From owner-freebsd-security Thu Aug 27 22:09:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA23046 for freebsd-security-outgoing; Thu, 27 Aug 1998 22:09:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA23041 for ; Thu, 27 Aug 1998 22:09:35 -0700 (PDT) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id WAA29901; Thu, 27 Aug 1998 22:08:37 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Thu, 27 Aug 1998 22:08:36 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: Joe Gleason
cc: Wilson MacGyver , security@FreeBSD.ORG, Brian Behlendorf
Subject: Shell history (Was: Re: post breakin log)
In-Reply-To: <00bb01bdd233$76594990$f10408d1@bug.tasam.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

What if the user were to switch shell or to install their own? I do not think one should depend on shell history to log all that a user does. The best way is to implement something like watch(8) to check the ttys you want, or to start automatically when someone attaches to a tty.

Again, this is also flawed... what if someone simply continues to use the root shell they got through a popper overflow? No tty, no entry in wtmp... have fun getting their command history. But wait... tcpdump. Using something like NFR to capture the session for you should work unless something like ssh is used.

Ideas? Opinions? Flames? How would YOU monitor what your users are doing if you had to?

-- 
Yan
www.best.com/~jkb/

Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."
On Thu, 27 Aug 1998, Joe Gleason wrote:

>You could always make a custom bash that sends each command to syslog as it
>is done. ;-)
>
>Then you could have your syslog log it to a remote system.
>
>Joe Gleason
>Tasam
>
>
>>At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
>>>the log from history follows.
>>
>>Is there a fool-proof way to get user histories like this? I got one once
>>only because the cracker was lame enough to forget to delete his
>>.bash_history file. Presuming root isn't compromised of course...
>>
>> Brian
>>
>>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>>"Common sense is the collection of prejudices | brian@apache.org
>>acquired by the age of eighteen." - Einstein | brian@hyperreal.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
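An added illustration of Joe's "custom bash that sends each command to syslog" idea, written for this archive and not code from any of the posters: rather than patching bash, it hooks bash's DEBUG trap and hands each command to logger(1), leaving the hop to a remote host to syslogd. It inherits Jan's caveat, since a user who execs another shell, or a root shell that never got a tty, is outside it. The function names, the syslog tag and the record layout are my own choices.

```shell
#!/bin/bash
# Added example (not from the thread): per-command audit records from bash
# to syslog. Assumes bash 3 or newer and a logger(1) that accepts -p and -t.
# Thread caveat: this sees only commands typed into THIS bash. A user who
# execs another shell, runs "trap - DEBUG", or holds a root shell with no
# tty is not covered, so it is accountability for cooperative sessions,
# not a tamper-proof control.

# Build one audit record: who, on which tty, in which directory, ran what.
# Embedded newlines are flattened so each record is exactly one syslog line.
format_cmd_log_line() {
    local user tty cwd flat
    user=$1; tty=$2; cwd=$3
    flat=$(printf '%s' "$4" | tr '\n' ' ')
    printf 'user=%s tty=%s cwd=%s cmd=%s' "$user" "$tty" "$cwd" "$flat"
}

# Emit one record to the auth facility. Shipping it off-box is syslogd's
# job (e.g. an "auth.*  @loghost" line in syslog.conf), so that a local
# intruder cannot simply edit the file afterwards.
log_shell_cmd() {
    local t line
    t=$(tty 2>/dev/null) || t=notty      # tty(1) prints "not a tty" on failure
    line=$(format_cmd_log_line "$USER" "$t" "$PWD" "$1")
    logger -p auth.info -t "bashaudit[$$]" "$line"
}

# Hook every simple command before it runs. BASH_COMMAND holds the text of
# the command about to execute; functions do not inherit the DEBUG trap
# unless functrace is set, so the logger call itself is not logged.
install_cmd_audit() {
    trap 'log_shell_cmd "$BASH_COMMAND"' DEBUG
}

# Typical use: source this file from /etc/profile, then call install_cmd_audit.
```

Sample records look like `user=alice tty=/dev/ttyp0 cwd=/home/alice cmd=ls -la` under the `bashaudit[<pid>]` tag in the auth log.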