Operating System - HP-UX

Chetan_5
Frequent Advisor

Capture telnet session

We have a requirement to capture user telnet sessions for SOX remediation. Now the easiest way to do this is to invoke script from a user's profile. But it is not secure, as the user has write access to the scriptlog file, which can be easily modified.

Is there any 3rd party tool out there that can do this?
8 REPLIES
Pete Randall
Outstanding Contributor

Re: Capture telnet session

If you make their profile invoke a script owned by root that they have execute permission on, that script will be able to write to a log file that is owned by root and they have no access to. That's the way I would try to handle it.


Pete

Mel Burslan
Honored Contributor
Solution

Re: Capture telnet session

If your users do not have su to root capability, Pete's method is perfectly safe as long as you modified the permissions of this logfile and the user's profile properly to prevent the users themselves from modifying it.

If this is not an option, i.e., users need to modify their profiles or execute "su -" commands, then powerbroker is to the rescue. Be warned that it is not free or not even cheap for most people, but if you are concerned about SOX, your company is not a mom and pop shop and can afford it. Go to,

http://www.symark.com

for more information. You can set up a remote log server where your users are not authorized to login. This is how you keep pristine logs of user activity. It captures on keystroke basis for finer granularity.

Also you can do this locally via sudo, but if the users gain access to "su -" command, there is no longer any traceability at that moment.

Hope this helps
________________________________
UNIX because I majored in cryptology...
Raj D.
Honored Contributor

Re: Capture telnet session

Hi Chetan,

Here is something that can help:

i) set .sh_history
ii) put script command in .profile to save all output.

vi .profile
script $LOGNAME.log


iii) Check skymark.com for skymark tools for further, as per the above link

Cheers,

Raj.
" If u think u can , If u think u cannot , - You are always Right . "
Arunvijai_4
Honored Contributor
Muthukumar_5
Honored Contributor

Re: Capture telnet session

Nope. If you do the scripting in /etc/profile, then a normal user cannot change it.

You can capture telnet sessions simply as,

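-- /etc/profile --
# Start session capture only when a telnet process shows up in ps output
ps | grep -q 'telnet'
if [ $? -eq 0 ]
then
# Braces are required: $USER_telnet would expand an unset variable named USER_telnet
script -a "/tmp/${USER}_telnet.log"
fi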

It will append telnet related login information to the user log file.

You can also turn on history as,

-- /etc/profile --
ps | grep -q 'telnet'
if [ $? -eq 0 ]
then
set -o vi
# Braces keep the variable name as USER rather than USER_telnet
export HISTFILE="/tmp/${USER}_telnet.his"
export HISTSIZE=2000
echo "telnet login @ $(date)" >> "$HISTFILE"
fi

hth.
Easy to suggest when don't know about the problem!
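
An added example, not part of any post in this thread: a POSIX shell check for the concern the thread keeps returning to, namely whether a session log can be altered by the user it records (a log created by `script` running as that user is owned by that user). The function name `audit_session_log`, the verdict strings and the sample file are constructed for illustration; the check reads only `ls -ldn` output and does not resolve group membership or ACLs.

```shell
#!/bin/sh
# Added example (not from the thread). audit_session_log FILE UID prints one
# verdict line and returns 0 if the log is protected from UID, 1 otherwise.
# Only ls -ldn output is inspected; group membership and ACLs are not resolved,
# so any group-writable file or directory is reported conservatively.
audit_session_log() {
    log=$1 uid=$2
    [ -f "$log" ] || { echo "MISSING $log"; return 1; }
    # ls -ldn fields: mode string, link count, numeric owner, numeric group, ...
    set -- $(ls -ldn "$log")
    fmode=$1 fowner=$3
    set -- $(ls -ldn "$(dirname "$log")")
    dmode=$1 downer=$3

    # The file owner can always chmod and rewrite the file.
    if [ "$fowner" = "$uid" ]; then
        echo "FAIL $log: owned by the audited user"; return 1
    fi
    # Character 6 of the mode string is group write, character 9 is other write.
    case $fmode in
        ?????w*|????????w*) echo "FAIL $log: group- or world-writable"; return 1 ;;
    esac
    # Write access to the directory allows renaming or replacing the log,
    # unless the sticky bit (t/T in character 10) restricts that to owners.
    if [ "$downer" = "$uid" ]; then
        echo "FAIL $log: directory owned by the audited user"; return 1
    fi
    case $dmode in
        ?????w???[x-]*|????????w[x-]*)
            echo "FAIL $log: directory writable and not sticky"; return 1 ;;
    esac
    echo "OK $log"
}

# Constructed demo: a log file owned by the current user, judged first against
# that user and then against a different (hypothetical) uid.
demo_dir=$(mktemp -d)
demo_log=$demo_dir/alice_telnet.log
: > "$demo_log"; chmod 600 "$demo_log"
audit_session_log "$demo_log" "$(id -u)" || true             # owner is the audited user
audit_session_log "$demo_log" "$(( $(id -u) + 1 ))" || true  # owner differs from the audited uid
rm -rf "$demo_dir"
```

A missing log is reported as a failure because, in a world-writable directory such as /tmp, the user could create the file first and so own it.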
Muthukumar_5
Honored Contributor

Re: Capture telnet session

You can use the PuTTY tool to capture all telnet-based logins. However, this is a client-based tool.

You can also use tee command something like,

# telnet | tee

hth.
Easy to suggest when don't know about the problem!
Chetan_5
Frequent Advisor

Re: Capture telnet session

Thanks to all for their responses. I knew that none of the native UNIX utilities would do the job. With script, the user always will have write access to the file and we do not want that situation.

As per Ben's recommendation, I will check out skymark's powerbroker product.
Chetan_5
Frequent Advisor

Re: Capture telnet session

Sorry for the faux pas; skymark was Mel's recommendation.