From owner-freebsd-security  Thu Aug 27 21:57:02 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id VAA21902
          for freebsd-security-outgoing; Thu, 27 Aug 1998 21:57:02 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA21895;
          Thu, 27 Aug 1998 21:56:53 -0700 (PDT)
          (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost)
	by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id VAA28120;
	Thu, 27 Aug 1998 21:55:59 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Thu, 27 Aug 1998 21:55:59 -0700 (PDT)
From: "Jan B. Koum " <jkb@best.com>
X-Sender: jkb@shell6.ba.best.com
To: Gary Palmer <gpalmer@FreeBSD.ORG>
cc: Brian Behlendorf <brian@hyperreal.org>,
        Wilson MacGyver <macgyver@cylatech.com>, security@FreeBSD.ORG
Subject: Shell history (Was: Re: post breakin log)
In-Reply-To: <1652.904271528@gjp.erols.com>
Message-ID: <Pine.BSF.4.02A.9808272151030.27634-100000@shell6.ba.best.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


	This is assuming intruder will not try to change shell, turn off
history within the shell and is in general pretty clueless when it comes
to shell history. :)
	A friend of mine came up with an idea to create a shell which
would log everything a user does.. not via shell history mechanism, but
rather ala watch(8). Everything user types would go into some files
somewhere. Then again, nothing ever came out of it.

-- Yan

www.best.com/~jkb/         Unix users of the world unite:
www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Thu, 27 Aug 1998, Gary Palmer wrote:

>Brian Behlendorf wrote in message ID
><19980827182323.6798.qmail@hyperreal.org>:
>> Is there a fool-proof way to get user histories like this?  I got one once
>> only because the cracker was lame enough to forget to delete his
>> .bash_history file.    Presuming root isn't compromised of course...
>
>Force the history files to be created with uappend flag set and run with a non 
>zero security level.
>
>Gary
>--
>Gary Palmer                                          FreeBSD Core Team Member
>FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message