Sridhar R wrote on Sun, Mar 14, 2004 at 11:24:42PM -0800:
,----
| > they make considerable changes and have this changelog mailed to all
| > the admins whenever it changes.
|
| Is there any tool to automate this? Or can I just edit some conf
| files so that all root activities are logged?
`----
cvs watch can be one such crude tool. Put the changelog in the CVS and
commit it. :) Better, have a commitinfo script in CVS that mails out
the changes neatly to, maybe, a mailing list.
As far as the 'activities of root' is concerned, you certainly can log
the commands. But it requires a lot of backtracing, etc. from your
side. A plain English changelog would be easier for everyone.
,----
| What is more important is security. I need to _trust_ my friends
| in their activities (but generally it's difficult to trust even the
| computer). But after all, we didn't have any issues regarding security.
| What we are expected to do is do proper maintenance of the system.
`----
Any of the standard security HOWTOs / sites must be able to explain
the problems in having shell access. It's not just over-utilisation of
resources, but also local exploits that might exist with your
software. Especially given a college campus, I know how 'vetti' some
student-5krip+-kiddies would be ;)
,----
| The user accounts are used for their mail accounts which are accessed
| through HTTP (webclient).
`----
If this HTTP access itself is not over SSL, I'm sure there is someone
out there who knows all the users' passwds and is reading "important"
mails... :)
,----
| What happens if one guy replaced the `login` binary with a patched
| one, that would log the passwords in some secret location where the
| original attacker has read access (possibly his home directory). This
| may happen if one of the other careless administrators takes a pause
| without locking the terminal. Or what will happen if the attacker
| creates a backdoor. This is where trust has to be kept on the OTHER
| administrators.
`----
Well... he would need write permissions to /sbin/login, isn't it? Of
course, there are these semi-clever folks who exploit the "innocent"
by leaving their terminal running a program which looks like a login
screen, etc. Use 'autolog' in such cases :)
-Suraj
--
,-----------------[http://www.symonds.net/~suraj/]---o
| The United States shreds 7,000 tons of worn-out currency each year.
`------------------------------[suraj@xxxxxxxxxxx]---o
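A defender-side check for the /sbin/login swap scenario discussed above, as an added example that is not part of the original thread: a small POSIX shell function (hypothetical name `check_login_binary`; assumes GNU coreutils `stat -c` and `sha256sum`) that verifies a login binary's owner, group/world write bits and SHA-256 against a baseline hash recorded from a copy you trust.

```sh
# check_login_binary PATH EXPECTED_SHA256 [EXPECTED_OWNER]
# Hypothetical helper: flags the three things a swapped /sbin/login would
# change. Prints one line per finding; returns 0 only when all checks pass.
# Assumes GNU coreutils (stat -c, sha256sum). The baseline hash must come
# from a copy you trust (install media or a read-only package mirror).
check_login_binary() {
    path=$1
    expected_sha=$2
    expected_owner=${3:-root}
    status=0

    if [ ! -f "$path" ]; then
        echo "MISSING: $path is not a regular file"
        return 1
    fi

    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")          # e.g. 755 or 4755 (setuid)
    actual_sha=$(sha256sum "$path" | cut -d' ' -f1)

    if [ "$owner" != "$expected_owner" ]; then
        echo "OWNER: $path is owned by $owner, expected $expected_owner"
        status=1
    fi

    # The last two octal digits are the group and other permission bits;
    # any digit with the write bit set (2, 3, 6, 7) lets a non-owner
    # replace the file in place, which is exactly the swap the thread
    # worries about.
    group_other=$(printf '%s' "$mode" | tail -c 2)
    case "$group_other" in
        *[2367]*)
            echo "MODE: $path is mode $mode (group or world writable)"
            status=1 ;;
    esac

    if [ "$actual_sha" != "$expected_sha" ]; then
        echo "HASH: $path is $actual_sha, baseline is $expected_sha"
        status=1
    fi

    return "$status"
}

# Stand-alone use: sh check_login.sh /sbin/login <baseline-sha256> [owner]
if [ "$#" -ge 2 ]; then
    check_login_binary "$1" "$2" "${3:-root}"
fi
```

Run it from cron against every setuid binary you care about and mail the output; a clean run prints nothing, so any line at all is worth a look.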