G'day guys!

My boy has access to my linux-server, and I feel
a bit uncomfortable with the idea of him downloading
& installing stuff from friends/the net, but don't want to
completely restrict his access either.

I'd love to get a notification for files he creates/installs.
Which would be the recommended solution/way to do
that?

Cheers,
Tink

I would say just don't give him root/su access, if he needs to install something, he can talk to you first, then you can install it for him. It sounds like a pain, but since you have a user, you are now a sysadmin

If you are really paranoid, you could make a script that mails you the output of ls -R every night to see what files that he has installed in his home dir.

Heh ... guess I *am* really paranoid!
He's been using some tcl based MSN client the other day... and I also wouldn't want him
to install network sniffers, for instance

One can never be too paranoid! You will get a message in your syslog if he sets up a sniffer. It will look something like: kernel: eth0: Promiscuous mode enabled.

He has to be root in order to install a sniffer too!

Good luck!

True
Tinkster: if you have regular users they won't be able to do much at all . They can't install programs, they can't change settings if you are paraonid you can even chroot him in seperate space and then you're safe. At most he'll be able to run a irc bot, and find some script kiddies to exploit your server , but that will just make you learn more about security.

Kahuna, Noerr ...

One can download, compile and run stuff from ones home
without being root? Well, I just tried it with my normal user
account, and could ... :)

sniffit for instance will check whether you are root or not
and refuse to work if you aren't, but I tend to believe that
I could change that behaviour using emacs ....

whether the system will stop me from using the interface
directly without being root I don't know, tcpdump for instance
says tcpdump: socket: operation not permitted... :)

I don't have any other "hacker tools" at hand but am eager
to learn what is possible and what's not.

Btw Kahuna, I've been an admin for ages, both at work and
home, just never was worried about the users activities :} since
I knew they weren't technically fit/interested ;)

Cheers,
Tink

To deny users executing stuff in their ~/ you could move /home to a separate partition and then mount it -o noexec,nodev,nosuid :-]

If you want to be alerted you could run any script that does md5sum checking and listing of (new) files, or you could easily config an integrity checker like Aide to just check the users ~/.

IMHO chrooting would be way too much hassle for jailing human users. You'll have to provide a copy of unix tools (base tools could be replaced with busybox), but then there's /dev and /etc entries as well, and maybe you need to mount /proc for proc tools to work (ps and the likes).

Tcpdump, sniffers usually make use of libpcap, which needs some LINUX_CAPABILITIES (caps intended) to sniff the wire. On a regular system those capabilities are reserved for, and can only be used/inherited by apps started as root, same goes for like binding to ports < 1024 and network mgmnt like setting the promiscuous flag on interfaces. That's why those apps complain about uid or euid being nonzero.

You can run tripwire to monitor specific directories and run reports of new/changed files.

Tinkster, Yes a user can install programs from his/her home directory, but the system permissions will prevent him/her from really screwing things up (Provided that your OS is all patched up).

You could not edit the code of sniffit with Emacs to sniff the network as non-root. It's not the code that allows a person to do this, but whether they have the permission to set the network device (etho, ppp0, whatever) to promiscous mode.

To set a net device to PROMISC requires root level access.

Thanks spawn, geoff, kahuna!

I'll grab tripwire.

Will following the Linux-Security-Howto tighten
my server suffciently for "internal attacks"? :}

I'm not too concerned about external attacks,
hosts.allow basically just allows the LAN to use any
server-services ... and iptables is a good enough
firewall for everyday use on a dial-up ;)

Cheers,
Tink

true that in order to do whatever with interfaces (ethx) you need to be root so sniffit and other won't work. But there are bunch of local exploits in forms of scripts so anyone can try them.

tripwire is probably the best call, since it will efficiently monitor all fs changes
Otherwise system can be exploitable from outside if on internet 24/7, despite iptables

Tripwire is the best if it is installed right after the OS was installed without any network connectivity yet.

although, keep in mind that once tripwire detects something bad, it's too late for ya, since your system is probably compromised
ie tripwire = monitoring <> prevention or protection

I GRSecurity or LIDS should be a good addon if you're looking for some more protection/control. Have a look at the features.

iptables has matches on uid guid. play with that.