in reply to Re: wrapping any given shell
in thread wrapping any given shell

Can you do anything w/ ksh and .sh_history/command history? That's already built-in (guess you'd have to work to make it un-editable) so you'd just have to limit their access to /bin/ksh. Though ... can they change the .sh_history path? Are these potentially malevolent users or just a tracking business?

a

Re: Re: Re: wrapping any given shell
by Fastolfe (Vicar) on Feb 07, 2001 at 21:31 UTC
    My impression is that if you want to track your users' movements, the users you generally want to track are capable of circumventing simple measures like this. Note that the shell only records what is typed into it. I can use special file-system flags to make it so that the history file can't be deleted, and can only be appended, but you're right: there's nothing to stop them from running their own shell, or writing a simple shell in Perl, completely circumventing this. The only way to "reliably" do this is to do it closer to the OS level, which is why most Unix variants support process accounting here.

    The original poster should note that what he's trying to do is hardly novel or original, and most any major company's data center will have security policies requiring such accounting, and have generally thought of ways to do it securely. I'd avoid rolling my own, as this is definitely an area that you want to build upon the work of others, as there are a million little things you have to account for or else your installation is vulnerable to being circumvented.

      >>The original poster should note that what he's trying to do is hardly novel or original, and most any major company's data center will have security policies requiring such accounting, and have generally thought of ways to do it securely. I'd avoid rolling my own, as this is definitely an area that you want to build upon the work of others, as there are a million little things you have to account for or else your installation is vulnerable to being circumvented.

      Actually, I'm writing this FOR major companies' data centers, precisely because no such tool exists to do this in a foolproof manner.

      It may be because attempting it in userspace is just not possible...

        It may be because attempting it in userspace is just not possible

        Unfortunately, I think you're going to find that this is the case. I can probably ask our SA group to see how they're going about it, but I know it at least involves standard Unix process accounting. Where that file is stored (like on a network filesystem or what) and how it is protected I don't know.
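Fastolfe's point above is that shell history only captures what is typed into one particular shell, whereas kernel process accounting records every exec regardless of which shell (or Perl script) launched it. The following is an added example, not code from the thread or from any PerlMonks poster: a small parser for Linux process-accounting records in the `struct acct_v3` layout (64 bytes per record, as written by the kernel with accounting enabled), run over a few constructed records. The record layout, flag values and the sample records are assumptions for illustration; the real accounting file location varies by distribution.

```python
"""Parse Linux process-accounting (acct v3) records.

Added example, not part of the original thread. Assumes the Linux
``struct acct_v3`` layout (64 bytes, native little-endian on x86).
The sample records below are constructed, not captured from a system.
"""
import struct
from collections import defaultdict

# struct acct_v3 fields, in order:
#   ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid,
#   ac_ppid, ac_btime, ac_etime (float), then eight comp_t counters
#   (utime, stime, mem, io, rw, minflt, majflt, swaps), then ac_comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
ACCT_SIZE = ACCT_V3.size  # 64 bytes

# ac_flag bits (from <sys/acct.h>)
AFORK = 0x01   # forked but never exec'd: comm is the parent's name
ASU = 0x02     # used superuser privileges
ACORE = 0x08   # dumped core
AXSIG = 0x10   # killed by a signal


def decode_comp_t(c):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def encode_comp_t(value):
    """Inverse of decode_comp_t, used only to build constructed samples."""
    exp = 0
    while value > 0x1FFF and exp < 7:
        value >>= 3
        exp += 1
    return (exp << 13) | value


def parse_record(buf):
    """Unpack one 64-byte record into a dict of the fields an auditor wants."""
    (flag, _version, _tty, exitcode, uid, _gid, pid, ppid, btime, _etime,
     utime, stime, *_counters, comm) = ACCT_V3.unpack(buf)
    return {
        "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
        "uid": uid,
        "pid": pid,
        "ppid": ppid,
        "btime": btime,
        "exitcode": exitcode,
        "utime_ticks": decode_comp_t(utime),
        "stime_ticks": decode_comp_t(stime),
        "fork_only": bool(flag & AFORK),
        "used_su": bool(flag & ASU),
        "core_dumped": bool(flag & ACORE),
        "killed_by_signal": bool(flag & AXSIG),
    }


def parse_pacct(data):
    """Parse a whole accounting file image; reject truncated input."""
    if len(data) % ACCT_SIZE:
        raise ValueError("accounting data is not a whole number of records")
    return [parse_record(data[i:i + ACCT_SIZE])
            for i in range(0, len(data), ACCT_SIZE)]


def commands_by_uid(records):
    """Executed commands per uid, skipping fork-only records (no exec)."""
    out = defaultdict(list)
    for rec in records:
        if not rec["fork_only"]:
            out[rec["uid"]].append(rec["comm"])
    return dict(out)


def make_record(comm, uid, pid, ppid, flag=0, utime=0):
    """Build a constructed acct_v3 record (sample data, not real)."""
    counters = [encode_comp_t(utime)] + [0] * 7
    return ACCT_V3.pack(flag, 3, 0, 0, uid, 1000, pid, ppid,
                        981000000, 0.5, *counters, comm.encode())


# Constructed sample: a ksh session that forks, runs perl and then su.
SAMPLE_PACCT = b"".join([
    make_record("ksh", 1000, 4242, 1),                    # login shell exits
    make_record("perl", 1000, 4243, 4242, utime=10000),   # a Perl "shell"
    make_record("su", 1000, 4244, 4242, flag=ASU),        # used root privs
    make_record("ksh", 1000, 4245, 4242, flag=AFORK),     # fork without exec
])

if __name__ == "__main__":
    for uid, cmds in commands_by_uid(parse_pacct(SAMPLE_PACCT)).items():
        print(uid, cmds)
```

The point the parser makes concrete is that the `perl` exec shows up in the accounting stream even though nothing was typed into ksh for it, and that the `ASU` flag marks where superuser privilege was used. Reading the real file (commonly `/var/account/pacct` or `/var/log/account/pacct`, depending on the distribution) needs root, and the records only accumulate while accounting has been turned on.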