06-04-2002, 04:17 PM #1
Moderator
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
monitoring file system
G'day guys!
My boy has access to my linux-server, and I feel
a bit uncomfortable with the idea of him downloading
& installing stuff from friends/the net, but don't want to
completely restrict his access either.
I'd love to get a notification for files he creates/installs.
Which would be the recommended solution/way to do
that?
Cheers,
Tink
06-04-2002, 09:48 PM #2
Member
Registered: Jun 2002
Location: Grand Rapids, MI
Distribution: Redhat, Slackware
Posts: 78
I would say just don't give him root/su access, if he needs to install something, he can talk to you first, then you can install it for him. It sounds like a pain, but since you have a user, you are now a sysadmin
If you are really paranoid, you could make a script that mails you the output of ls -R every night to see what files that he has installed in his home dir.
06-05-2002, 05:34 AM #3
Moderator
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Original Poster
Heh ... guess I *am* really paranoid!
He's been using some tcl based MSN client the other day... and I also wouldn't want him
to install network sniffers, for instance
06-05-2002, 08:17 AM #4
Member
Registered: Jun 2002
Location: Grand Rapids, MI
Distribution: Redhat, Slackware
Posts: 78
One can never be too paranoid! You will get a message in your syslog if he sets up a sniffer. It will look something like: kernel: eth0: Promiscuous mode enabled.
He has to be root in order to install a sniffer too!
Good luck!
06-05-2002, 05:29 PM #5
Member
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696
True
Tinkster: if you have regular users they won't be able to do much at all. They can't install programs, they can't change settings; if you are paranoid you can even chroot him in a separate space and then you're safe. At most he'll be able to run an irc bot, and find some script kiddies to exploit your server, but that will just make you learn more about security.
06-05-2002, 07:23 PM #6
Moderator
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Original Poster
Kahuna, Noerr ...
One can download, compile and run stuff from one's home
without being root? Well, I just tried it with my normal user
account, and could ... :)
sniffit for instance will check whether you are root or not
and refuse to work if you aren't, but I tend to believe that
I could change that behaviour using emacs ....
whether the system will stop me from using the interface
directly without being root I don't know, tcpdump for instance
says tcpdump: socket: operation not permitted... :)
I don't have any other "hacker tools" at hand but am eager
to learn what is possible and what's not.
Btw Kahuna, I've been an admin for ages, both at work and
home, just never was worried about the users' activities :} since
I knew they weren't technically fit/interested ;)
Cheers,
Tink
06-05-2002, 08:04 PM #7
Moderator
Registered: May 2001
Posts: 29,415
To deny users executing stuff in their ~/ you could move /home to a separate partition and then mount it -o noexec,nodev,nosuid :-]
If you want to be alerted you could run any script that does md5sum checking and listing of (new) files, or you could easily configure an integrity checker like Aide to just check the users' ~/.
IMHO chrooting would be way too much hassle for jailing human users. You'll have to provide a copy of the unix tools (base tools could be replaced with busybox), but then there are /dev and /etc entries as well, and maybe you need to mount /proc for proc tools to work (ps and the like).
Tcpdump and other sniffers usually make use of libpcap, which needs some LINUX_CAPABILITIES (caps intended) to sniff the wire. On a regular system those capabilities are reserved for, and can only be used/inherited by, apps started as root; the same goes for things like binding to ports < 1024 and network management like setting the promiscuous flag on interfaces. That's why those apps complain about uid or euid being nonzero.
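An added example (not posted by anyone in this thread) of the md5sum-based "list new/changed files" check suggested in #7 and the nightly mailed listing from #2: take a baseline of one home directory once, then rerun the compare from cron and mail whatever it prints. It assumes a POSIX sh with find, md5sum, awk and mktemp, and does not handle file names containing whitespace (md5sum's two-column output cannot represent them).

```shell
#!/bin/sh
# Added example, not from the thread. Baseline-and-compare check for one
# user's home directory, meant to run nightly from cron with its output
# mailed to the admin. Assumes POSIX sh, find, md5sum, awk and mktemp.
# File names containing whitespace are not handled (constructed limitation
# of md5sum's "checksum  ./path" line format).

# homecheck_baseline DIR DB: record "checksum  ./path" for every regular
# file under DIR (dotfiles included) into DB, sorted by path.
homecheck_baseline() {
    ( cd "$1" && find . -type f -exec md5sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# homecheck_compare DIR DB: rebuild the listing for DIR and report every
# NEW, CHANGED or REMOVED file relative to DB. Prints nothing and returns 0
# when the tree still matches the baseline; prints the findings and returns
# 1 otherwise, so a cron wrapper can decide whether to send mail at all.
homecheck_compare() {
    now=$(mktemp) || return 2
    homecheck_baseline "$1" "$now" || { rm -f "$now"; return 2; }
    findings=$(awk '
        # first file is the baseline: remember checksum per path
        FILENAME == ARGV[1] { old[$2] = $1; next }
        # second file is the fresh listing: classify each path
        {
            if (!($2 in old))       printf "NEW     %s\n", $2
            else if (old[$2] != $1) printf "CHANGED %s\n", $2
            seen[$2] = 1
        }
        # anything in the baseline that was never seen again is gone
        END { for (p in old) if (!(p in seen)) printf "REMOVED %s\n", p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Keep the baseline file somewhere the monitored user cannot write, otherwise the check only proves the tree matches whatever he last saved there.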
06-05-2002, 08:10 PM #8
Member
Registered: May 2002
Distribution: RH 7.3 - YDL 2.3
Posts: 63
You can run tripwire to monitor specific directories and run reports of new/changed files.
06-05-2002, 08:26 PM #9
Member
Registered: Jun 2002
Location: Grand Rapids, MI
Distribution: Redhat, Slackware
Posts: 78
Tinkster, Yes a user can install programs from his/her home directory, but the system permissions will prevent him/her from really screwing things up (Provided that your OS is all patched up).
You could not edit the code of sniffit with Emacs to sniff the network as non-root. It's not the code that allows a person to do this, but whether they have the permission to set the network device (eth0, ppp0, whatever) to promiscuous mode.
To set a net device to PROMISC requires root level access.
06-05-2002, 09:01 PM #10
Moderator
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Original Poster
Thanks spawn, geoff, kahuna!
I'll grab tripwire.
Will following the Linux-Security-Howto tighten
my server sufficiently for "internal attacks"? :}
I'm not too concerned about external attacks,
hosts.allow basically just allows the LAN to use any
server-services ... and iptables is a good enough
firewall for everyday use on a dial-up ;)
Cheers,
Tink
06-06-2002, 07:06 AM #11
Member
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696
True that in order to do whatever with interfaces (ethx) you need to be root, so sniffit and others won't work. But there are a bunch of local exploits in the form of scripts, so anyone can try them.
tripwire is probably the best call, since it will efficiently monitor all fs changes.
Otherwise the system can be exploitable from outside if on the internet 24/7, despite iptables.
06-06-2002, 11:32 AM #12
LQ Addict
Registered: Dec 2001
Location: Brooklyn, NY
Distribution: *NIX
Posts: 3,704
Tripwire is the best if it is installed right after the OS was installed without any network connectivity yet.
06-06-2002, 06:01 PM #13
Member
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696
Although, keep in mind that once tripwire detects something bad, it's too late for ya, since your system is probably compromised.
i.e. tripwire = monitoring <> prevention or protection
06-08-2002, 07:45 AM #14
Moderator
Registered: May 2001
Posts: 29,415
GRSecurity or LIDS should be a good addon if you're looking for some more protection/control. Have a look at the features.
06-09-2002, 05:25 AM #15
LQ Newbie
Registered: Jun 2002
Location: On the moon
Distribution: slack
Posts: 5
iptables has matches on uid/gid. Play with that.