Date:      Thu, 27 Aug 1998 22:08:36 -0700 (PDT)
From:      "Jan B. Koum " <jkb@best.com>
To:        Joe Gleason <clash@tasam.com>
Cc:        Wilson MacGyver <macgyver@cylatech.com>, security@FreeBSD.ORG, Brian Behlendorf <brian@hyperreal.org>
Subject:   Shell history (Was: Re: post breakin log)
Message-ID:  <Pine.BSF.4.02A.9808272157050.27634-100000@shell6.ba.best.com>
In-Reply-To: <00bb01bdd233$76594990$f10408d1@bug.tasam.com>


	What if the user were to switch shell or to install their own?

	I do not think one should depend on shell history to log everything
	a user does. The best way is to implement something like watch(8) to
	check the ttys you want, or to start it automatically when someone
	attaches to a tty. Again, this is also flawed.. what if someone simply
	continues to use a root shell they got through a popper overflow?
	No tty, no entry in wtmp... have fun getting their command
	history. But wait... tcpdump. Using something like NFR to capture
	the session for you should work unless something like ssh is used.

	Ideas? Opinions? Flames? How would YOU monitor what your users are
	doing if you had to?

-- Yan

www.best.com/~jkb/         Unix users of the world unite:
www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Thu, 27 Aug 1998, Joe Gleason wrote:

>You could always make a custom bash that sends each command to syslog as it
>is done. ;-)
>
>Then you could have your syslog log it to a remote system.
>
>Joe Gleason
>Tasam
>
>
>>At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
>>>the log from history follows.
>>
>>Is there a fool-proof way to get user histories like this?  I got one once
>>only because the cracker was lame enough to forget to delete his
>>.bash_history file.    Presuming root isn't compromised of course...
>>
>> Brian
>>
>>
>>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>>"Common sense is the collection of prejudices  |     brian@apache.org
>>acquired by the age of eighteen." - Einstein   |  brian@hyperreal.org
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-security" in the body of the message
>>
>

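A defender-side check that follows from Yan's point above (a shell obtained through a daemon overflow has no controlling tty and no wtmp/utmp login record, so history and watch(8) never see it): cross-check the shells that are actually running against the ttys that have a login record. This is an added example, not a script from the thread or from FreeBSD; the ps and who output it parses is constructed sample text, and the column layout assumed is that of `ps -axo pid,ppid,user,tty,comm` and `who`.

```python
"""Flag interactive shells that have no matching login record (added example)."""

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}

# Constructed sample of `ps -axo pid,ppid,user,tty,comm` output (not a real host).
PS_SAMPLE = """\
  PID  PPID USER     TT       COMM
  412     1 root     ??       popper
  417   412 root     ??       sh
  500   498 alice    p0       bash
  612   610 root     p1       tcsh
"""

# Constructed sample of `who` output: only alice has a login record (utmp entry).
WHO_SAMPLE = """\
alice   ttyp0   Aug 27 21:57  (shell6.ba.best.com)
"""


def parse_ps(text):
    """Parse the five ps columns above into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, ppid, user, tty, comm = parts
        rows.append({"pid": int(pid), "ppid": int(ppid), "user": user,
                     "tty": tty, "comm": comm})
    return rows


def parse_who(text):
    """Return the set of ttys with a login record, normalised to ps's short form."""
    ttys = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            tty = parts[1]
            # who prints "ttyp0" where BSD ps prints "p0"; strip the prefix.
            ttys.add(tty[3:] if tty.startswith("tty") else tty)
    return ttys


def suspicious_shells(ps_rows, logged_in_ttys):
    """Shells with no controlling tty, or on a tty that never logged in."""
    findings = []
    for r in ps_rows:
        if r["comm"] not in SHELLS:
            continue
        if r["tty"] in ("??", "?", "-"):
            findings.append((r["pid"], r["user"], "shell with no controlling tty"))
        elif r["tty"] not in logged_in_ttys:
            findings.append((r["pid"], r["user"], "tty %s has no login record" % r["tty"]))
    return findings


if __name__ == "__main__":
    for pid, user, why in suspicious_shells(parse_ps(PS_SAMPLE), parse_who(WHO_SAMPLE)):
        print("pid %d (%s): %s" % (pid, user, why))
```

Run periodically from cron against live `ps -axo pid,ppid,user,tty,comm` and `who` output; a hit is a shell that shell history, wtmp and watch(8) will not account for, which is exactly the session to go after with network capture.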