From owner-freebsd-security Mon Jan 17 20:20:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from erouter0.it-datacntr.louisville.edu (erouter0.it-datacntr.louisville.edu [136.165.1.36]) by hub.freebsd.org (Postfix) with ESMTP id 543A215150 for ; Mon, 17 Jan 2000 20:20:28 -0800 (PST) (envelope-from k.stevenson@louisville.edu)
Received: from osaka.louisville.edu (osaka.louisville.edu [136.165.1.114]) by erouter0.it-datacntr.louisville.edu (Postfix) with ESMTP id 5526C24D67; Mon, 17 Jan 2000 23:20:24 -0500 (EST)
Received: by osaka.louisville.edu (Postfix, from userid 15) id B938F18605; Mon, 17 Jan 2000 23:20:22 -0500 (EST)
Date: Mon, 17 Jan 2000 23:20:22 -0500
From: Keith Stevenson
To: Omachonu Ogali
Cc: freebsd-security@freebsd.org
Subject: Re: Parent Logging Patch for sh(1)
Message-ID: <20000117232022.A87011@osaka.louisville.edu>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 17, 2000 at 09:04:07PM -0500, Omachonu Ogali wrote:
> http://tribune.intranova.net/archives/sh-log+access.patch adds uid and
> username logging along with a deny list (/etc/sh.deny).
>
> And in reference to Keith Stevenson's 'So?', if you can determine the
> point of entry in an intrusion you can backtrack to where it originated,
> the main reason I created that patch was to allow a system administrator
> to backtrack in the case of an intrusion.

I think that we may have miscommunicated.  I have no issues with your ppid
logging patch.  I thought that you were complaining that we should not have
a /bin/sh.

In general, I consider more logging to be better.  However, in the case of a
root compromise all local logs are useless since they may have been altered
by the attacker.  (After all, they can't _all_ be script kidz.)
Regards,
--Keith Stevenson--

-- 
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0