Hello,

What do you recommend for keeping track of user activities? For preserving bash histories I followed these recommendations:

http://www.defcon1.org/secure-command.html

They include using 'chflags sappnd .bash_history', enabling process accounting, and the like.

My goal is to "watch the watchers," i.e. watch for abuse of power by SOC people with the ability to view traffic captured by sniffers.

I plan to use sudo to limit and audit user activities too. I may also try some of the patches to bash listed at project.honeynet.org which send keystrokes to a remote server. Hardware keystroke logging is always a possibility.

For more, should I turn to TrustedBSD integration in a future 5.x release?

Thank you,

Richard Bejtlich
http://www.taosecurity.com
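As an added example (not code from this thread or from any of the tools it mentions) of the "use sudo to limit and audit" idea, the script below reads sudo's syslog lines and reports which users ran, or were refused, commands that touch the sniffer's capture files. It assumes sudo logs in its usual "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." form (with "command not allowed" for refusals); the log lines and the capture directory /nsm/pcap/ are constructed for the example.

```python
"""Audit sudo syslog lines for access to sniffer capture files.

Added example, not code from the thread. Assumes sudo's standard syslog
format; the sample log and CAPTURE_DIR below are constructed.
"""
import re
from collections import defaultdict

# Constructed: where the sniffer is assumed to write its captures.
CAPTURE_DIR = "/nsm/pcap/"

# Constructed sample lines in the shape sudo writes to syslog.
SAMPLE_LOG = """\
Jan  6 13:04:30 sensor sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/tcpdump -n -r /nsm/pcap/20040106.pcap
Jan  6 13:05:02 sensor sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/messages
Jan  6 13:07:41 sensor sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cp /nsm/pcap/20040106.pcap /tmp/x
Jan  6 13:09:10 sensor sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/tcpdump -r /nsm/pcap/20040106.pcap
"""

# One regex for both the allowed and the refused ("command not allowed") forms.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<denied>command not allowed) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_lines(text):
    """Return a list of dicts, one per sudo line that matches SUDO_RE."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["denied"] = ev["denied"] is not None
            events.append(ev)
    return events


def capture_access(events, capture_dir=CAPTURE_DIR):
    """Events whose full command line (sudo logs the arguments) names a capture file."""
    return [e for e in events if capture_dir in e["cmd"]]


def per_user_summary(events, capture_dir=CAPTURE_DIR):
    """Per-user counts of allowed, denied and capture-touching sudo invocations."""
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0, "captures": 0})
    for e in events:
        s = summary[e["user"]]
        s["denied" if e["denied"] else "allowed"] += 1
        if capture_dir in e["cmd"]:
            s["captures"] += 1
    return dict(summary)


if __name__ == "__main__":
    evs = parse_sudo_lines(SAMPLE_LOG)
    for e in capture_access(evs):
        state = "DENIED " if e["denied"] else "allowed"
        print(f"{e['ts']} {state} {e['user']} ran: {e['cmd']}")
    print(per_user_summary(evs))
```

Because sudo records the complete command line, a report like this shows which capture file was read and whether it was copied elsewhere, which process accounting (no arguments, truncated command names) cannot tell you.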
--- Richard Bejtlich <richard_bejtlich@yahoo.com> wrote:

> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.

Have you considered snooping ttys (man watch, man snp)? It doesn't seem to be scalable, but I've only tinkered.

=====
Only fools have all the answers.
On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html

This was a very interesting article, thanks for that. I made a note of it on my blog where you can also find a perl script I wrote a while ago to report on the history usage of all users logging in on a certain date - I run it daily via cron to report on shell usage for the current day. The article is here:

http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html

> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities
> too. I may also try some of the patches to bash
> listed at project.honeynet.org which send keystrokes
> to a remote server. Hardware keystroke logging is
> always a possibility.

As someone already mentioned, the snp driver is used by the watch(8) utility to allow an admin to snoop on what users are doing on a tty. This even allows you as an admin to actually interact with another user's tty session (never fails to be amusing :P) and can be a very good tool to help when demonstrating something for a user in their shell. There's a good article on setting up watch(8) here:

http://www.freebsddiary.org/watch.php

There's also a port around that uses snp to log tty sessions. IIRC the app is in /usr/ports/security/termlog - when I had a brief look at it, it didn't seem too practical for logging all users' tty sessions, but it might give you some ideas.

Good luck.

--
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
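The daily history report mentioned above is not on the page, so here is an added example in the same spirit (an independent reimplementation, not Jez Hancock's perl script). It assumes bash runs with HISTTIMEFORMAT set, so each entry in ~/.bash_history is preceded by a "#<epoch-seconds>" line, and that the files are append-only (chflags sappnd) so old entries are not rewritten. The histories below are constructed; entries with no timestamp line are reported separately because they mark sessions the timestamps cannot account for.

```python
"""Per-user daily shell history report.

Added example, not the script referred to in the thread. Assumes bash
HISTTIMEFORMAT-style '#<epoch>' lines before each command. Dates are
taken in UTC. SAMPLE_HISTORIES is constructed.
"""
from datetime import datetime, timezone

# Constructed: {user: contents of that user's ~/.bash_history}
SAMPLE_HISTORIES = {
    "alice": "#1073430270\ntcpdump -n -r /nsm/pcap/20040106.pcap\n#1073430400\nexit\n",
    "bob": "#1073343900\nls /var/log\n#1073430900\nsudo less /var/log/messages\n",
    "carol": "uptime\n",  # no '#<epoch>' line: written without HISTTIMEFORMAT
}


def parse_history(text):
    """Yield (epoch_or_None, command) pairs from a history file's contents."""
    ts = None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            ts = int(line[1:])      # timestamp line applies to the next command
            continue
        yield ts, line
        ts = None                   # a timestamp covers exactly one command


def report_for_day(histories, day):
    """Commands each user ran on `day` ('YYYY-MM-DD', UTC), plus untimed entries."""
    out = {}
    for user, text in histories.items():
        timed, untimed = [], []
        for ts, cmd in parse_history(text):
            if ts is None:
                untimed.append(cmd)
            elif datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d") == day:
                timed.append(cmd)
        out[user] = {"commands": timed, "untimed": untimed}
    return out


def format_report(histories, day):
    """Plain-text report suitable for mailing from a daily cron job."""
    lines = [f"Shell history for {day} (UTC)"]
    for user, r in sorted(report_for_day(histories, day).items()):
        lines.append(f"{user}: {len(r['commands'])} command(s), "
                     f"{len(r['untimed'])} untimed entr(y/ies)")
        for cmd in r["commands"]:
            lines.append(f"    {cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_HISTORIES, "2004-01-06"))
```

In a real deployment the dictionary would be filled by reading each home directory's history file as root, and the report mailed from cron; the untimed count is the figure to watch, since a shell that ran without history timestamps (or without history at all) leaves the day's record incomplete.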
> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html
>
> They include using 'chflags sappnd .bash_history',

I think that this has come up on this list before - check the archives.

Anyway, my feeling on this is that relying on shell history tricks is entirely the wrong approach - anyone who's going to be abusing a system is going to turn off shell history first thing. Any silly tricks you do to try and prevent that can easily be worked around by using another shell, or by running commands through a mechanism other than the shell (:!command in vi, cat | xargs perl -ple 'system "$_"', etc).

Sniffing ttys is a step up, though it's still possible to log in through ssh/rsh and run commands without allocating a tty.

Be cautious about sniffing ttys, though - if users log into other systems from this system, or if they connect to services running locally that require authentication, you'll be collecting a tidy pile of very sensitive information all in one place, making for easy stealing. Consider using crypto, streaming to another, more hardened host, securely destroying the logs on a regular basis, etc. And of course you should consider the legal and ethical issues implicated by keystroke logging....

Finally, process accounting will universally collect info on every process that gets run, but it looks like it doesn't log arguments and that it caps command names to sixteen characters, which is kind of limiting.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
On Tue, 6 Jan 2004, Richard Bejtlich wrote:
> What do you recommend for keeping track of user activities? For
> preserving bash histories I followed these recommendations:
>
> http://www.defcon1.org/secure-command.html
>
> They include using 'chflags sappnd .bash_history', enabling process
> accounting, and the like.
>
> My goal is to "watch the watchers," i.e. watch for abuse of power by SOC
> people with the ability to view traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities too. I may also
> try some of the patches to bash listed at project.honeynet.org which
> send keystrokes to a remote server. Hardware keystroke logging is
> always a possibility.
>
> For more, should I turn to TrustedBSD integration in a future 5.x
> release?

One of the "Coming soon" features for the next year will be Audit support for FreeBSD, based on some work we did on a related operating system platform. There's been some prior work on Audit on FreeBSD, but it's never been completed and merged. However, Audit requires some fairly extensive changes, so I wouldn't look for it before August of 2004, I think. I've been vaguely thinking about taking a few weeks off work to jumpstart it, but I haven't really found time.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
> They include using 'chflags sappnd .bash_history',
> enabling process accounting, and the like.
>
> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.

Just forget about those methods. The only right way for such things is to monitor the execve(2) syscall at kernel level. Look at:

http://garage.freebsd.pl/lrexec.README
http://garage.freebsd.pl/lrexec.tbz

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net