First, the original question:
---
We've been having some trouble lately with "crackers" getting onto our system and playing around. The last few, however, have been getting smart and dialing in through our modem lines, which makes it very difficult to tell if it is the legitimate user or not. (Or a legitimate user who is being mischievous.)
The problem is this: when I suspect an account of being "stolen", there is no way for me to "watch" the user and see what they are up to.
Is there any software out there (freeware or not) that allows the recording of every command that is typed in by a certain user? It is also important to note that once they dial in, they can rlogin into almost any of our other machines... so a networked solution would be preferable.
---
Some of the answers I got were pretty interesting. Some people suggested going to C2 security. We have thought about that, but we hadn't really wanted to go that far (or that much trouble!)... it's still under consideration though.
Some people suggested rewriting /bin/login or /bin/csh to keep track of what's going on. We've been wanting to get SunOS Source code for some time now, but with the state's budget problems...
A few people suggested using "script". Now that was an interesting notion. I ftp'ed the source to crack down and re-wrote it so that it doesn't give the "file is typescript" message. The only problem is that if I make it a login shell, it won't read and execute .login. Any ideas? I'm still working on it.
A lot of people suggested using taps and programs on the modem lines to keep track of things. That's really too limited for what I want. I want something to do internet rlogin/telnet connections also.
Let's see. Some people suggested using "cops". I have used it, but it is still almost impossible to make students/professors use non-crackable passwords.
A couple of people suggested using "trace -p" on the pid for the login shell. That was interesting, but it gave much more information than was needed. (Plus script has the advantage over this in that script also logs the output they get.)
In summary, while I've still got C2 on the back burner of my brain, I'm working on getting "script" to function in a workable manner to track what is going on.
- Bo
Thanks to everyone who responded (too many to make a list!).
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:51 CDT