Solved: Re: Capture telnet session

Chetan_5 · ‎09-30-2005

We have a requirement to capure user telnet sessions for SOX remediation. Now the easiest way to do this is to invoke script from a users profile. But it is not secure as the user has write access to the scriptlog file which can be easily modified.

Is there any 3rd party tool out there that can do this?

Pete Randall · ‎09-30-2005

If you make their profile invoke a script owned by root that they have execute permission on, that script will be able to write to a log file that is owned by root and they have no access to. That's the way I would try to handle it.

Pete

Pete

Mel Burslan · ‎09-30-2005

if your user's do not have su to root capability, Pete's method is perfectly safe as long as you modified the permissions of this logfile and the user's profile properly to prevent the user's themselves from modifying it.

If this is not an option, i.e., users need to modify their profiles or execute "su -" commands, then powerbroker is to the rescue. Be warned that it is not free or not even cheap for most people, but if you are concerned about SOX, your company is not a mom and pop shop and can afford it. Go to,

http://www.symark.com

for more information. You can set up a remote log server where your users are not authorized to login. This is how you keep pristine logs of user activity. It captures on keystroke basis for finer granularity.

Also you can do this locally via sudo, but if the users gain access to "su -" command, there is no longer any traceability at that moment.

Hope this helps

________________________________
UNIX because I majored in cryptology...

Raj D. · ‎09-30-2005

Hi Chetan,

Here is some thing that can help:

i) set .sh_history
ii) put script command in .profile to save all output.

vi .profile
script $LOGNAME.log

iii) Check skymark.com , for skymark tools for further as per the above link

Cheers,

Raj.

" If u think u can , If u think u cannot , - You are always Right . "

Arunvijai_4 · ‎09-30-2005

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=211879
http://groups.google.com/group/comp.os.linux.misc/browse_thread/thread/276d0ae9aea16e8b/f71f8585a6ad8f62%23f71f8585a6ad8f62?sa=X&oi=groupsr&start=2&num=3

It may help..

-Arun

"A ship in the harbor is safe, but that is not what ships are built for"

Muthukumar_5 · ‎09-30-2005

Nop. If you do scripting in /etc/profile then normal user can not change it.

You can capture telnet sessions simply as,

-- /etc/profile --
ps | grep -q 'telnet'
if [ $? -eq 0 ]
then
script -a /tmp/$USER_telnet.log
fi

It will append telnet related login information to the user log file.

You can as well as turn on history as,

-- /etc/profile --
ps | grep -q 'telnet'
if [ $? -eq 0 ]
then
set -o vi
export HISTFILE=/tmp/$USER_telnet.his
export HISTSIZE=2000
echo "telnet login @ $(date)" >> $HISTFILE
fi

hth.

Easy to suggest when don't know about the problem!

Muthukumar_5 · ‎09-30-2005

You can use putty tool to capture all logins related with telnet based. However, this is client based tool.

You can also use tee command something like,

# telnet | tee

hth.

Easy to suggest when don't know about the problem!

Chetan_5 · ‎10-03-2005

Thanks to all for their responses. I knew that none of the native UNIX utilities would do the job. With script, the user always will have write access to the file and we do not want that situation.

As per Ben's recommendation, I will check out skymark's powerbroker product.

Chetan_5 · ‎10-03-2005

Sorry for the faux pas; skymark was Mel's recommendation.