Session recording
Paul Lussier
p.lussier at comcast.net
Wed Apr 2 10:15:10 EDT 2008
"Kenny Lussier" <klussier at gmail.com> writes:
> The point isn't to limit what they can do on the system (that is a
> completely different issue). The problem is to account for what they
> do, and to go to the logs and say that User X issued command Y at n
> time. The truth is, we don't care what shell they do it in. The
> decision to limit people to a single shell was a development decision,
> not a security decision.
Right, but you've ultimately gone to that end where you have, in fact,
limited people to a single shell. And, if that's the case, why not
also go further and restrict them to not being able to edit the shell
config files? It's still a 'developmental' decision in how you carry
out your security policy.

If you, for "developmental" reasons, have limited them to a single
shell, and your policy calls for controlling the PS* prompts and
other environmental variables in order to carry out that policy, it's
a simple (if not required) extension to restrict them from altering
those environmental conditions (up to and including global warming ;)

If you don't, and they do, how can you prove they did when they say
they didn't? After all, they were able to when you allowed them the
possibility without restricting them in the first place!

Got it?
--
Seeya,
Paul