Date: Thu, 27 Aug 1998 19:47:59 -0500
From: "Matthew D. Fuller" <fullermd@futuresouth.com>
To: Brian Behlendorf <brian@hyperreal.org>
Cc: Wilson MacGyver <macgyver@cylatech.com>, security@FreeBSD.ORG
Subject: Re: post breakin log
Message-ID: <19980827194759.15155@futuresouth.com>
In-Reply-To: <19980827182323.6798.qmail@hyperreal.org>; from Brian Behlendorf on Thu, Aug 27, 1998 at 11:16:01AM -0700
References: <199808270538.BAA01341@armitage.cylatech.com> <19980827182323.6798.qmail@hyperreal.org>

On Thu, Aug 27, 1998 at 11:16:01AM -0700, Brian Behlendorf woke me up to tell me:
> At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
> >the log from history follows.
>
> Is there a fool-proof way to get user histories like this?  I got one once
> only because the cracker was lame enough to forget to delete his
> .bash_history file.  Presuming root isn't compromised of course...

Command accounting's a pretty good way.
And if you raise the secure level and set the acct file append_only (sappend
flag?), it's pretty foolproof.  Very spammable if they catch up, but fairly
foolproof.

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| FreeBSD; the way computers were meant to be             |
* "The only reason I'm burning my candle at both ends, is *
| that I haven't figured out how to light the middle yet."|
* fullermd@futuresouth.com :-} MAtthew Fuller             *
| http://keystone.westminster.edu/~fullermd               |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980827194759.15155>
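
Added example (not part of the original message, and not FreeBSD's own tooling): the two settings the reply combines, as a script for a FreeBSD host, showing that the append-only flag only holds against root once the securelevel is 1 or higher. chflags(1) spells the flag sappnd (sappend is accepted as well); the path /var/account/acct, the `ls -lo` flags column and the kern.securelevel sysctl are assumed FreeBSD defaults.

```sh
#!/bin/sh
# acct-audit.sh: added example, not code from the thread.
# Audits (and optionally applies) append-only process accounting on FreeBSD.

ACCT_FILE=${ACCT_FILE:-/var/account/acct}

# has_flag FLAGS NAME: true if NAME is in the comma-separated FLAGS field
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# assess FLAGS SECURELEVEL: prints one verdict
#   unprotected  no system append-only flag; the history can be truncated,
#                replaced or deleted like any other file
#   removable    flag is set but securelevel < 1, so root can clear it again
#   append-only  flag is set and securelevel >= 1; records already written
#                cannot be altered until the machine is rebooted
assess() {
    if ! has_flag "$1" sappnd; then
        echo unprotected
    elif [ "$2" -lt 1 ]; then
        echo removable
    else
        echo append-only
    fi
}

# Live wrappers (FreeBSD, run as root). Nothing below runs unless asked for.
file_flags() { ls -lo "$1" | awk '{ print $5 }'; }   # "-" when no flags are set

apply() {
    [ -e "$ACCT_FILE" ] || { touch "$ACCT_FILE" && chmod 600 "$ACCT_FILE"; }
    accton "$ACCT_FILE"            # kernel appends a record as each process exits
    chflags sappnd "$ACCT_FILE"    # set the flag first ...
    sysctl kern.securelevel=1      # ... then raise the level (1998-era: sysctl -w)
}

case "${1:-}" in
    apply) apply ;;
    audit) assess "$(file_flags "$ACCT_FILE")" "$(sysctl -n kern.securelevel)" ;;
esac
```

Run `sh acct-audit.sh audit` to get the verdict for the live host and `lastcomm` to read the records; each record holds the command name, user, tty and times, but not the command's arguments. While the securelevel is raised the file cannot be truncated or rotated, so every process anyone runs makes it longer until the next reboot.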