Re: Unix command-line _arguement_ signatures

Justin J. Lister (ruf@SPi)
Tue, 13 Sep 1994 10:56:58 +1000 (EST)

"tlunt@ARPA.MIL wrote:"

[.. deleted ..]

>About ten years ago, I experimented by building a special purpose shell to
>collect this information.  It was useful for collecting data for experiments.
>But in practice it is not very good, since it is so easily bypassed by those
>not wishing to be audited (they just start up a different shell).

The original post noted this, offering the "sec" shell as a means
of protecting the user's account. That is, if they changed their shell,
the security was up to them.

If deciding to try shell logging, one would expect to incorporate
shell logging into each system shell (actually interface a shell
logging module to each) and then state that using non-system shells is
a violation of system policy. Then you have the task of detecting
policy violations. This can be quite a difficult task, due to having
to cope with both terminal & network logins (controlling terminal). A
naive approach would be some basic monitoring of the foreground
process group (TPGID): we would expect the value of TPGID to be that
of the "login shell" pid (most of the time). If we detect the value of
TPGID alternating between values that aren't the PID of the login
shell, we know that the user is using another shell.

Additionally, you have to be aware of the terminal mode (i.e. cooked,
raw, and cbreak).

But as stated, the lower you audit the harder it is to bypass. Using
Sun's Solaris 2.3 auditing system, the Basic Security Module (BSM), it
is easier to get the shell command and arguments than trying to
monitor the shell. However, it is still possible for a clever system
penetrator to avoid process auditing.

>Teresa Lunt

[ original article deleted ]
-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science      voice: 61-42-835-114 |
| |  _ \\   /| _/     | University of Wollongong      fax: 61-42-832-807 |
| |_/ \/ \_/ |_| (tm) |     Computer Security a utopian dream...         |
|                     |       Disclaimer: dreaming is at own risk        |
+---------------------+--------------------------------------------------+
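Added example, not code from the post above or from the "sec" shell: a naive TPGID monitor in Python that implements the foreground-process-group heuristic the reply describes. It reads the `tpgid` field of the login shell's own `/proc/<pid>/stat` entry (assumption: Linux procfs layout; the post discussed Solaris 2.3), polls at a fixed interval, ignores short-lived foreground jobs, and reports a foreign process group that holds the terminal for several consecutive polls as a probable second shell. The `/proc` lines used for the offline check are constructed, and the PIDs, tty number and poll counts in them are made up.

```python
"""Naive TPGID monitor for detecting a non-login shell on a terminal.

Added example (not code from the original post or from the "sec" shell).
Heuristic: the foreground process group of the login shell's controlling
terminal should normally be the login shell itself; a different PID that
stays in the foreground across several polls is probably another shell.
Assumptions: Linux /proc/<pid>/stat layout (the post discussed Solaris);
the sample lines at the bottom are constructed for offline testing.
"""
import time

# /proc/<pid>/stat layout:  pid (comm) state ppid pgrp session tty_nr tpgid ...
# comm is user-controlled and may contain spaces or ')', so split at the
# LAST ')' instead of tokenising from the left.
def parse_stat(line):
    head, _, rest = line.rpartition(')')
    pid_str, _, comm = head.partition('(')
    fields = rest.split()
    return {
        'pid': int(pid_str),
        'comm': comm,
        'state': fields[0],
        'ppid': int(fields[1]),
        'pgrp': int(fields[2]),
        'session': int(fields[3]),
        'tty_nr': int(fields[4]),
        'tpgid': int(fields[5]),   # -1 when there is no controlling terminal
    }


def read_tpgid(pid):
    """Foreground process group of the controlling terminal of process `pid`."""
    with open(f'/proc/{pid}/stat') as f:
        return parse_stat(f.read())['tpgid']


def classify_samples(login_shell_pid, tpgid_samples, persist=3):
    """Apply the heuristic to a sequence of TPGID readings.

    A short-lived foreground job (ls, cat) shows up for one or two polls and
    is ignored; a PID that is not the login shell and holds the foreground
    for `persist` consecutive polls is reported once, as (sample_index, tpgid).
    A reading of -1 (no controlling tty, e.g. a detached network session)
    resets the run: this check simply cannot see such sessions.
    """
    alerts = []
    run_pid, run_len = None, 0
    for i, tpgid in enumerate(tpgid_samples):
        if tpgid == login_shell_pid or tpgid == -1:
            run_pid, run_len = None, 0
            continue
        if tpgid == run_pid:
            run_len += 1
        else:
            run_pid, run_len = tpgid, 1
        if run_len == persist:
            alerts.append((i, tpgid))
    return alerts


def monitor(login_shell_pid, polls, interval=1.0, persist=3):
    """Poll the live system `polls` times and return the alerts."""
    samples = []
    for _ in range(polls):
        samples.append(read_tpgid(login_shell_pid))
        time.sleep(interval)
    return classify_samples(login_shell_pid, samples, persist)


# Constructed samples (hypothetical PIDs): nine polls of /proc/4242/stat for a
# login bash (pid 4242, tty 34816) while the user runs "ls" (pid 4310) briefly
# and then starts csh (pid 4420).  Only the fields up to tpgid matter; the
# tail of each line is truncated.
LOGIN_SHELL_PID = 4242
SAMPLE_STAT_LINES = [
    "4242 (bash) S 4240 4242 4242 34816 4242 4194560 0 0 0 0",
    "4242 (bash) S 4240 4242 4242 34816 4242 4194560 0 0 0 0",
    "4242 (bash) S 4240 4242 4242 34816 4310 4194560 0 0 0 0",  # ls in foreground
    "4242 (bash) S 4240 4242 4242 34816 4242 4194560 0 0 0 0",
    "4242 (bash) S 4240 4242 4242 34816 4420 4194560 0 0 0 0",  # csh started
    "4242 (bash) S 4240 4242 4242 34816 4420 4194560 0 0 0 0",
    "4242 (bash) S 4240 4242 4242 34816 4420 4194560 0 0 0 0",  # third poll: alert
    "4242 (bash) S 4240 4242 4242 34816 4420 4194560 0 0 0 0",
    "4242 (bash) S 4240 4242 4242 34816 4242 4194560 0 0 0 0",  # user left csh
]


def sample_alerts():
    samples = [parse_stat(line)['tpgid'] for line in SAMPLE_STAT_LINES]
    return classify_samples(LOGIN_SHELL_PID, samples)


if __name__ == '__main__':
    print(sample_alerts())   # -> [(6, 4420)]
```

Run it as root (or as the user who owns the shell) with `monitor(<login shell pid>, polls=60)` to watch a live session. As the reply says, this is naive: an interactive editor or pager holds the foreground just as long as a shell does and will trip the same alert, a shell started with `setsid`/`nohup` or over a session that never acquires a controlling terminal reads -1 and is invisible to it, and the terminal mode (cooked/raw/cbreak) is not inspected at all.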