT>
</P>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>MetaPack </FONT>
<BR><FONT SIZE=2>The Lightwell </FONT>
<BR><FONT SIZE=2>12/16 Laystall Street </FONT>
<BR><FONT SIZE=2>Clerkenwell </FONT>
<BR><FONT SIZE=2>London EC1R 4PF </FONT>
<BR><FONT SIZE=2>Tel: +44 (0) 20 7843 6720 </FONT>
<BR><FONT SIZE=2>Fax: +44 (0) 20 7843 6721 </FONT>
<BR><FONT SIZE=2>-------------------------------------------------------------------------- </FONT>
<BR><FONT SIZE=2>This email is confidential and proprietary; </FONT>
<BR><FONT SIZE=2>all information contained in it must be used only by the addressee in </FONT>
<BR><FONT SIZE=2>accordance with MetaPack's terms of business and non-disclosure agreement. </FONT>
<BR><FONT SIZE=2>Disclosure, copying, and distribution to, or use by, anyone other than the </FONT>
<BR><FONT SIZE=2>intended recipient is strictly prohibited and may be unlawful. </FONT>
<BR><FONT SIZE=2>_______________________________________________ </FONT>
<BR><FONT SIZE=2>SunHELP maillist - SunHELP at sunhelp.org </FONT>
<BR><FONT SIZE=2><A HREF="http://www.sunhelp.org/mailman/listinfo/sunhelp" TARGET="_blank">http://www.sunhelp.org/mailman/listinfo/sunhelp</A></FONT>
<BR><FONT SIZE=2><<A HREF="http://www.sunhelp.org/mailman/listinfo/sunhelp" TARGET="_blank">http://www.sunhelp.org/mailman/listinfo/sunhelp</A>> </FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>- - - - - - - Appended by Scientific-Atlanta, Inc. - - - - - - -</FONT>
</P>
<P><FONT SIZE=2>EN-US; mso-bidi-language: AR-SA; BR>: 'Times New Roman'">This e-mail and any</FONT>
<BR><FONT SIZE=2>attachments may contain information which is confidential, proprietary,</FONT>
<BR><FONT SIZE=2>privileged or otherwise protected by law. The information is solely intended</FONT>
<BR><FONT SIZE=2>for the named addressee (or a person responsible for delivering it to the</FONT>
<BR><FONT SIZE=2>addressee). If you are not the intended recipient of this message, you are</FONT>
<BR><FONT SIZE=2>not authorized to read, print, retain, copy or disseminate this message or</FONT>
<BR><FONT SIZE=2>any part of it. If you have received this e-mail in error, please notify the</FONT>
<BR><FONT SIZE=2>sender immediately by return e-mail and delete it from your computer. </FONT>
</P>
<BR>
<BR>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>_______________________________________________</FONT>
<BR><FONT SIZE=2>SunHELP maillist - SunHELP at sunhelp.org</FONT>
<BR><FONT SIZE=2><A HREF="http://www.sunhelp.org/mailman/listinfo/sunhelp" TARGET="_blank">http://www.sunhelp.org/mailman/listinfo/sunhelp</A></FONT>
</P>
</BODY>
</HTML>
------_=_NextPart_001_01C0FB5B.3DA8C400--
More information about the SunHELP
mailing list