Date: Mon, 17 Jan 2000 23:20:22 -0500
From: Keith Stevenson <k.stevenson@louisville.edu>
To: Omachonu Ogali <oogali@intranova.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Parent Logging Patch for sh(1)
Message-ID: <20000117232022.A87011@osaka.louisville.edu>
In-Reply-To: <Pine.BSF.4.10.10001172101390.96286-100000@hydrant.intranova.net>
References: <Pine.BSF.4.21.0001171536040.68131-100000@sapphire.looksharp.net> <Pine.BSF.4.10.10001172101390.96286-100000@hydrant.intranova.net>

On Mon, Jan 17, 2000 at 09:04:07PM -0500, Omachonu Ogali wrote:
> http://tribune.intranova.net/archives/sh-log+access.patch adds uid and
> username logging along with a deny list (/etc/sh.deny).
>
> And in reference to Keith Stevenson's 'So?', if you can determine the
> point of entry in an intrusion you can backtrack to where it originated,
> the main reason I created that patch was to allow a system administrator
> to backtrack in the case of an intrusion.

I think that we may have miscommunicated. I have no issues with your ppid
logging patch. I thought that you were complaining that we should not have a
/bin/sh.

In general, I consider more logging to be better. However in the case of a
root compromise all local logs are useless since they may have been altered by
the attacker. (After all, they can't _all_ be script kidz.)

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message