Logging of client commands, possible?
Dan Kaminsky
dan at doxpara.com
Wed Mar 13 02:49:42 EST 2002

> Problems like someone uploading a shell script called 'whiterabit.sh'
> and then running it? And at the end of the script it removes itself?
>
> Using System Auditing Reports is the only sane way of doing this. As
> it was pointed out in secureshell@

I'm not sure it's sane, but it's definitely the "correct" method. Correct
doesn't mean usable, though.

Enforcing accountability among trusted peers is often even more important
than maintaining security -- when something breaks, first you want to know
who broke it, then you want to know what they did to cause the break.

The problem with security-complete reports is they're pretty damn
unparseable -- this file was opened, that data was sent, and it all adds up.
For sheer usefulness, it can be nice just to see an interactive history.

That being said, I wouldn't underestimate the strength of TTY logs.
Attackers really rarely check to see if their bytestreams are being
monitored at the endpoint -- note the logs of Mitnick's hack from a few
years back.

I consider this request somewhat orthogonal to the security aspects of
SSH -- it's a trait of the shell environment that the admin would like SSH
to securely provide, rather than a trait of the security SSH is applying to
the system.

--Dan

More information about the openssh-unix-dev mailing list