Monitoring Users


There are many commands that can be used to monitor user connections. The simplest way to see who is logged onto the system is the who command, which lists each user, the terminal line, the login time, and (in the host column) where the connection came from. The -u option adds the idle time and the process ID of each user's login shell. The w command lists all active users together with the command each one is currently running, which gives some idea of what the user is doing. You can tell who has been logged on recently with the last command, and on systems that keep a btmp file, lastb shows failed login attempts.

All the commands that monitor connections extract their information from the accounting log files: the "utmp" file, usually /var/adm/utmp or /etc/utmp (/var/run/utmp on Linux), for current connections, and the "wtmp" file, usually /var/adm/wtmp or /etc/wtmp (/var/log/wtmp on Linux), for historic connections. These are binary files of fixed-size records, and who, w, and last simply report what they contain, so the accuracy of every user-activity report depends on the integrity of these files. It is common for hackers to modify them to hide their activities, typically by zeroing or removing the records for their own session so that the session never appears in the output of who or last. An extra layer of monitoring should be applied to these files: check that they are writable only by root (or root and the utmp group), watch for a wtmp that shrinks or contains all-zero records, and cross-check what they report against independent sources such as the login daemon's own messages in syslog, process accounting, and the current network connection table.
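The following is an added example, not code from the book: it parses wtmp records directly and applies the integrity checks described above. It assumes the glibc x86-64 layout of struct utmp (384-byte little-endian records) and works on a small wtmp image constructed inline, since reading the real /var/log/wtmp would not run offline. The heuristics it implements are all-zero records (the signature of a wtmp "zapper"), timestamps that go backwards in what should be an append-only file, and logouts with no matching login.

```python
"""Parse wtmp records and flag signs of tampering.

Added example, not from the book. Record layout is the glibc x86-64
struct utmp (384 bytes, little-endian); SAMPLE_WTMP is constructed
inline so the script runs without access to a real wtmp file.
"""
import struct

# struct utmp: type, pad, pid, line[32], id[4], user[32], host[256],
# exit status (two shorts), session, tv_sec, tv_usec, addr_v6[4], pad[20]
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 on this layout

EMPTY, USER_PROCESS, DEAD_PROCESS = 0, 7, 8


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def make_record(rtype, pid, line, user, host, t) -> bytes:
    """Build one record (used here only to construct sample data)."""
    return struct.pack(UTMP_FORMAT, rtype, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, t, 0,
                       0, 0, 0, 0)


def parse_wtmp(data: bytes) -> list:
    """Return one dict per record; raise ValueError if the file is truncated."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length is not a multiple of the record size")
    records = []
    for i in range(0, len(data), UTMP_SIZE):
        chunk = data[i:i + UTMP_SIZE]
        f = struct.unpack(UTMP_FORMAT, chunk)
        records.append({
            "index": i // UTMP_SIZE, "type": f[0], "pid": f[1],
            "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": f[9], "zeroed": chunk == b"\0" * UTMP_SIZE,
        })
    return records


def sessions(records: list) -> list:
    """What `last` derives from wtmp: (user, line, host, login time)."""
    return [(r["user"], r["line"], r["host"], r["time"])
            for r in records if r["type"] == USER_PROCESS]


def find_anomalies(records: list) -> list:
    """Heuristic integrity checks. Each finding is a readable string.

    Caveats: a legitimate clock step can make time go backwards once,
    and log rotation can leave a logout without its login at the start
    of the file, so treat these as leads to investigate, not proof.
    """
    findings = []
    last_time = 0
    open_lines = set()
    for r in records:
        if r["zeroed"]:
            findings.append(f"record {r['index']}: all-zero record "
                            "(typical of a wtmp zapper)")
            continue
        if r["time"] < last_time:
            findings.append(f"record {r['index']}: timestamp goes "
                            f"backwards ({r['time']} < {last_time})")
        last_time = max(last_time, r["time"])
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] not in open_lines:
                findings.append(f"record {r['index']}: logout on "
                                f"{r['line']} with no matching login")
            open_lines.discard(r["line"])
    return findings


# Constructed sample: a clean login/logout pair, then a zeroed record,
# then a login whose timestamp is earlier than the records before it.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", 1000),
    make_record(DEAD_PROCESS, 1234, "pts/0", "", "", 1100),
    b"\0" * UTMP_SIZE,
    make_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.6", 900),
])

if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    for s in sessions(recs):
        print("login:", s)
    for finding in find_anomalies(recs):
        print("ANOMALY:", finding)
```

To run it against a real file, replace SAMPLE_WTMP with the bytes of /var/log/wtmp (or the utmp file, where all-zero slots are normal and only the other checks apply) and confirm UTMP_SIZE matches what `python -c 'import struct'`-style inspection of your platform's struct utmp gives; on other architectures or libc versions the field sizes differ.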

Keystroke Monitoring

Keystroke monitoring is the process of capturing a user's input, usually key presses and mouse clicks, so that the user's activities can be recorded and reconstructed. System administrators can use it as a method of protecting computer systems from unauthorized access. Keystroke monitoring should be limited to those whose activities are suspected of breaching security, and it must be carried out in compliance with company policy. The guidance below follows U.S. practice; sites not covered by U.S. law should consult their legal counsel before implementing keystroke monitoring.

Sites that use keystroke monitoring must give notice to those who would be subject to it that, by using the system, they expressly consent to such monitoring. Since unauthorized intruders must also be put on notice, some form of banner displayed at the time of signing on to the system is required; notifying only authorized users (for example, in a welcome message shown after a successful login) is not sufficient to place outside hackers on notice. The banner must therefore appear before authentication: for console logins this means /etc/issue, which getty prints before the login prompt, and for OpenSSH the Banner directive in sshd_config, which is sent to the client before the user authenticates. The message of the day (/etc/motd) is shown only after a successful login and does not serve this purpose.

The banner should give clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring. It should also indicate to authorized users that they may be monitored during the effort to monitor an intruder even if they are not the subject of the investigation. System administrators may in some cases also monitor authorized users in the course of routine system maintenance; if so, the banner should say so. An example of an appropriate banner follows:

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.

Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. [56]

[56] "CERT Advisory CA-1992-19 Keystroke Logging Banner," 7 December 1992.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
