LinuxQuestions.org
Old 06-04-2002, 04:17 PM   #1
Tinkster
Moderator
 
monitoring file system


G'day guys!

My boy has access to my linux-server, and I feel
a bit uncomfortable with the idea of him downloading
& installing stuff from friends/the net, but don't want to
completely restrict his access either.

I'd love to get a notification for files he creates/installs.
Which would be the recommended solution/way to do
that?

Cheers,
Tink
 
Old 06-04-2002, 09:48 PM   #2
kahuna
Member
 
I would say just don't give him root/su access; if he needs to install something, he can talk to you first, then you can install it for him. It sounds like a pain, but since you have a user, you are now a sysadmin.

If you are really paranoid, you could make a script that mails you the output of ls -R every night to see what files he has installed in his home dir.
 
Old 06-05-2002, 05:34 AM   #3
Tinkster
Moderator
 
Heh ... guess I *am* really paranoid!
He's been using some tcl-based MSN client the other day... and I also wouldn't want him
to install network sniffers, for instance.
 
Old 06-05-2002, 08:17 AM   #4
kahuna
Member
 
One can never be too paranoid! You will get a message in your syslog if he sets up a sniffer. It will look something like: kernel: eth0: Promiscuous mode enabled.

He has to be root in order to install a sniffer too!

Good luck!
 
Old 06-05-2002, 05:29 PM   #5
Noerr
Member
 
True
Tinkster: if you have regular users they won't be able to do much at all. They can't install programs, they can't change settings. If you are paranoid you can even chroot him in a separate space and then you're safe. At most he'll be able to run an irc bot, and find some script kiddies to exploit your server, but that will just make you learn more about security.
 
Old 06-05-2002, 07:23 PM   #6
Tinkster
Moderator
 
Kahuna, Noerr ...

One can download, compile and run stuff from one's home
without being root? Well, I just tried it with my normal user
account, and could ... :)

sniffit for instance will check whether you are root or not
and refuse to work if you aren't, but I tend to believe that
I could change that behaviour using emacs ....

whether the system will stop me from using the interface
directly without being root I don't know, tcpdump for instance
says tcpdump: socket: operation not permitted... :)

I don't have any other "hacker tools" at hand but am eager
to learn what is possible and what's not.

Btw Kahuna, I've been an admin for ages, both at work and
home, just never was worried about the users' activities :} since
I knew they weren't technically fit/interested ;)

Cheers,
Tink
 
Old 06-05-2002, 08:04 PM   #7
unSpawn
Moderator
 
To deny users executing stuff in their ~/ you could move /home to a separate partition and then mount it -o noexec,nodev,nosuid :-]

If you want to be alerted you could run any script that does md5sum checking and listing of (new) files, or you could easily configure an integrity checker like Aide to just check the user's ~/.

IMHO chrooting would be way too much hassle for jailing human users. You'll have to provide a copy of unix tools (base tools could be replaced with busybox), but then there's /dev and /etc entries as well, and maybe you need to mount /proc for proc tools to work (ps and the like).

Tcpdump and sniffers usually make use of libpcap, which needs some LINUX_CAPABILITIES (caps intended) to sniff the wire. On a regular system those capabilities are reserved for, and can only be used/inherited by, apps started as root; the same goes for things like binding to ports < 1024 and network management like setting the promiscuous flag on interfaces. That's why those apps complain about uid or euid being nonzero.
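Kahuna's nightly "mail me ls -R" idea (post #2) and unSpawn's md5sum-checking script (post #7) combined into one cron job, as an added example that is not from this thread: it keeps a hashed baseline of the user's home and reports new, changed and removed files. The script name homewatch.sh and the paths /home/kid and /var/lib/homewatch are assumed placeholders; cron itself mails any output to the crontab owner (or MAILTO), so no mail command is needed.

```shell
#!/bin/sh
# Nightly baseline-and-diff check of one user's home directory.  Added
# example, not from the thread.  Assumes POSIX sh, find, md5sum, awk and
# sort; the paths /home/kid and /var/lib/homewatch below are placeholders.
# Paths containing spaces are not handled by the awk field split.

# snapshot DIR: print "md5  path" for every regular file under DIR, sorted by path.
# Hashing as well as listing catches edited files, not only newly created ones.
snapshot() {
    find "$1" -type f -exec md5sum {} + 2>/dev/null | sort -k 2
}

# compare OLD NEW: one line per difference between two snapshot files:
# "NEW path", "CHANGED path" (same path, different hash) or "REMOVED path".
compare() {
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # baseline (may be empty)
        {
            new[$2] = $1
            if (!($2 in old))       print "NEW " $2
            else if (old[$2] != $1) print "CHANGED " $2
        }
        END { for (p in old) if (!(p in new)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# run_check HOMEDIR STATEDIR: snapshot HOMEDIR, report against the stored
# baseline, then promote the fresh snapshot to be the baseline.  Returns 0
# when nothing changed and 1 after printing a report; cron mails any output
# to the crontab owner (or MAILTO), so the report arrives without a mail call.
run_check() {
    mkdir -p "$2"
    base="$2/baseline.md5"
    cur="$2/current.md5"
    [ -f "$base" ] || : > "$base"    # first run: empty baseline, every file is NEW
    snapshot "$1" > "$cur"
    report=$(compare "$base" "$cur")
    mv "$cur" "$base"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# crontab entry (runs at 03:00):
#   0 3 * * * /usr/local/sbin/homewatch.sh /home/kid /var/lib/homewatch
[ "$#" -eq 0 ] || run_check "$1" "${2:-/var/lib/homewatch}"
```

Keep the state directory root-owned and outside the watched home, otherwise the user could edit the baseline to match whatever he adds.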
 
Old 06-05-2002, 08:10 PM   #8
geoffm33
Member
 
You can run tripwire to monitor specific directories and run reports of new/changed files.
 
Old 06-05-2002, 08:26 PM   #9
kahuna
Member
 
Tinkster, Yes a user can install programs from his/her home directory, but the system permissions will prevent him/her from really screwing things up (Provided that your OS is all patched up).

You could not edit the code of sniffit with Emacs to sniff the network as non-root. It's not the code that allows a person to do this, but whether they have the permission to set the network device (eth0, ppp0, whatever) to promiscuous mode.

To set a net device to PROMISC requires root level access.
 
Old 06-05-2002, 09:01 PM   #10
Tinkster
Moderator
 
Thanks spawn, geoff, kahuna!

I'll grab tripwire.

Will following the Linux-Security-Howto tighten
my server sufficiently for "internal attacks"? :}

I'm not too concerned about external attacks,
hosts.allow basically just allows the LAN to use any
server-services ... and iptables is a good enough
firewall for everyday use on a dial-up ;)

Cheers,
Tink
 
Old 06-06-2002, 07:06 AM   #11
Noerr
Member
 
True that in order to do whatever with interfaces (ethx) you need to be root, so sniffit and others won't work. But there are a bunch of local exploits in the form of scripts, so anyone can try them.

Tripwire is probably the best call, since it will efficiently monitor all fs changes.
Otherwise the system can be exploitable from outside if on the internet 24/7, despite iptables.
 
Old 06-06-2002, 11:32 AM   #12
neo77777
LQ Addict
 
Tripwire is the best if it is installed right after the OS was installed without any network connectivity yet.
 
Old 06-06-2002, 06:01 PM   #13
Noerr
Member
 
Although, keep in mind that once tripwire detects something bad, it's too late for ya, since your system is probably compromised,
i.e. tripwire = monitoring <> prevention or protection.
 
Old 06-08-2002, 07:45 AM   #14
unSpawn
Moderator
 
GRSecurity or LIDS should be a good add-on if you're looking for some more protection/control. Have a look at the features.
 
Old 06-09-2002, 05:25 AM   #15
slack
LQ Newbie
 
iptables has matches on uid and gid. Play with that.
 
  


All times are GMT -5.