The system I manage is for most users fairly secure as it logs them into an in house application and then logs them straight out when they exit that application. However for the few users I do have that need other access I adopt the following -
(1) For some users certain commands are made unavailable by aliasing the command to an echo - ie rm.
(2) Make user profiles read only and monitor for anyone that changes this ie they move a writable profile in its place.
(3) Have a regular script running that checks for use of certain commands (rm chmod mv etc) every 5 minutes in the users history files. I keep a cross reference file of "reported" instances and then email to my exchange mail so that I can take action immediatly.
(4) If you can remove command prompt access completely and put every task they need to do in scripts built into a secure menu ensuring that you build traps into the menu to prevent breakout.
(5) Consider using sudo if they need higher level access - Sudo can be configured to log actions.
(6) Make sure your directory permissions across the system only give them access to what they need.
(7) Make sure that anyone with access to your backup system (omniback etc) can only recover files they own - Make sure your omniback backups are configured as "private" rather than public.
Above all be vigilent at all times - I have had staff who have attempted to exploit loop holes just to see if they can (virus writer syndrome I guess)
Hats ? We don't need no stinkin' hats !!
