topic Capture telnet session in Operating System - HP-UX

Capture telnet session

Chetan_5 — Fri, 30 Sep 2005 13:01:01 GMT

We have a requirement to capure user telnet sessions for SOX remediation. Now the easiest way to do this is to invoke script from a users profile. But it is not secure as the user has write access to the scriptlog file which can be easily modified.

Is there any 3rd party tool out there that can do this?

Re: Capture telnet session

Pete Randall — Fri, 30 Sep 2005 13:10:12 GMT

If you make their profile invoke a script owned by root that they have execute permission on, that script will be able to write to a log file that is owned by root and they have no access to. That's the way I would try to handle it.

Pete

Re: Capture telnet session

Mel Burslan — Fri, 30 Sep 2005 14:36:54 GMT

if your user's do not have su to root capability, Pete's method is perfectly safe as long as you modified the permissions of this logfile and the user's profile properly to prevent the user's themselves from modifying it.

If this is not an option, i.e., users need to modify their profiles or execute "su -" commands, then powerbroker is to the rescue. Be warned that it is not free or not even cheap for most people, but if you are concerned about SOX, your company is not a mom and pop shop and can afford it. Go to,

http://www.symark.com

for more information. You can set up a remote log server where your users are not authorized to login. This is how you keep pristine logs of user activity. It captures on keystroke basis for finer granularity.

Also you can do this locally via sudo, but if the users gain access to "su -" command, there is no longer any traceability at that moment.

Hope this helps

Re: Capture telnet session

Raj D. — Fri, 30 Sep 2005 15:35:52 GMT

Hi Chetan,

Here is some thing that can help:

i) set .sh_history
ii) put script command in .profile to save all output.

vi .profile
script $LOGNAME.log

iii) Check skymark.com , for skymark tools for further as per the above link

Cheers,

Raj.

Re: Capture telnet session

Arunvijai_4 — Sat, 01 Oct 2005 00:39:28 GMT

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=211879
http://groups.google.com/group/comp.os.linux.misc/browse_thread/thread/276d0ae9aea16e8b/f71f8585a6ad8f62%23f71f8585a6ad8f62?sa=X&oi=groupsr&start=2&num=3

It may help..

-Arun

Re: Capture telnet session

Muthukumar_5 — Sat, 01 Oct 2005 01:40:05 GMT

Nop. If you do scripting in /etc/profile then normal user can not change it.

You can capture telnet sessions simply as,

-- /etc/profile --
ps | grep -q 'telnet'
if [ $? -eq 0 ]
then
script -a /tmp/$USER_telnet.log
fi

It will append telnet related login information to the user log file.

You can as well as turn on history as,

-- /etc/profile --
ps | grep -q 'telnet'
if [ $? -eq 0 ]
then
set -o vi
export HISTFILE=/tmp/$USER_telnet.his
export HISTSIZE=2000
echo "telnet login @ $(date)" >> $HISTFILE
fi

hth.

Re: Capture telnet session

Muthukumar_5 — Sat, 01 Oct 2005 01:41:30 GMT

You can use putty tool to capture all logins related with telnet based. However, this is client based tool.

You can also use tee command something like,

# telnet | tee

hth.

Re: Capture telnet session

Chetan_5 — Mon, 03 Oct 2005 09:39:24 GMT

Thanks to all for their responses. I knew that none of the native UNIX utilities would do the job. With script, the user always will have write access to the file and we do not want that situation.

As per Ben's recommendation, I will check out skymark's powerbroker product.

Re: Capture telnet session

Chetan_5 — Mon, 03 Oct 2005 09:40:54 GMT

Sorry for the faux pas; skymark was Mel's recommendation.