Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!cucstud!tfd!tons61!harrys
From: harrys@tons61.UUCP (Harry Skelton)
Newsgroups: comp.unix.wizards
Subject: Re: Multiple Root ID's considered evil?
Summary: audit trails
Keywords: security,shells,audit
Message-ID: <114@tons61.UUCP>
Date: 22 Sep 89 11:56:05 GMT
References: <4157@buengc.BU.EDU> <1723@convex.UUCP> <1989Sep13.082607.981@twwells.com> <1738@convex.UUCP> <3812@helios.ee.lbl.gov> <9560@cadnetix.COM>
Reply-To: harrys@tons61.UUCP (Harry Skelton)
Distribution: usa
Organization: U.S. Dept. of Transportation
Lines: 24

We have a problem of multiple logins as root (actually su's since our login
program prohibits direct root access) and I was thinking of adding something
like the "session" program to the shell and have it save the session to the
console hardcopy printer - regardless!

I don't think the user will be able to get rid of the hard copy without
notice, change tty's in midwork, nor get by the idea that a daemon opens a
file for audit then unlink()'s it while still open to hide it (fsck will fix
it later in lost+found) and/or the daemon can "add" an entry to the directory
with the proper inode information...etc.

Some users try to remove the .history file but fsck picks it up later and
they don't know I keep a second copy elsewhere...:-)

I feel if security (or system) is so bad you need direct root access, then
have a lot of passwords involved! Perhaps put the "root terminal" on a
'dialup' device to force two passwords...etc.

Perhaps the best method is a hard copy terminal in a locked box (keys
accessible though..).

--
Harry Skelton - Senior Systems Administrator - U.S. Dept. of Transportation
..!attctc!tons61!harrys ..!obdient!tons61!harrys ..!tfd!tons61!harrys
[ Views expressed by Harry Skelton are not those of the US Gov. or CBSI ]