Date: Fri, 28 Aug 1998 01:15:46 -0400 From: "Joe Gleason" <clash@tasam.com> To: "Jan B. Koum " <jkb@best.com> Cc: <security@FreeBSD.ORG> Subject: Re: Shell history (Was: Re: post breakin log) Message-ID: <002001bdd242$f1e3baf0$f10408d1@bug.tasam.com>
I don't know that much kernel stuff, but what if you hacked the kernel so
that whatever syscall opens/forks a new process will log the process name
and parameters? That, and having watch running, telling it to restart on
reconnect to a tty and watching each tty that way, should give you lots of
data.
I think the best security measure would be a custom-compiled who and/or w
command that logs if anyone uses it more than once per 20 seconds. You can
always tell if someone is up to something by their use of the who command.
;-)
Joe Gleason
Tasam
>
> What if the user were to switch shell or to install their own?
>
> I do not think one should depend on shell history to log all that a
> user does. The best way is to implement something like watch(8) to check
> the ttys you want or to automatically start when someone attaches
> to a tty. Again, this is also flawed.. what if someone simply
> continues to use the root shell they got through a popper overflow?
> No tty, no entry in wtmp... have fun getting their command
> history. But wait... tcpdump. Using something like NFR to capture
> the session for you should work unless something like ssh is used.
>
> Ideas? Opinions? Flames? How would YOU monitor what your users are
> doing if you had to?
>
>-- Yan
>
>www.best.com/~jkb/ Unix users of the world unite:
>www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
>"Turn up the lights, I don't want to go home in the dark."
>
>On Thu, 27 Aug 1998, Joe Gleason wrote:
>
>>You could always make a custom bash that sends each command to syslog as
>>it is done. ;-)
>>
>>Then you could have your syslog log it to a remote system.
>>
>>Joe Gleason
>>Tasam
>>
>>
>>>At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
>>>>the log from history follows.
>>>
>>>Is there a fool-proof way to get user histories like this? I got one
>>>once only because the cracker was lame enough to forget to delete his
>>>.bash_history file. Presuming root isn't compromised of course...
>>>
>>> Brian
>>>
>>>
>>>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>>>"Common sense is the collection of prejudices | brian@apache.org
>>>acquired by the age of eighteen." - Einstein | brian@hyperreal.org
>>>
>>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>>with "unsubscribe freebsd-security" in the body of the message
>>>
>>
>>
>>
>
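As an added illustration of the "custom bash that sends each command to syslog" idea from this thread (this is not code from any of the posters, and not FreeBSD's): rather than patching bash, the script below uses bash's DEBUG trap to hand every command line to logger(1), so a remote loghost keeps a copy even after the intruder deletes ~/.bash_history. The facility (local6), the tag (cmdaudit), the record layout and the function names are my assumptions. The formatting step is kept separate from the syslog call so it can be checked offline.

```shell
#!/bin/sh
# Added example, not from the thread. Shell-side command auditing that
# ships every command line to syslog, so the record survives deletion of
# ~/.bash_history as long as syslog forwards to a remote host.
#
# Assumptions (mine): bash >= 3 for the DEBUG trap, logger(1) present,
# and syslog.conf forwarding facility local6 to a loghost.

# audit_format: build one single-line log record.
#   $1 user  $2 tty  $3 pid  $4 cwd  $5 command line
# Newlines and carriage returns inside the command are flattened to spaces
# so a multi-line command cannot forge a second record in the log.
audit_format() {
    cmd=$(printf '%s' "$5" | tr '\n\r' '  ')
    printf 'user=%s tty=%s pid=%s cwd=%s cmd=%s' "$1" "$2" "$3" "$4" "$cmd"
}

# audit_send: hand a record to syslog. Facility and tag are assumptions;
# the point is that the loghost, not the local disk, is the durable copy.
audit_send() {
    logger -p local6.info -t cmdaudit -- "$1"
}

# audit_enable: bash only. DEBUG fires before each simple command and
# $BASH_COMMAND holds its text. Call this from /etc/profile or bashrc.
#
# Caveat raised in the thread: a user can 'trap - DEBUG', 'exec /bin/sh',
# or simply never have a tty (a shell from a daemon overflow), so this
# only records cooperating interactive shells. It is a deterrent and a
# forensic aid, not an enforcement mechanism.
audit_enable() {
    trap 'audit_send "$(audit_format "${USER:-$(id -un)}" "$(tty 2>/dev/null || echo notty)" "$$" "$PWD" "$BASH_COMMAND")"' DEBUG
}
```

Deploying this means sourcing the file and calling audit_enable from a system-wide shell startup file; if root is already compromised the intruder can edit that file, which is why only the copy already forwarded to the loghost is worth anything after the fact.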
