Date:      Wed, 24 Jan 1996 15:24:47 -0700 (MST)
From:      Barnacle Wes <wes@intele.net>
To:        msmith@atrad.adelaide.edu.au (Michael Smith)
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: Logging user activity
Message-ID:  <199601242224.PAA12565@intele.net>
In-Reply-To: <199601240359.OAA25573@genesis.atrad.adelaide.edu.au> from "Michael Smith" at Jan 24, 96 02:29:58 pm

William McVey stands accused of saying:
% Accounting (historically) has some serious problems as far as
% security auditing goes.  Typically the logfile contains the basename

Mike Smith observed by way of reply:
> Agreed.  These are good techniques for catching inexperienced hackers;
> good ones will spot them straight off.  Short of a direct tty log of
> everything you don't have much hope there.


On the other hand, since you do have the system sources, you can go
hack the syscalls for exec, open, etc. to log whatever you want.
Unless you think the user is dumping statically-linked executables
on your system, it would probably be enough to just create a new
libc.so that does syslog calls before each syscall.

Use the source, Luke!

-- 
   Wes Peters	| Yes I am a pirate, two hundred years too late
    Softweyr 	| The cannons don't thunder, there's nothing to plunder
   Consulting	| I'm an over forty victim of fate...
 wes@intele.net	|					Jimmy Buffet
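
One way to prototype the libc-level logging suggested in the message above, as an added example that is not part of the original e-mail: rather than rebuilding libc.so, a preload library interposes `execve` and writes a syslog record before the system call is issued. The file name `audit_shim.c`, the helper `audit_format`, the record layout and the `LOG_AUTH` facility are assumptions made for this example.

```c
/* audit_shim.c (added example, hypothetical file name).
 * Build: cc -shared -fPIC -o audit_shim.so audit_shim.c
 * Load:  LD_PRELOAD=/path/to/audit_shim.so <program> */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Format one audit record into buf (hypothetical layout).
 * Every byte of path outside printable, non-space ASCII becomes '?', so a
 * crafted file name cannot inject newlines or extra key=value fields.
 * An over-long path is truncated. Returns the record length, or -1 when
 * buf cannot even hold the fixed prefix. */
int audit_format(char *buf, size_t n, const char *call, const char *path)
{
    int len = snprintf(buf, n, "audit uid=%ld pid=%ld call=%s path=",
                       (long)getuid(), (long)getpid(), call);
    if (len < 0 || (size_t)len >= n)
        return -1;
    for (const char *p = path ? path : "(null)";
         *p && (size_t)len + 1 < n; p++)
        buf[len++] = (*p >= 0x21 && *p <= 0x7e) ? *p : '?';
    buf[len] = '\0';
    return len;
}

/* Interposed execve(2): the dynamic linker resolves calls to this symbol
 * before libc's, so the record is written before the kernel is entered. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    char rec[512];

    if (audit_format(rec, sizeof rec, "execve", path) >= 0)
        syslog(LOG_AUTH | LOG_INFO, "%s", rec);
    /* Issue the real system call directly rather than re-entering libc. */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Statically linked binaries and code that issues the system call itself never pass through this symbol, which is the limitation the message notes; the run-time linker also ignores LD_PRELOAD for set-user-ID programs, so system-wide coverage needs the logging built into the installed libc.so.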


