Date: Fri, 28 Aug 1998 01:15:46 -0400
From: "Joe Gleason" <clash@tasam.com>
To: "Jan B. Koum" <jkb@best.com>
Cc: <security@FreeBSD.ORG>
Subject: Re: Shell history (Was: Re: post breakin log)
Message-ID: <002001bdd242$f1e3baf0$f10408d1@bug.tasam.com>
I don't know that much kernel stuff, but what if you hacked the kernel so that whatever syscall opens/forks a new process will log the process name and parameters? That, and having watch running, telling it to restart on reconnect to a tty and be watching each tty that way, should give you lots of data.

I think the best security measure would be a custom-compiled who and/or w command that logs if anyone uses it more than once per 20 seconds. You can always tell if someone is up to something by their use of the who command. ;-)

Joe Gleason
Tasam

> What if the user were to switch shell or to install their own?
>
> I do not think one should depend on shell history to log all that a
> user does. The best way is to implement something like watch(8) to check
> the ttys you want or to automatically start when someone attaches
> to a tty. Again, this is also flawed... what if someone simply
> continues to use the root shell they got through a popper overflow?
> No tty, no entry in wtmp... have fun getting their command
> history. But wait... tcpdump. Using something like NFR to capture
> the session for you should work unless something like ssh is used.
>
> Ideas? Opinions? Flames? How would YOU monitor what your users are
> doing if you had to?
>
> -- Yan
>
> www.best.com/~jkb/ Unix users of the world unite:
> www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
> "Turn up the lights, I don't want to go home in the dark."
>
> On Thu, 27 Aug 1998, Joe Gleason wrote:
>
>> You could always make a custom bash that sends each command to syslog as it
>> is done. ;-)
>>
>> Then you could have your syslog log it to a remote system.
>>
>> Joe Gleason
>> Tasam
>>
>>> At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
>>>> the log from history follows.
>>>
>>> Is there a fool-proof way to get user histories like this? I got one once
>>> only because the cracker was lame enough to forget to delete his
>>> .bash_history file. Presuming root isn't compromised, of course...
>>>
>>> Brian
>>>
>>> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>>> "Common sense is the collection of prejudices | brian@apache.org
>>> acquired by the age of eighteen." - Einstein | brian@hyperreal.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
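The "custom bash that syslogs each command, then ship syslog off-box" idea from the quoted message can be done without recompiling bash. The block below is an added example written for this archive page; it is not code posted by anyone in the thread. It assumes bash with a DEBUG trap (bash 2.05 or later), logger(1) on the box, a syslog collector called loghost.example.org (a made-up name), and that the hook text gets appended to a system-wide profile such as /etc/profile (path is an assumption; pick whatever your login shells read). The caveat the thread raises still holds: the hook only sees commands typed into this bash, so a user who starts another shell, runs `trap - DEBUG`, or sits in a root shell spawned from a daemon exploit with no tty produces nothing. It is a convenience log, not an audit trail.

```shell
#!/bin/sh
# Added example (not from the thread): per-command syslog from an interactive
# bash, plus the syslog.conf line that forwards it to a remote collector.
# Assumptions are marked; names/paths are illustrative.

# One fixed key=value record per command so the collector side is greppable.
# Args: user tty cwd command. Embedded newlines in the command are flattened
# so a single command never spans two syslog records.
format_cmd_record() {
    printf 'user=%s tty=%s cwd=%s cmd=%s' \
        "$1" "$2" "$3" "$(printf '%s' "$4" | tr '\n' ' ')"
}

# The bash side, emitted as text so this script itself stays POSIX sh.
# Append the output to the system-wide profile (assumed: /etc/profile).
#  - the DEBUG trap runs before every simple command; $BASH_COMMAND is its text
#  - functrace makes the trap fire inside shell functions too, otherwise a
#    user can hide commands in a function body
#  - readonly -f stops the user from redefining the hook (they can still
#    remove the trap; that is the thread's point about trusting the shell)
bash_hook() {
    cat <<'EOF'
if [ -n "$BASH_VERSION" ] && [ -n "$PS1" ]; then
    __cmdlog() {
        logger -p auth.info -t cmdlog \
            "user=$USER tty=$(tty 2>/dev/null) cwd=$PWD cmd=$BASH_COMMAND"
    }
    set -o functrace
    trap __cmdlog DEBUG
    readonly -f __cmdlog 2>/dev/null
fi
EOF
}

# syslog.conf line sending the auth facility to a remote collector (arg 1 is
# the host name, assumed). The collector's syslogd must be willing to accept
# UDP from this host; on FreeBSD that is syslogd's -a allowed_peer option,
# without which the forwarded records are dropped silently.
syslog_conf_line() {
    printf 'auth.info\t@%s\n' "$1"
}

# Stand-alone demo on constructed input (no real user session involved).
demo() {
    format_cmd_record joe ttyp1 /home/joe 'cat /etc/passwd'; echo
    syslog_conf_line loghost.example.org
    echo '--- bash hook to append to /etc/profile (assumed path) ---'
    bash_hook
}

[ "${CMDLOG_NO_DEMO:-}" ] || demo
```

Drop the hook into the profile, add the syslog.conf line, restart syslogd (`kill -HUP` on its pid), and every interactive command shows up on the collector as `cmdlog: user=... cmd=...`. If you care about the records after a root compromise, the remote copy is the only one worth reading; the local /var/log/messages is as deletable as .bash_history.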