Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!cs.utexas.edu!uunet!cucstud!tfd!tons61!harrys
From: harrys@tons61.UUCP (Harry Skelton)
Newsgroups: comp.unix.questions
Subject: Re: A way to monitor your files
Summary: There is a way....!
Keywords: security /unix /dev/kmem /dev/mem
Message-ID: <109@tons61.UUCP>
Date: 15 Sep 89 11:38:27 GMT
References: <547@chem.ucsd.EDU> <1140@virtech.UUCP> <29114@news.Think.COM> <1142@virtech.UUCP> <11022@smoke.BRL.MIL> <4113@buengc.BU.EDU> <11035@smoke.BRL.MIL> <4125@buengc.BU.EDU> <29348@news.Think.COM> <4298@ncar.ucar.edu>
Reply-To: harrys@tons61.UUCP (Harry Skelton)
Organization: U.S. Dept. of Transportation
Lines: 54

Some of the security features I have installed here can catch the unsuspecting snooper pretty quick. Some of the tricks are as follows:

Front ends to the following commands (record directory information and other environment information for future parsing - also the arguments):

    ls cat sh less more pg and others....

Monitor the processes with a daemon.

1) (if not SU) popen() a ps -ef and parse your directory information,
2) run a "strings" of memory (if possible) and grep out your file/directory information,
3) Monitor lock files or use fuser(1?) on your files from time to time,
4) write a program to parse the proc tables and get the full arguments to what people are running (knowledge of kernel helpful :-) ).
5) Monitor changes in files (access information, modification times, etc). Use stat() to check them and record your findings from time to time. Be sure you understand stat() as any novice can get confused by what happens to some of the time stamps after you have stat'ed a file.
6) Read the user's $HOME/.history file (Korn Shell) if possible. But that will make you as bad as the other guy...

Secure your files with 000 perms and change them back when you need to read the file or modify the file. Although SU can read it, it's still a better way of security.

If you have access to source, you can modify the shell by adding an audit trail function. There are other ways of doing it as well; I'm sure a lot of the readers have known about these and many more tricks.

Some problems you will face are:

pg < file - this will not show up in the 'ps -ef' listing. Only the pg will show.

while read line
do
    echo $line
done < file - same here, you can bypass any security clicks in most programs this way. Good for install disks too when you don't know what's out there and the install disk is missing 'ls' (Hi SCO!).

echo * - good for a munged directory listing - awk it for clean results.

I'm sure you can figure out more....

BTW: anyone have source to 'vulture' or 'monitor' ?
-- 
Harry Skelton - harrys@tons61, guardian@ugh
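As an added example (not Harry's code and not from the thread), here is a small C monitor in the spirit of point 5: it stat()s the files named on the command line on a timer and reports which fields changed since the last poll. It ignores atime on purpose, since any read of the file, including by a checking tool, updates it; the file names and the 5-second interval are assumptions for illustration.

```c
/* fimon.c: poll-based change detector built on stat(2), the approach in point 5. It keeps a
 * baseline stat per path and reports which fields differ on each poll. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
enum { CH_SIZE = 1, CH_MODE = 2, CH_OWNER = 4, CH_MTIME = 8, CH_CTIME = 16, CH_INODE = 32 };
/* Record the current stat of path; 0 on success, -1 if it cannot be stat'ed. */
int snapshot(const char *path, struct stat *out) { return stat(path, out); }
/* Return a bitmask of the fields that differ between two snapshots. atime is
 * deliberately ignored: any read (cat, pg, a checksum pass) bumps it, so it says
 * nothing about modification. stat() itself alters none of these fields. */
unsigned diff_stat(const struct stat *a, const struct stat *b) {
    unsigned ch = 0;
    if (a->st_size != b->st_size) ch |= CH_SIZE;
    if (a->st_mode != b->st_mode) ch |= CH_MODE;
    if (a->st_uid != b->st_uid || a->st_gid != b->st_gid) ch |= CH_OWNER;
    if (a->st_mtime != b->st_mtime) ch |= CH_MTIME;   /* contents written */
    if (a->st_ctime != b->st_ctime) ch |= CH_CTIME;   /* inode metadata touched */
    if (a->st_ino != b->st_ino || a->st_dev != b->st_dev) ch |= CH_INODE; /* file replaced */
    return ch;
}
/* Render a change mask as a space-separated list, e.g. "size mtime". */
void describe(unsigned ch, char *buf, size_t n) {
    static const char *names[] = { "size", "mode", "owner", "mtime", "ctime", "inode" };
    buf[0] = '\0';
    for (int i = 0; i < 6; i++) {
        if (!(ch & (1u << i))) continue;
        if (buf[0]) strncat(buf, " ", n - strlen(buf) - 1);
        strncat(buf, names[i], n - strlen(buf) - 1);
    }
}
int main(int argc, char **argv) {
    struct stat base[64], now;
    char what[64];
    if (argc < 2 || argc > 65) { fprintf(stderr, "usage: %s file... (max 64)\n", argv[0]); return 1; }
    for (int i = 1; i < argc; i++) if (snapshot(argv[i], &base[i - 1]) != 0) perror(argv[i]);
    for (;;) {                                         /* poll until interrupted */
        sleep(5);
        for (int i = 1; i < argc; i++) {
            if (snapshot(argv[i], &now) != 0) { perror(argv[i]); continue; }
            unsigned ch = diff_stat(&base[i - 1], &now);
            if (!ch) continue;
            describe(ch, what, sizeof what);
            printf("%s: changed (%s)\n", argv[i], what);
            base[i - 1] = now;                         /* re-baseline: report each change once */
        }
    }
}
```

Run it as `./fimon ~/.profile ~/.kshrc` (hypothetical paths); a reported "inode" means the file was replaced rather than edited in place, which a plain mtime check would miss.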