My son is 9 years old. His name is Gabriel Rodger Edward Paulo, but we call him exclusively by his initials: GREP. This already should make you suspicious.
Like many youngsters of that age, he is completely addicted to computers, the internet and his iPod. His favorite game at the moment is Minecraft. (No idea what that is.) Since he was spending almost every waking minute behind the computer, my wife and I decided a long time ago to limit that use somewhat.
On my home server, which also acts as the internet gateway, I created some scripts which added or removed rules from iptables, which were in turn called from cron. His active time windows became 08:00-10:00, 12:00-17:00 and 20:00-21:00. At 21:00, a local cron job on his computer would shut his computer down in addition.
This worked fine for some time and got him away from the computer. But then he used his iPod to access the internet. Which I disabled for internet access as well. Then he sneakily borrowed my wife's laptop, on which he also holds a user account in case they are travelling. Which I disabled as well by adding more rules in iptables.
Then he discovered that Minecraft could be downloaded, installed and played off-line. As usual in the race between security enforcers and security breachers, it became time for the next step.
I created a flag file in my son's home directory on the server: /home/glinkels/.xallow. The same script which modifies the internet access now also writes a '0' or '1' to this file, according to whether or not X is allowed to run.
On his own computer, I created a link to this file on the server. Next I installed a script (running under root credentials) which examined this file, killed and disallowed X during the off times, and started X during the allowed time windows.
This worked for a few days, and then I began noticing that he was able to use his computer during the disallowed time windows as well. At first I thought something had gone sour with one of the scripts I wrote. Or a cron job. Or an incorrect reading of the flag file. None of the above. At a certain moment I discovered that the contents of the flag file had magically changed back to '1'. So I concentrated on anything that would access that file. I checked all open ttys on all the computers I have (which are quite a few, including those in my office, which is VPN-connected to my home office) for sessions I had left open running a test script. None of that either. Last week I created an audit rule on this file, but I haven't had the time yet to look into it.
Until this morning, when I woke up at 06:30 to the sound coming from his computer. He was watching YouTube videos, but this time was outside his allowed time window, which only started at 08:00.
So I opened /var/log/auth.log on my home server. Note that the times are in UTC and we are at UTC-4, so a UTC time of 10:30 is 06:30 local time. This is the contents of the file around 06:30:
Apr 28 10:23:48 homeserv sshd: Accepted publickey for jlinkels from 192.168.110.130 port 47106 ssh2
Apr 28 10:23:48 homeserv sshd: pam_unix(sshd:session): session opened for user jlinkels by (uid=0)
Apr 28 10:24:00 homeserv sudo: jlinkels : TTY=pts/0 ; PWD=/home/jlinkels ; USER=root ; COMMAND=/bin/sh /root/ip_rule_grep.sh allow
Apr 28 10:24:01 homeserv CRON: pam_unix(cron:session): session opened for user root by (uid=0)
Apr 28 10:24:04 homeserv sshd: Received disconnect from 192.168.110.130: 11: disconnected by user
192.168.110.130 is my computer in the home office.
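What the log shows is that the tell-tale sign was there all along: a sudo run of the rule script at a time when nobody should have been unblocking anything. The following is an added example, not part of the original post, of the check a defender could run over auth.log to catch that pattern automatically. It assumes the details given above (timestamps in UTC, local time UTC-4, the allowed windows 08:00-10:00, 12:00-17:00 and 20:00-21:00, and the script path /root/ip_rule_grep.sh); the sample log lines are constructed, with the first two mirroring the real ones.

```shell
#!/bin/sh
# Added example (not from the original post): flag sudo invocations of the
# rule script whose local time falls outside the allowed windows.
# Assumptions: auth.log timestamps are UTC, local time is UTC-4, the windows
# are the ones from the post, and the script path is /root/ip_rule_grep.sh.

UTC_OFFSET_MIN=-240          # UTC-4, as stated in the post

# Constructed sample log: first two lines mirror the post, the rest are made up.
SAMPLE_LOG='Apr 28 10:23:48 homeserv sshd: Accepted publickey for jlinkels from 192.168.110.130 port 47106 ssh2
Apr 28 10:24:00 homeserv sudo: jlinkels : TTY=pts/0 ; PWD=/home/jlinkels ; USER=root ; COMMAND=/bin/sh /root/ip_rule_grep.sh allow
Apr 28 12:00:05 homeserv sudo: jlinkels : TTY=pts/0 ; PWD=/home/jlinkels ; USER=root ; COMMAND=/bin/sh /root/ip_rule_grep.sh allow
Apr 28 16:30:10 homeserv sudo: jlinkels : TTY=pts/1 ; PWD=/home/jlinkels ; USER=root ; COMMAND=/usr/bin/apt-get update
Apr 28 23:05:12 homeserv sudo: jlinkels : TTY=pts/0 ; PWD=/home/jlinkels ; USER=root ; COMMAND=/bin/sh /root/ip_rule_grep.sh allow'

write_sample_log() {          # $1 = destination path
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# Returns 0 when $1 (minutes since local midnight) is inside an allowed window.
in_allowed_window() {
    m=$1
    [ "$m" -ge 480 ]  && [ "$m" -lt 600 ]  && return 0   # 08:00-10:00
    [ "$m" -ge 720 ]  && [ "$m" -lt 1020 ] && return 0   # 12:00-17:00
    [ "$m" -ge 1200 ] && [ "$m" -lt 1260 ] && return 0   # 20:00-21:00
    return 1
}

# Prints one ALERT line per sudo run of the rule script outside the windows.
# $1 = an auth.log-style file. Other sudo commands and non-sudo lines are ignored.
find_out_of_window_runs() {
    while IFS= read -r line; do
        case "$line" in
            *' sudo: '*'COMMAND='*ip_rule_grep.sh*) ;;   # only sudo runs of the rule script
            *) continue ;;
        esac
        # Field 3 is HH:MM:SS in UTC; awk reads "08" as decimal, which $(( )) may not.
        utc_min=$(printf '%s\n' "$line" | awk '{ split($3, t, ":"); print t[1]*60 + t[2] }')
        local_min=$(( (utc_min + UTC_OFFSET_MIN + 1440) % 1440 ))
        if ! in_allowed_window "$local_min"; then
            user=$(printf '%s\n' "$line" | awk '{ print $6 }')
            printf 'ALERT: %s ran the rule script at %02d:%02d local (outside allowed windows): %s\n' \
                "$user" $((local_min / 60)) $((local_min % 60)) "$line"
        fi
    done < "$1"
}

# Stand-alone run over the constructed sample: the 10:24 and 23:05 UTC runs
# (06:24 and 19:05 local) are reported, the 12:00 UTC run (08:00 local) is not.
TMP=$(mktemp)
write_sample_log "$TMP"
find_out_of_window_runs "$TMP"
rm -f "$TMP"
```

Run against the real file with `find_out_of_window_runs /var/log/auth.log`; because the match is on the COMMAND= field of the sudo record, it catches the script regardless of who ran it or from which tty, and the 10:24 line from the log above would have been flagged the first morning it happened.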
After severe cross-examination of my son, including interrogation techniques such as deprivation, exposure to hot and cold, bright lights, loud music and waterboarding, he finally admitted his crime after I threatened to make him wear a bra and post his picture on Facebook.
Whenever his computer was blocked, he would sneak into my home office and open a virtual console. My computer is always on (a super low power Atom nettop) and not locked by a screen saver(*). Then he SSH-ed into the home server. I am using public/private keys without a passphrase. Hey, I thought I was at least safe in my own home. Then he would search the history for the famous command: sudo bash /root/ip_rule_grep.sh allow, and execute it.
So never assume you are safe from security breachers in your own home.
(*) I stopped locking my screen when the screen saver kicks in after our eldest son left the house. We had been afraid that he could browse to our confidential files, including certain pictures with embarrassing content.
PS. My wife says she can read from the smile on my face and the twinkle in my eyes that I am very proud that the little lad knows how to use Linux. This is completely untrue, of course.