LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
01-09-2013, 03:52 AM   #1   goggoula (LQ Newbie)
How to monitor other terminals?


Hi,

I have a server in my lab where many users are connected remotely with SSH. Some of them might be entering commands that may harm the system.

Is there a way I can monitor/log these other terminals so as to be able to have a look at the commands entered?

I have tried the (cat < /dev/pts/X) option but it doesn't really help as the terminal I am trying to monitor is blocked...

Case is that I cannot easily install apps on this machine and I cannot request from other users to start a script or something like that.

Can I do it in command line or via a script file in my terminal?

Thanks!
 
01-09-2013, 10:07 AM   #2   theNbomr (LQ 5k Club)
If security is properly configured on the Linux host, you should never be able to accomplish this. On the other hand, properly configured security should also prevent users from harming the system.

Even with significantly relaxed security, I'm not sure it can be done without cooperation. What can probably be done to accomplish it would be to make the users' default shell start in a screen session that is multiuser. This would require modifying the users' entries in /etc/passwd, and would still not prevent anyone from escaping to a non-shareable shell.

--- rod.
 
01-09-2013, 10:30 AM   #3   unSpawn (Moderator)
Quote:
Originally Posted by goggoula View Post
Case is that I cannot easily install apps on this machine
Why not?

*Searching LQ for "I want to log everything" type of threads will show suggestions ranging from bad kludges like using 'script' or replacing tools with a script to better ones like using the audit service (logs execve's for example) and rootsh (compile to log to syslog by default) as default user shell. Use in conjunction with remote syslog if necessary.
 
01-10-2013, 08:25 AM   #4   goggoula (LQ Newbie, Original Poster)
Hi guys,

Thanks for the reply!

If I want to use the screen option enabled for all sessions of the user, what exactly do I have to enter in /etc/passwd?

Or if script is a more useful option, can I have it enabled in the user's environment at all times, so that I don't have to enter it each time I log in?

Thanks
 
01-10-2013, 09:16 AM   #5   unSpawn (Moderator)
Feel free to explore it all you want but screen, script or any other kludge running inside, or saving log entries to, the users own environment or allowing a user any degree of control will be subject to tampering and is therefore not part of a reliable and trustworthy audit trail.
 
01-10-2013, 09:46 AM   #6   theNbomr (LQ 5k Club)
I don't have the exact details, but you should be able to specify 'screen' (use absolute filespec) in the shell parameter in /etc/passwd for each user that needs to have this setup. It may also require some argument(s), and this might make it tricky, or it might be solved by having a 'personal' .screenrc in each user's home directory. In addition, you will probably need to make screen multiuser by enabling that in the global screenrc file, and by making it setuid root (chmod +s /usr/bin/screen).
As unSpawn says, this lock will only keep out honest people. In an instructional environment, I can see it being very useful as a communications tool, as the instructor can see and/or interact directly with student shell sessions.

--- rod.
 
01-10-2013, 10:19 AM   #7   unSpawn (Moderator)
Quote:
Originally Posted by theNbomr View Post
As unSpawn says, this lock will only keep out honest people.
I didn't say that. BTW using 'screen' the way you suggested would introduce another setuid root binary. That IMHO is neither a security best practice nor a necessity.
 
01-10-2013, 10:31 AM   #8   theNbomr (LQ 5k Club)
Quote:
Originally Posted by unSpawn View Post
I didn't say that. BTW using 'screen' the way you suggested would introduce another setuid root binary. That IMHO is neither a security best practice or a necessity.
Sorry, then. I'm not sure what you meant by 'will be subject to tampering and is therefore not part of a reliable and trustworthy audit trail.' I took it to mean that the people who would be ostensibly caught doing things they shouldn't would find it easy to get around the monitoring process (and they likely would find it easy).

I'm not sure how to make the multiuser aspect of screen work without making it setuid root. If it can be done, I would be happy to hear how, as I agree that it is a sub-optimal solution.

--- rod.
 
01-10-2013, 11:24 AM   #9   unSpawn (Moderator)
Quote:
Originally Posted by theNbomr View Post
Sorry, then. I'm not sure what you meant by 'will be subject to tampering and is therefore not part of a reliable and trustworthy audit trail.' I took it to mean that the people who would be ostensibly caught doing things they shouldn't would find it easy to get around the monitoring process (and they likely would find it easy).
Ah, I see. No need to say sorry, really. I meant that as an argument against using any tool that allows or requires a user to interact with it. The type of logging the OP wants should be initiated by the system and be in place before a user logs in (hence the audit service), not allow a user to mess with it (logging shell sending output to syslog) and syslog to a remote syslog host for centralized collection and reporting and to address some attacks.


Quote:
Originally Posted by theNbomr View Post
I'm not sure how to make the multiuser aspect of screen work without making it setuid root.
AFAIK it can't be done. More importantly it IMHO just is not the right tool for the job.
*For the sake of being complete, before Rootsh existed there already were patches for BaSH (see the Honeypot project old web site). Since I come across these "I want to log everything" type of questions quite often I made a web log post a while ago. See Bash logging patches if the topic interests you but beware it contains at least twenty links ;-p
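The audit-service approach unSpawn recommends in posts #3 and #9 (logging started by the system before the user logs in, records the user cannot tamper with, shipped off-host) produces raw SYSCALL/EXECVE/CWD records rather than a readable command history. The following is an added example, not code from the thread or from any of the posters: a small Python parser that groups auditd execve records by event id and rebuilds a per-login-user command trail. The auditctl rules quoted in the docstring and the key name "usercmds" are assumptions about how the monitored host is configured; the sample log lines are constructed, not a real capture. The security-relevant detail it illustrates is that attribution must use auid (the login uid set at SSH login, which survives su/sudo), not uid, and that audit hex-encodes any argument containing whitespace, so a naive grep for quoted strings misses exactly the commands that try to be clever.

```python
"""Rebuild a per-user command trail from auditd execve records.

Added example (not from the thread).  It assumes audit rules such as
    auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k usercmds
    auditctl -a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k usercmds
are loaded, so every execve by a real login user yields SYSCALL, EXECVE and
CWD records sharing one event id.  "usercmds" is an arbitrary key name.
"""
import re
import shlex

# Constructed sample in /var/log/audit/audit.log format (not a real capture).
# Event 502: a login user (auid 1002) running chmod as root via sudo.
# Event 503: argument with a space, which audit emits hex-encoded, unquoted.
SAMPLE_LOG = r'''
type=SYSCALL msg=audit(1357744800.101:501): arch=c000003e syscall=59 success=yes exit=0 a0=1f3a2c0 a1=1f3a4a0 a2=1f3c2e0 a3=7fff1c2d2b50 items=2 ppid=2210 pid=2241 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="rm" exe="/bin/rm" key="usercmds"
type=EXECVE msg=audit(1357744800.101:501): argc=3 a0="rm" a1="-rf" a2="/srv/data"
type=CWD msg=audit(1357744800.101:501):  cwd="/home/alice"
type=SYSCALL msg=audit(1357744800.205:502): arch=c000003e syscall=59 success=yes exit=0 a0=2 a1=3 a2=4 a3=5 items=2 ppid=2300 pid=2355 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=5 comm="chmod" exe="/bin/chmod" key="usercmds"
type=EXECVE msg=audit(1357744800.205:502): argc=3 a0="chmod" a1="u+s" a2="/usr/bin/screen"
type=CWD msg=audit(1357744800.205:502):  cwd="/home/bob"
type=SYSCALL msg=audit(1357744800.310:503): arch=c000003e syscall=59 success=yes exit=0 a0=6 a1=7 a2=8 a3=9 items=2 ppid=2210 pid=2260 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="sh" exe="/bin/dash" key="usercmds"
type=EXECVE msg=audit(1357744800.310:503): argc=3 a0="sh" a1="-c" a2=756E736574204849535446494C45
type=CWD msg=audit(1357744800.310:503):  cwd="/home/alice"
'''

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')


def _decode(value):
    """Unquote a string field.  audit hex-encodes (uppercase, unquoted) any
    value containing whitespace, quotes or control characters."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if HEX_RE.match(value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value


def parse_audit_log(text):
    """Group records by event serial; return execve events in serial order."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group('body')))
        ev = events.setdefault(m.group('serial'), {
            'serial': int(m.group('serial')),
            'time': float(m.group('ts')),
            'argv': [],
            'cwd': None,
        })
        rtype = m.group('type')
        if rtype == 'SYSCALL':
            # auid is the login uid set by pam_loginuid at SSH login; unlike uid
            # and euid it does not change across su/sudo, so it names the person.
            ev.update({
                'auid': int(fields['auid']),
                'uid': int(fields['uid']),
                'euid': int(fields['euid']),
                'tty': fields.get('tty', '(none)'),
                'ses': int(fields['ses']),
                'exe': _decode(fields['exe']),
                'success': fields.get('success') == 'yes',
            })
        elif rtype == 'EXECVE':
            argc = int(fields['argc'])
            # Very long argument lists are split into a0[0]=, a0[1]= chunks by
            # the kernel; this example does not reassemble those.
            ev['argv'] = [_decode(fields.get('a%d' % i, '')) for i in range(argc)]
        elif rtype == 'CWD':
            ev['cwd'] = _decode(fields['cwd'])
    return [events[k] for k in sorted(events, key=int)]


def command_trail(events, auid=None):
    """Format successful execves as 'time auid tty cwd$ command', optionally
    for one login uid.  Commands run as root by a non-root login are marked."""
    lines = []
    for ev in events:
        if not ev['argv'] or not ev.get('success'):
            continue
        if auid is not None and ev['auid'] != auid:
            continue
        mark = ' [as root]' if ev['euid'] == 0 and ev['auid'] != 0 else ''
        lines.append('%.3f auid=%d %s%s %s$ %s' % (
            ev['time'], ev['auid'], ev['tty'], mark,
            ev['cwd'] or '?', shlex.join(ev['argv'])))
    return lines


def elevated_commands(events):
    """Events where a login user obtained root (euid 0 with a non-zero auid)."""
    return [ev for ev in events if ev.get('euid') == 0 and ev.get('auid', 0) != 0]


if __name__ == '__main__':
    for line in command_trail(parse_audit_log(SAMPLE_LOG)):
        print(line)
```

Run it against a real /var/log/audit/audit.log (or against records collected on a remote syslog/audit host, which is where they should live) and filter with auid= to see one user's session. The "[as root]" mark is what distinguishes this from anything run inside the user's environment: neither sudo nor su changes auid, so the trail still says who typed the command.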
 