Date: Thu, 27 Aug 1998 23:05:56 -0700 (PDT) From: "Jan B. Koum " <jkb@best.com> To: wkt@cs.adfa.oz.au Cc: security@FreeBSD.ORG Subject: Re: Shell history Message-ID: <Pine.BSF.4.02A.9808272252190.5148-100000@shell6.ba.best.com> In-Reply-To: <199808280519.PAA04932@henry.cs.adfa.oz.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 28 Aug 1998, Warren Toomey wrote: >In article by Jan B. Koum: >> What if the user would be to switch shell or to install their own? >> I do not think one should depend on shell history to log all what >> user does. How would YOU monitor what your users are >> doing if you had to? > > accton(8), lastcomm(1) > > Warren > Once can just "cp" the executable. % cp /sbin/ifconfig ./.a % ./.a -a vx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255 ether 00:60:08:15:bc:65 lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500 tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 127.0.0.1 netmask 0xff000000 % lastcomm | grep ifconfig % lastcomm | grep .a lastcomm - jkb ttyp3 0.00 secs Thu Aug 27 22:56 .a - jkb ttyp3 0.00 secs Thu Aug 27 22:56 And if the binary is setuid... exec: % exec su Password: nfr# lastcomm hostname - root ttyp3 0.00 secs Thu Aug 27 22:52 lastcomm -S root ttyp2 0.00 secs Thu Aug 27 22:52 lastcomm -S root ttyp2 0.00 secs Thu Aug 27 22:52 vi - jkb ttyp3 0.03 secs Thu Aug 27 22:52 lastcomm -S root ttyp2 0.00 secs Thu Aug 27 22:51 I am sure there are probably many other ways around lastcomm. I hope you are not relaying 100% on the output of lastcomm to tell you what users are up to. -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.02A.9808272252190.5148-100000>