[SunHELP] Root Passwd

Lund, Dennis sunhelp at sunhelp.org
Fri Jun 22 15:38:06 CDT 2001



You are correct.  I have not yet found a way to redirect the 
start/stop message from being displayed.  If you can find a
way, the user won't know he is being logged, or where the log
is.  Until you can redirect the display message you would have
to count on the user not being too observant, and hope he misses
the display message.

If you log to a remote machine you might have a better 
chance of catching him.  Also modify the script to alert you
immediately when the user logs in.

Another option would be to capture his .sh_history file.  Write a
script that does a tail -f on the user's .sh_history file when
he logs in and redirect that to another file that gets emailed 
to you.  That way you can see what commands he is typing as
well.  Or just write a script that alerts you when he logs in,
so you can manually tail his .sh_history file.

Something like this will work and he will not know you're watching
his .sh_history file unless he looks (ps -ef) and finds the
process.

#!/bin/ksh
#
# Run from cron every few minutes.  While the user is logged in, keep a
# tail -f running on his .sh_history; once he has logged out, kill it.
#
MUSER=skippy
HIST=/export/home/$MUSER/.sh_history
LOG=/var/adm/.logging/ztest

# Is the user logged in?  (who prints one line per session; take one.)
MUSER1=`who | awk '$1 == "'$MUSER'" { print $1; exit }'`

# PID(s) of a tail already watching his history file, if any.
PIDNUM=`ps -ef | grep "tail -f $HIST" | grep -v grep | awk '{print $2}'`

if [[ $MUSER1 = $MUSER ]]
then
   if [[ -z $PIDNUM ]]
   then
      # Logged in and not yet watched: start logging in the background
      # so the cron job itself returns.
      nohup tail -f $HIST >> $LOG 2>/dev/null &
   else
      print "$MUSER is logged in and we are logging."
   fi
else
   print "$MUSER is not logged in."
   if [[ -n $PIDNUM ]]
   then
      # He has logged out: stop the watcher.
      kill $PIDNUM
   else
      print "PIDNUM is empty.  No process to kill."
   fi
fi

With this you will at least be able to see what commands he
is running.  This script should be run from cron every five
minutes or so.

Dennis L. Lund
-----Original Message-----
From: Kovalev, Ivan [mailto:IKovalev at ibes.com]
Sent: Friday, June 22, 2001 12:41 PM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd


Since the script works in a subshell, when the user types "exit" it brings
him/her to a regular (not logged) shell. Also, the start / stop of scripting
notification along with the log file location go to the user's screen. If you
try to redirect output somewhere else, the user session will hang.
 
Ivan

-----Original Message-----
From: Lund, Dennis [mailto:Dennis.Lund at sciatl.com]
Sent: Friday, June 22, 2001 10:56 AM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd


One way to find out what the user is up to would be to write a script like
this:
 
#!/bin/ksh
#
# This script is intended to log user command line activities.
# It will start the "script" command when a user opens a command terminal
# or xterm and log all commands that are typed in that window.
# $LOG1 must already exist and be writable by the user being logged,
# since "script" runs under his account.
#
DATE=`date '+%m%d%y%H%M'`
UACCNT=`who -m | awk '{print $1}'`
PORTNUM=`who -m | awk '{print $2}' | tr -d /`          # pts/3 -> pts3
FRHOST=`who -m | sed -n 's/.*(\(.*\)).*/\1/p'`         # remote host, if any
LOG1=/var/adm/.script_log
LOGFILE=$LOG1/$UACCNT.$PORTNUM.${FRHOST:-local}.$DATE

print "Log in from:" > $LOGFILE
/usr/bin/who -m >> $LOGFILE
print "\n" >> $LOGFILE

# exec replaces the login shell, so typing "exit" ends the session
# instead of dropping the user into an unlogged shell.
exec /usr/bin/script -a $LOGFILE
 
Add a line to the end of the user's .profile and the script will log
everything the user does to the log file.  Try to hide the log file to
make it more difficult for the user to find it.  You can even have it
log to a remote machine.
 
You can modify this script to alert you as soon as the user logs in so
you can tail the log file if you wish.
 
Dennis L. Lund
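An added example, not code from Dennis or from anyone else in this thread, that reworks the two pieces both of his scripts depend on: turning a `who -m` line into the log file name (instead of `cut -c39-59` and a `<username>` placeholder), and deciding from `who` and `ps -ef` output whether the cron job should start, keep or kill the tail on .sh_history. The decision is a function of captured text, so it can be checked on the constructed sample lines below without anyone logged in. It assumes a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris) and reuses the paths from Dennis's scripts; the `--run` wiring at the end is an assumption about how one would call it from cron.

```sh
#!/bin/sh
# Added example (not from the SunHELP thread).  Parses `who -m`, `who` and
# `ps -ef` output with awk instead of fixed column offsets, so neither the
# log file name nor the start/stop decision depends on hostname length.

# Constructed sample of one `who -m` line for a remote login.
SAMPLE_WHO_M='skippy     pts/3        Jun 22 10:56    (gateway.example.com)'

# Build "user.tty.host.MMDDYYHHMM" from a `who -m` line ($1) and a date
# stamp ($2).  Field 1 is the user, field 2 the tty (slash removed so the
# name is one path component); the remote host, when present, is the
# parenthesised token at the end of the line, otherwise "local".
logname_from_who() {
    printf '%s\n' "$1" | awk -v stamp="$2" '{
        user = $1
        tty  = $2; gsub("/", "", tty)
        host = "local"
        if (match($0, /\([^)]*\)$/))
            host = substr($0, RSTART + 1, RLENGTH - 2)
        print user "." tty "." host "." stamp
    }'
}

# Decide what the cron job should do for user $1, given the text of
# `who` ($2) and of `ps -ef` ($3).  Prints one of:
#   start        user logged in, no tail running
#   keep         user logged in, tail already running
#   stop <pids>  user logged out, tail(s) still running
#   idle         user logged out, nothing running
# Side effects (tail/kill) are kept out of this function so it can be
# tested on captured output.
watch_action() {
    user=$1; who_out=$2; ps_out=$3
    hist="/export/home/$user/.sh_history"
    # number of sessions of this user
    logged_in=$(printf '%s\n' "$who_out" |
        awk -v u="$user" '$1 == u { n++ } END { print n + 0 }')
    # PIDs of tails on his history file, excluding our own grep/awk lines
    tails=$(printf '%s\n' "$ps_out" | awk -v h="$hist" '
        index($0, "tail -f " h) && !index($0, "grep") { p = p sep $2; sep = " " }
        END { print p }')
    if [ "$logged_in" -gt 0 ]; then
        [ -z "$tails" ] && echo start || echo keep
    else
        [ -n "$tails" ] && echo "stop $tails" || echo idle
    fi
}

# Cron wiring (assumed): "watch.sh --run" every five minutes.
if [ "${1:-}" = "--run" ]; then
    user=skippy; log=/var/adm/.logging/ztest
    set -- $(watch_action "$user" "$(who)" "$(ps -ef)")
    case $1 in
        start) nohup tail -f "/export/home/$user/.sh_history" >> "$log" 2>/dev/null & ;;
        stop)  shift; kill "$@" ;;
    esac
fi
```

Because `watch_action` only looks at text, the same function can be pointed at `who` and `ps` output saved from another host, which is also how the "log to a remote machine" variant would be checked before trusting it.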

-----Original Message-----
From: Lund, Dennis [mailto:Dennis.Lund at sciatl.com]
Sent: Friday, June 22, 2001 8:58 AM
To: 'sunhelp at sunhelp.org'
Subject: RE: [SunHELP] Root Passwd





I would have to agree with this 100%.  If the person is not 
cooperating, take it to management.  A breach of security like 
this is totally unacceptable. 

Dennis L. Lund 

-----Original Message----- 
From: Przyjazny, Martin [ mailto:martin.przyjazny at eds.com
<mailto:martin.przyjazny at eds.com> ] 
Sent: 21 June 2001 14:11 
To: 'sunhelp at sunhelp.org' 
Subject: RE: [SunHELP] Root Passwd 


Or instead of perpetuating the non-cooperative spirit, 
talk to him frankly, and involve management. 

The sysadmin IS management. 

From a sysadmin point of view there are limits to what a user is and isn't 
allowed to do. DIY privilege elevation is strictly on the "DO NOT" list. 
The user has already proved to be uncooperative by not handing over the 
script/binary. 

In most organisations such behaviour warrants disciplinary action. If one of
your users compromises a system that you run what would your reaction be? A 
polite, "please don't do that", isn't what's in the books. I think most 
admins would use, "You're fired!" 

I may sound harsh but I don't think I'm being unreasonable. 




MetaPack 
The Lightwell 
12/16 Laystall Street 
Clerkenwell 
London EC1R 4PF 
Tel: +44 (0) 20 7843 6720 
Fax: +44 (0) 20 7843 6721 
_______________________________________________ 
SunHELP maillist  -  SunHELP at sunhelp.org 
http://www.sunhelp.org/mailman/listinfo/sunhelp