Solved

Logging a pts/X session {where X is an Integer}

Posted on 2004-09-23
Last Modified: 2013-12-27
I have an account on 1and1.com - they give me SSH account access.  When I log in, I get this message:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Warning!    

For security reasons all ssh and telnet sessions are logged, and may
be monitored. By logging in you give consent to these conditions.

Shell access is provided for web development and not for running
irc-bots, arbitrary tcp/udp servers (e.g. gameservers) or cracking toolkits.
Disregard leads to suspension of your contract.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Well, I simply want to know if anyone has an idea of what they are using to monitor/log my session.  I'd like to implement this on my own server...I've asked a similar question here:

http://www.experts-exchange.com/Operating_Systems/Solaris/Q_21022769.html

But didn't really get a 'solid' response...so I thought I'd pick at the experts' brains once more.

So, I'm simply looking for a way to log - in relative detail, an ssh login session (pts/X).

Thanks_ramble
0
Question by:ramble
12 Comments
 
LVL 40

Assisted Solution

by:jlevie
jlevie earned 100 total points
That statement doesn't really say anything about what level of logging they are doing. It could be as simple as the standard collection of login/logout data. Or as full as the capture of all commands passed to the server in a session. The latter, as far as I know, would require modified sshd or telnetd servers.

If the server is a Solaris box they might be running full auditing, which will log what applications get run, but not all of the shell commands.
0
 

Author Comment

by:ramble
I just discovered that "screen" is in its path:

u55373445:~ > which screen
/usr/bin/screen

So, I'm trying to figure out if it can be used...but, you're right, it's very ambiguous, and there really isn't any way to find out what methods they are employing.

They're not running Solaris:
Linux infong224 2.4.27-grsec-20040809a #1 SMP Mon Aug 9 10:21:08 CEST 2004 i686 unknown

But, screen is available for both platforms...don't think it will do what I want it to do...but I'm still working with it.

0
 

Author Comment

by:ramble
Well, screen seems to be installed by default with Red Hat, so I don't think it means anything for it to be found in the path...
0
 
LVL 48

Expert Comment

by:Tintin
The warning message is pretty much a standard type of message to cover legalities.

I suspect that their logging is no more than your average Linux system.  Most of the info they would look at would be in the various log files under /var/log

0
 

Author Comment

by:ramble
Hey...I've been working more with screen...it seems to be a pretty robust logging solution...check it out:
http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0159.html

I've got many of the features to work, trying to figure out how to set the permissions, and create a robust .screenrc file.

Doesn't seem to work in all shells...? Which could be a big problem.
0
 
LVL 38

Accepted Solution

by:yuzh
yuzh earned 200 total points
You can download the screen binary package from:
         http://sunfreeware.com/
You need to remember to install the required packages.

I have tested logging all the user commands, including screen output, with screen; it works. But I would not use it to monitor the users (tons of reasons).

I suggest you use Solaris BSM; please have a look at the following pages for more details:

http://www.boran.com/security/sp/Solaris_bsm.html
http://www.securityfocus.com/infocus/1362
http://docs.sun.com     -- Search for BSM
0
 

Assisted Solution

by:dlinvill
dlinvill earned 100 total points
A tool installed by default on almost any UNIX server is script.  It can be set up to spawn the user's shell and log everything that is displayed to the terminal in a file.  I doubt this is what the warning is hinting at, but it may be what you are looking for on your own server.

Try a 'man script'

0
 

Author Comment

by:ramble
script seems to be an extremely easy way to do it...

How would I hide it from the user?  Not in a "complicated" fashion...just in general.  Script starts up like this:

Script started, file is script_testing
Script done, file is script_testing

Also, it seems to change the default prompt for the login file.  I'd like it to keep the same "characteristics" of the prompt.

example: (normal login)

Research SVR>

But, putting: exec script /logs/session_logs/script_log
in the .login file makes the prompt simply display:

#
#echo $SHELL
/bin/sh

0
 

Author Comment

by:ramble
Here's an "actual" example of the 'alias' command being overwritten.  So, I'm not clear on how I can retain the same environment BEFORE the script spawned a new shell.

Research SVR> alias
h       history
set3151 setenv TERM ibm3151
set803  setenv TERM tvi800
setpc   setenv TERM ibmpc
setsvt  setenv TERM svt1220
settvi  setenv TERM adds25
setuvt  setenv TERM svt1220
setvt100        setenv TERM vt100
setwyse setenv TERM wyse50
sus     exec bash
Research SVR> script
Script started, file is typescript
$ alias
autoload='typeset -fu'
command='command '
functions='typeset -f'
history='fc -l'
integer='typeset -i'
local=typeset
nohup='nohup '
r='fc -e -'
stop='kill -STOP'
suspend='kill -STOP $$'
$
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 100 total points
the ways to go are script or screen
script is a simple thing and can simply be detected with ps. There is no problem with the prompt, your description sounds like you have a broken SHELL environment variable.
> How would I hide it from the user?
you can't (except with a modified /bin/ps and no access to /proc)

screen is hard to detect, at least if you have no root access.
0
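
The SHELL problem diagnosed in the answer above, applied to the script approach suggested earlier in the thread, as an added example that is not part of any post here. It assumes the util-linux script (its -q and -f options) and a sh-family login file; the names SESSION_LOGGED, shell_from_passwd_line, session_log_path and start_session_log are hypothetical, and /logs/session_logs is the directory used earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): log a login session with script(1).
# Assumes util-linux script; all function and variable names are hypothetical.

LOG_DIR="${LOG_DIR:-/logs/session_logs}"   # directory named earlier in the thread

# Print the login shell (7th field) from one passwd(5) line.
# An empty field means /bin/sh, which is also the fallback script(1) uses.
shell_from_passwd_line() {
    s=${1##*:}
    printf '%s\n' "${s:-/bin/sh}"
}

# Build one log path per user, tty and start time.
# Only [A-Za-z0-9._-] survives, so the name cannot leave LOG_DIR.
session_log_path() {
    u=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9._-')
    t=$(printf '%s' "${2#/dev/}" | tr '/' '-' | tr -cd 'A-Za-z0-9._-')
    printf '%s/%s.%s.%s.log\n' "$LOG_DIR" "$u" "$t" "$3"
}

# Replace the login shell with a recorded one. Returns 0 without recording when
# already inside script, when stdin is not a terminal (scp, remote commands),
# or when LOG_DIR is not writable (fails open so logins are not locked out).
start_session_log() {
    [ -n "${SESSION_LOGGED:-}" ] && return 0
    [ -t 0 ] || return 0
    [ -w "$LOG_DIR" ] || return 0
    user=$(id -un)
    # Take SHELL from the passwd entry instead of trusting the inherited value;
    # script starts $SHELL, and falls back to /bin/sh when it is unset.
    SHELL=$(shell_from_passwd_line "$(getent passwd "$user")")
    log=$(session_log_path "$user" "$(tty)" "$(date +%Y%m%dT%H%M%S)")
    export SHELL SESSION_LOGGED=1
    # -q: no "Script started/done" lines; -f: flush after every write
    exec script -q -f "$log"
}

# Source this file from a login file such as /etc/profile, then call
# start_session_log as the last step of that file.
```

The log file is written with the user's own privileges, so the user can read, edit or delete it; where the record has to survive that, an audit trail the user cannot write to (such as the Solaris BSM suggested in the accepted solution) is the better fit.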
 

Author Comment

by:ramble
ahoffmann:

Yes, that was what I was guessing with the environment variable.  

I tried screen, and it works fine...in root.  

But when I'm in the SHELL environment of the users that I want to log...I get:

[screen is terminating]

And it immediately exits...No other error messages, or reasons on why.

Another user I get the error message:

Cannot open your terminal '/dev/pts/5' - please check.

I'm guessing that this is env related as well.  Any suggestions?


0
 
LVL 51

Expert Comment

by:ahoffmann
Unix is secure, in most things ;-)
obviously you need to be root then to use screen to monitor other user's tty.
0
