Im gearing up to teach a physical class on linux. Its got some weird requirements and this is out of my expertise. Mostly on the seeing what they do.
The first one im flexible with how they remote into it. can be ssh, vnc, etc. Physical is not a option because i dont that many machines that they can play freely on, nor the peripherals to supply the machine.
Do you need to see it real-time, or can you rely on bash_history or similar?
If you need real time, make them use telnet instead of ssh and use wireshark, tcpdump, etc.
This is difficult.
If you need to see realtime, this is actually a problem that my company is trying to solve. There are some commercial solutions for this, but it’s not what you’d call “affordable”
Closer to real time the better. I would like to see what they are typing so i can have them run root commands without them just thrashing the system. Goal it to be quick to restore
give them a chroot / jail on a ZFS volume and snapshot it every X minutes?
If the goal is “make sure they don’t trash the box” or “be able to recover it easy” then
. It may not be the course material but it is still valuable lessons… in what should be a safe, rebuildable environment.So it becomes a case of either recovery or preventing the entire box being trashed. And restoring their environment from a snapshot.
I’d abandon the monitoring being your primary defence, and just chroot/jail them on a ZFS volume you can take snaps of
In freenas, spinning up a jail running a command line unix variant is a 30 second exercise…
Yeah, okay. Easiest way would be to wrap their shell in tmux and you can just attach a local shell. This should be doable with a bashrc configuration.
The other option would be to write software that MITM’s the ssh session and basically allows a read-only monitor of the packet flow.
I think i can make screen do what i want here and could possibly even name the sessions
This would do it for tmux:
if [[ -n "$PS1" ]] && [[ -z "$TMUX" ]] && [[ -n "$SSH_CONNECTION" ]]; then
tmux attach-session -t ssh_tmux || tmux new-session -s ssh_tmux
fi
Will give this a go and see how it handles it
If you want logs, this plugin might help:
Dont really care about the logs. If it happens it happens. Is always bash history helping me out
You could use an SSH honeypot as well.
neat
ummm
send me my commission check via certified mail.
https://www.tecmint.com/how-to-monitor-user-activity-with-psacct-or-acct-tools/
Why not give them each their own VM so they wont interfere with the whole class learning if one of them messes up something?
We can’t trust the host system. We’ve chosen to MITM ssh, as a solution.
lack of resources. Might give it a go and see how my laptop handles it but im not sure
Like i said, chroot or jails - lower overhead, easy creation/destruction/rollback…
What sort of resources do you have? You could do containers.
Just spin up a Fedora container with an ssh server running. 
If you’re doing 6-8 people, most hardware should be able to handle 8 containers.
Yup, containers would work too.
Same concept, different name…
If you can spin up a new instance in 10 seconds (or less) then who cares if they break it?
And if you put them on a filesystem with regular COW snapshots, you can even roll back to say 15 minutes ago quite easily.
Go nuts! Break your instance! Experiment!
That’s how people learn