LinuxSA Mailing list archives
From: Alan Kennington <akenning@dog.topology.org>
To: David Lloyd <lloy0076@rebel.net.au>
Date: Wed, 11 Apr 2001 04:25:44 +0930
Re: command logging
On Mon, Apr 09, 2001 at 11:27:37PM +0930, David Lloyd wrote:
>
> Alan!
>
> > Alternatively, if the user has their own computer, and you have your
> > computer that you want logged, just run tcpdump-to-a-file on the
> > whole interaction.
> > Then run ethereal over the saved file.
>
> Wouldn't this dump file become tediously to dangerously, well, large
> though?
>
> DSL
David,
I'm glad you asked that.
No, it doesn't get very voluminous.
I've logged all of my traffic on my network for the last
28 months, and it all fits onto a couple of CDs.
The tcpdump program only saves the first 68 bytes of each
packet (I think that includes the ether header, but not the time-stamp).
And I currently serve up about 1200 MBytes/month on my link.
If you're just doing a short-term check on what particular users
are doing, the bandwidth is not that great.
You can always just prune it down to the packet to their
telnet or rlogin link.
But then again, if, like me, you've ripped out all (well nearly all)
of the rlogin and telnet in your network and you use triple-DES
at all times around your house (I've got 6 PCs in the living room!),
then you're in big trouble.
I bet it's possible to rig up ssh to intercept the decrypted
data stream though. I'm really not motivated to work out
how to do that right now. But sshd does send unencrypted stuff to
a login of some sort.
Given the size of modern disk drives, there's just no problem
at all. I think that the encryption issue is more important
than the volume issue.
If the original query related to an organisation where some users
are not 100% trusted, then probably you could rig things up so
that they have to do the suspect activity while logged in
to another machine with rlogin/rsh etc.
On the other hand again (the third or fourth hand - this must be
a four-handed Shiva, I think), it shouldn't be too hard to
fiddle with the login source and modify the inittab file to use
the fiddled version.
I remember once doing something like this with the "getty" programs
to do something dodgy for a particular client.
Hey -- why not just replace mingetty with some sort of
interposed compiled C program which just does a "tee" function
on the traffic that goes through it.
I.e. it just logs it.
Hmmmm. This sounds like a hacker hack.
Too bad I'm not younger. That kind of surreptitious thing
doesn't thrill me at all.
Yup. That's it.
Just modify a "getty" or create a tee+getty wrapper sort of thing.
Cheers,
Alan Kennington.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
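The pruning step Alan mentions (keeping only the packets on a user's telnet or rlogin link out of a tcpdump file) as an added, self-contained example; this is not code from the thread. It parses the classic libpcap file format directly, drops records that the 68-byte snaplen cut off before the TCP port fields, and builds its own constructed sample capture (fake MACs, 10.0.0.x addresses) so it runs offline.

```python
import struct

TELNET, RLOGIN = 23, 513

def prune_pcap(data, ports=(TELNET, RLOGIN)):
    """Return (pruned pcap bytes, kept, total), keeping only TCP records with a
    source or destination port in `ports`. Non-IPv4/TCP records are dropped."""
    magic, = struct.unpack_from("<I", data)
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # KeyError: not a classic pcap
    out, kept, total, off = [data[:24]], 0, 0, 24    # global header is copied as-is
    while off + 16 <= len(data):
        hdr = data[off:off + 16]                      # ts_sec, ts_usec, incl_len, orig_len
        incl = struct.unpack_from(e + "I", hdr, 8)[0]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        total += 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not Ethernet/IPv4/TCP
        tcp = 14 + (frame[14] & 0x0F) * 4             # IHL gives the TCP header offset
        if len(frame) < tcp + 4:
            continue                                  # ports cut off by the snaplen
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        if sport in ports or dport in ports:
            out.append(hdr + frame)
            kept += 1
    return b"".join(out), kept, total

def make_frame(sport, dport, payload=b"x" * 100):
    """Constructed Ethernet/IPv4/TCP frame (fake MACs, 10.0.0.1 -> 10.0.0.2)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp + payload

def make_pcap(frames, snaplen=68):
    """Constructed little-endian pcap image, truncating frames like tcpdump -s 68."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 986900000 + i, 0, min(len(f), snaplen), len(f))
                   + f[:snaplen])
    return b"".join(out)

# Constructed capture: a telnet exchange, an rlogin packet, plus SMTP and HTTP noise.
SAMPLE = make_pcap([make_frame(1025, TELNET), make_frame(TELNET, 1025),
                    make_frame(1026, RLOGIN), make_frame(1027, 25), make_frame(80, 1028)])

if __name__ == "__main__":
    pruned, kept, total = prune_pcap(SAMPLE)
    print(f"kept {kept} of {total} records, {len(pruned)} of {len(SAMPLE)} bytes")
```

Real captures from tcpdump -w can be fed straight to prune_pcap; the output is itself a valid pcap that tools such as ethereal can open.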