Session recording

Kenny Lussier klussier at gmail.com
Mon Mar 31 15:09:54 EDT 2008


On Mon, Mar 31, 2008 at 2:43 PM, Ben Scott <dragonhawk at gmail.com> wrote:
> On Mon, Mar 31, 2008 at 1:16 PM, Tom Buskey <tom at buskey.name> wrote:
>  > I concluded it was lots of work to provide security that was not auditable.
>
>   Trying to achieve a secure audit trail using the usual Unix shells is
>  (IMO) not a good idea.  The shell isn't designed for it, and there's
>  too many ways around it.  Implement security in the kernel, or in
>  processes outside user control.  Again, process accounting, SELinux,
>  etc.

Well, there are certain things that you can implement using the shell
that are a piece of the puzzle. For example, bash-paranoia gives you a
time-stamped accounting of every command that a user executed, who
they executed it as, on what pty, and the IP address that they were
logged in from. This is all valuable information. Unfortunately, it
isn't 100% reliable. As you pointed out, there are a lot of ways
around these things, such as executing a script that executes a bunch
of commands. The only thing that will be logged is the execution of
the script, not commands that the script calls. This is where process
accounting comes in. I'm not sure about SELinux yet. I am still
reading up on all of the nifty things that it provides :-)

>  > I think some kind of chroot jail would be more secure.
>
>   "Security is a process, not a product."  It sounds like the primary
>  goal in this discussion is not access control (although that always
>  plays a part), but audit/accounting.  They don't want to keep people
>  from doing stuff, just have a record of what they did.  A chroot
>  wouldn't provide a record of what was done in the jail, and the users
>  likely need access to the sensitive stuff anyway (otherwise they
>  wouldn't care so much about the audit trail).

This is exactly the case. We have already limited what people can do
on these systems using standard permissions, sudo, etc. What we need
now is to log everything that is done so that when the systems are
audited, we can provide the details of what has been done on the
system. It's not about limiting functions, it's about audit and
accountability.

Thanks,
Kenny
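
The logging gap described in this message, as an added example that is not part of the original post and is not bash-paranoia's code. It assumes bash is installed; a bash DEBUG trap stands in for a shell-level command logger, and `job.sh`, `session.sh` and `shell-audit.log` are constructed names.

```shell
#!/bin/sh
# Added demo (constructed): a shell-level command logger records only what
# the logging shell itself runs, not what a script it launches executes.

audit_gap_demo() {
  local dir log
  dir=$(mktemp -d) || return 1
  log="$dir/shell-audit.log"

  # Constructed stand-in for "a script that executes a bunch of commands".
  cat > "$dir/job.sh" <<'EOF'
#!/bin/sh
id >/dev/null
uname -a >/dev/null
ls / >/dev/null
EOF
  chmod +x "$dir/job.sh"

  # Stand-in for the audited login shell: the DEBUG trap appends a timestamp,
  # the effective uid and the command line for every command this bash
  # instance runs. The trap is not inherited by the child /bin/sh.
  cat > "$dir/session.sh" <<EOF
trap 'printf "%s uid=%s %s\n" "\$(date +%s)" "\$EUID" "\$BASH_COMMAND" >> "$log"' DEBUG
$dir/job.sh
EOF
  bash "$dir/session.sh"

  # Print what the shell-level audit trail captured, then clean up.
  cat "$log"
  rm -rf "$dir"
}

# The log holds a single record (the job.sh invocation). The id, uname and ls
# processes started inside job.sh never appear in it; kernel process
# accounting (accton, read back with lastcomm) records each of them.
audit_gap_demo
```
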

