Logging of client commands, possible?

Ben Lindstrom mouring at etoh.eviladmin.org
Tue Mar 12 02:17:50 EST 2002


On Tue, 12 Mar 2002, Dan Kaminsky wrote:

> > Problems like someone uploading a shell script called 'whiterabit.sh'
> > and then running it?  And at the end of the script it removes itself?
> >
> > Using System Auditing Reports is the only sane way of doing this.  As
> > it was pointed out in secureshell@
>
> I'm not sure it's sane, but it's definitely the "correct" method.  Correct
> doesn't mean usable, though.
>

If your SAR is well written there is a 'command logging' mode, which
logs all exec() calls that occur from a user.  It is better for getting
an idea of what the user did before diving into the true SAR reports.

But on average the only way to ensure security is via the detailed
SAR report.  Otherwise you end up with the binary version of
'whiterabbit.sh'...

And of course if we are talking about root users here then they could
disable SAR as the first few things in the script/binary and re-enable
it before removing the binary.

- Ben





More information about the openssh-unix-dev mailing list