Date:      Thu, 27 Aug 1998 23:05:56 -0700 (PDT)
From:      "Jan B. Koum " <jkb@best.com>
To:        wkt@cs.adfa.oz.au
Cc:        security@FreeBSD.ORG
Subject:   Re: Shell history 
Message-ID:  <Pine.BSF.4.02A.9808272252190.5148-100000@shell6.ba.best.com>
In-Reply-To: <199808280519.PAA04932@henry.cs.adfa.oz.au>

On Fri, 28 Aug 1998, Warren Toomey wrote:

>In article by Jan B. Koum:
>> 	What if the user would be to switch shell or to install their own?
>> 	I do not think one should depend on shell history to log all what
>> 	user does. How would YOU monitor what your users are
>> 	doing if you had to?
>
>	accton(8), lastcomm(1)
>
>		Warren
>

	One can just "cp" the executable.

% cp /sbin/ifconfig ./.a
% ./.a -a
vx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:60:08:15:bc:65 
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000 

% lastcomm | grep ifconfig
% lastcomm | grep .a
lastcomm         -       jkb      ttyp3      0.00 secs Thu Aug 27 22:56 
.a               -       jkb      ttyp3      0.00 secs Thu Aug 27 22:56 

	And if the binary is setuid... exec:

% exec su
Password:
nfr# lastcomm
hostname         -       root     ttyp3      0.00 secs Thu Aug 27 22:52 
lastcomm         -S      root     ttyp2      0.00 secs Thu Aug 27 22:52 
lastcomm         -S      root     ttyp2      0.00 secs Thu Aug 27 22:52 
vi               -       jkb      ttyp3      0.03 secs Thu Aug 27 22:52 
lastcomm         -S      root     ttyp2      0.00 secs Thu Aug 27 22:51 

	I am sure there are probably many other ways around lastcomm. I
hope you are not relying 100% on the output of lastcomm to tell you what
users are up to.

-- Yan
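As an added example (not part of the message, and not FreeBSD's own tooling): a small Python parser for lastcomm(1) lines in the layout quoted above, which flags the two patterns the message demonstrates, a command recorded under a renamed (dot-prefixed) basename and privilege changes on a tty. The sample lines are constructed, and the expected-command set is an assumption to tune per host.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One lastcomm(1) line: command, flags ("-" none, S = ran as superuser), user, tty, CPU secs, start time.
LASTCOMM_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+) secs\s+(?P<when>.+?)\s*$")

# Constructed sample, modelled on the output quoted in the message (not a real log).
SAMPLE = """\
lastcomm         -       jkb      ttyp3      0.00 secs Thu Aug 27 22:56
.a               -       jkb      ttyp3      0.00 secs Thu Aug 27 22:56
hostname         -       root     ttyp3      0.00 secs Thu Aug 27 22:52
lastcomm         -S      root     ttyp2      0.00 secs Thu Aug 27 22:52
vi               -       jkb      ttyp3      0.03 secs Thu Aug 27 22:52
"""

# Hypothetical set of command names an admin expects to see; tune per host.
EXPECTED_CMDS = {"ifconfig", "hostname", "lastcomm", "vi", "su", "sh", "csh"}

@dataclass
class Record:
    cmd: str
    flags: str
    user: str
    tty: str
    secs: float
    when: str

def parse_lastcomm(text):
    """Return a Record for every line that matches the lastcomm layout."""
    out = []
    for line in text.splitlines():
        m = LASTCOMM_RE.match(line)
        if m:
            out.append(Record(m["cmd"], m["flags"], m["user"], m["tty"], float(m["secs"]), m["when"]))
    return out

def review(records, expected=EXPECTED_CMDS):
    """Accounting stores only the exec'd basename, so a renamed copy appears under the
    new name; su/setuid use changes who later commands on the same tty are charged to."""
    findings = []
    by_tty = defaultdict(set)
    for r in records:
        by_tty[r.tty].add(r.user)
        if r.cmd.startswith("."):
            findings.append((r.cmd, r.user, r.tty, "hidden (dot-prefixed) command name"))
        elif r.cmd not in expected:
            findings.append((r.cmd, r.user, r.tty, "command name outside expected set"))
        if "S" in r.flags:
            findings.append((r.cmd, r.user, r.tty, "ran with superuser privileges (S flag)"))
    for tty, users in by_tty.items():
        if len(users) > 1:
            findings.append(("*", ",".join(sorted(users)), tty, "more than one uid on one tty (su/exec?)"))
    return findings
```

Treat the findings as leads to correlate with wtmp and login records, not as proof; as the message notes, lastcomm alone cannot tell you what users are up to.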

