SUMMARY: tracking software?

From: Bo Slaughter (Bo.Slaughter@eng.clemson.edu)
Date: Thu Oct 29 1992 - 22:51:51 CST

First, the original question: 

---

We've been having some trouble lately with "crackers" getting onto our
system and playing around.  The last few, however, have been getting smart
and dialing in through our modem lines, which makes it very difficult
to tell if it is the legimate user or not. (Or a legimate user who is
being mischevious.)

The problem is this:  when I suspect an account of being "stolen", there
is no way for me to "watch" the user and see what they are up to.

Is there any software out there (freeware or not) that allows the recording
of every command that is typed in by a certain user?  It is also important
to note that once they dial in, they can rlogin into almost any of our other
machines... so a networked solution would be preferable.

---

Some of the answers I got were pretty interesting.  Some people suggested
going to C2 security.  We have thought about that, but we hadn't really
wanted to go that far (or that much trouble!)... it's still under 
consideration though.

Some people suggested rewriting /bin/login or /bin/csh to keep track of
what's going on.  We've been wanting to get SunOS Source code for some time
now, but with the state's budget problems...

A few people suggested using "script".  Now that was an interesting notion.
I ftp'ed the source to crack down and re-wrote it so that it doesn't give
the "file is typescript" message.  The only problem is that if I make it
a login shell, it won't read and execute .login.  Any ideas?  I'm still working
on it.

A lot of people suggested using taps and program on the modem lines to keep
track of things.   That's really too limited for what I want.  I want something
to do internet rlogin/telnet connections also.

Let's see.  Some people suggested using "cops".  I have used it, but it is
still almost impossible to make students/professors use non-crackable
passwords.

A couple of people suggested using "trace -p" on the pid for the login
shell.  That was interesting, but it gave much more information than was
needed. (Plus script has the advantage over this in that script also 
logs the output they get.)

In summary while I've still got C2 on the back burner of my brain,
I'm working on getting "script" to function in a workable manner to
track what is going on.

- Bo

Thanks to everyone who responded (too many to make a list!).

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:51 CDT