[SunHELP] Root Passwd

Fri Jun 22 11:40:36 CDT 2001

Since script works in subshell, when user types "exit" it brings him/her to
regular (not logged ) shell. Also, start / stop of scripting notification
along with log file location go to user's screen. If you try to redirect
output somewhere else, user session will hung.

Ivan

-----Original Message-----
From: Lund, Dennis [mailto:Dennis.Lund at sciatl.com]
Sent: Friday, June 22, 2001 10:56 AM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd

One way to find out what the user is up to would be to write a script like
this:

#!/bin/ksh
#
# This script is intended to log user command line activities.
# It will start the "script" command when a user opens a command terminal
# or xterm and log all commands that are typed in that window.
#
DATE=`date '+%m%d%y%H%M%n'`
UACCNT=`who -m | awk '{print $1}'`
PORTNUM=`who -m | awk '{print $2}' | cut -c1,2,3,5,6`
print $PORTNUM
FRHOST=`who -m | grep -v grep | grep <username> | cut -c39-59 | sed s/\)//`
LOG1=/var/adm/.script_log

print "Log in from:" > $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE
/usr/bin/who -m >> $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE
print "\n" >> $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE

/usr/bin/script -a $LOG1/$UACCNT.$PORTNUM.$FRHOST.$DATE

Add a line to the end of the users .profile and the script will log
everything the use does
to the log file.  Try to hide the log file to make it more difficult for the
user to find it.  You can
even have it log to a remote machine.

You can modify this script to alert you as soon as the user logs in so you
can
tail the log file if you wish.

Dennis L. Lund

-----Original Message-----
From: Lund, Dennis [mailto:Dennis.Lund at sciatl.com]
Sent: Friday, June 22, 2001 8:58 AM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd

I would have to agree with this 100%.  If the person is not 
cooperating, take it to management.  A breach of security like 
this is totally unacceptable. 

Dennis L. Lund 

-----Original Message----- 
From: Przyjazny, Martin [ mailto:martin.przyjazny at eds.com
<mailto:martin.przyjazny at eds.com> ] 
Sent: 21 June 2001 14:11 
To: 'sunhelp at sunhelp.org' 
Subject: RE: [SunHELP] Root Passwd 

Or instead of perpetuating the non-cooperative spirit, 
talk to him frankly, and involve management. 

The sysadmin IS management. 

>From a sysadmin point of view there are limits to what a user is and isn't 
allowed to do. 
DIY privilege elevation is strictly on the "DO NOT" list. The user has 
already proved to be 
uncooperative by not handing over the script/binary. 

In most organisations such behaviour warrants disciplinary action. If one of

your users compromises a system that you run what would your reaction be? A 
polite, "please don't do that", isn't what's in the books. I think most 
admins would use, "You're fired!" 

I may sound harsh but I don't think I'm being unreasonable. 

MetaPack 
The Lightwell 
12/16 Laystall Street 
Clerkenwell 
London EC1R 4PF 
Tel: +44 (0) 20 7843 6720 
Fax: +44 (0) 20 7843 6721 
-------------------------------------------------------------------------- 
This email is confidential and proprietary; 
all information contained in it must be used only by the addressee in 
accordance with MetaPack's terms of business and non-disclosure agreement. 
Disclosure, copying, and distribution to, or use by, anyone other than the 
intended recipient is strictly prohibited and may be unlawful. 
_______________________________________________ 
SunHELP maillist  -  SunHELP at sunhelp.org 
http://www.sunhelp.org/mailman/listinfo/sunhelp
<http://www.sunhelp.org/mailman/listinfo/sunhelp>  

- - - - - - - Appended by Scientific-Atlanta, Inc. - - - - - - -

EN-US; mso-bidi-language: AR-SA; BR>: 'Times New Roman'">This e-mail and any
attachments may contain information which is confidential, proprietary,
privileged or otherwise protected by law. The information is solely intended
for the named addressee (or a person responsible for delivering it to the
addressee). If you are not the intended recipient of this message, you are
not authorized to read, print, retain, copy or disseminate this message or
any part of it. If you have received this e-mail in error, please notify the
sender immediately by return e-mail and delete it from your computer. 