[clug] bash history > syslog working :)

steve jenkin sjenkin at canb.auug.org.au
Tue Aug 5 12:51:50 GMT 2008


Daniel Pittman wrote on 5/8/08 10:27 AM:

> "Ron Trujillo" <ron.trujillo at critrade.com> writes:

> Yes: is it your intention that this information is captured for
> security, auditing or some other purpose where it actually /matters/
> that the user can prevent it being logged?
> 
> If that is the case then you need to think again: this is absolutely not
> suitable.  (For example, the user could remove the settings from bash,
> which would have the same effect without changing shells.)
> 
> If you /really/ need to see each command run consider using some sort of
> appropriate tool.  Otherwise, simply accept that many commands will
> never be visible to your remote logging.
> 
> Regards,
>         Daniel

What will absolutely work is a modified terminal server...
Everything in & out can be captured & timestamped, checksummed and
securely logged off-net.

Can't be tampered with - out of band (not on the system under control).

i.e. nobody can log directly into one of these controlled hosts, only
via your controlled access device, which I wouldn't give a visible IP
number... [there are some nice security appliances that scan packets
this way. They have 2 ethernet ports and even figure out for themselves
what is the 'hot side' and which isn't.]

Obviously this scheme only works with text-mode connections.
Remote Desktops & X-11 protocol - no idea.

You may replace the serial connection with an IP protocol, but same
thinking applies.

For telnet, you could even create something like a transparent web-proxy.

SSH can't be captured this way (man-in-the-middle) unless you move the
host certificates to the n or tell people 'just get over it' when they
see the warning message.

What's your budget??
Is Build or Buy mandated?
=> these questions will drive your solution.

Cyclades terminal servers would be an absolutely perfect platform for
this. [perhaps they do it already]
Can't hurt to ask them.

The price of flash memory is low - logging to a local flash card would
be nice.

Members of this list include some very astute security mavens.
They will shoot me down if I'm wrong.

HTH
sj

-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
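
The capture, timestamp and checksum idea from the message above, as an added example that is not part of the original post: each chunk of terminal input or output becomes a record whose keyed checksum also covers the previous record, so edits and deletions are detectable later. The record layout, function names, key and sample session are assumptions made for illustration, and the HMAC-SHA256 chain is one possible reading of "checksummed".

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as "previous MAC" for the first record
# Constructed sample data: a key held only by the logging side, and a short
# session of keystrokes ("in") and host output ("out") with epoch timestamps.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_EVENTS = [
    (1217940710, "in", b"ls /etc\r"),
    (1217940711, "out", b"passwd  shadow  hosts\r\n"),
    (1217940715, "in", b"exit\r"),
]


def seal(key, prev_mac, ts, direction, data):
    """Build one record whose MAC covers its content and the previous MAC."""
    body = {"ts": ts, "dir": direction, "data": data.hex(), "prev": prev_mac}
    msg = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return body


def record_session(key, events):
    """Chain (timestamp, direction, bytes) events seen by the access device."""
    log, prev = [], GENESIS
    for ts, direction, data in events:
        rec = seal(key, prev, ts, direction, data)
        log.append(rec)
        prev = rec["mac"]
    return log


def verify(key, log, head=None):
    """Return -1 if intact, else the index where the chain first breaks."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expect = seal(key, prev, rec["ts"], rec["dir"], bytes.fromhex(rec["data"]))
        if rec.get("prev") != prev or not hmac.compare_digest(expect["mac"], rec.get("mac", "")):
            return i
        prev = rec["mac"]
    if head is not None and prev != head:
        return len(log)  # records are missing from the end of the log
    return -1
```

Passing the last MAC received by the off-net log store as `head` also catches records cut from the end of the log, which the chain alone cannot show.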

