Date: Wed, 7 Jan 2004 15:38:00 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
To: Richard Bejtlich <richard_bejtlich@yahoo.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Logging user activities
Message-ID: <Pine.NEB.3.96L.1040107153538.6025F-100000@fledge.watson.org>
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>

On Tue, 6 Jan 2004, Richard Bejtlich wrote:

> What do you recommend for keeping track of user activities? For
> preserving bash histories I followed these recommendations:
>
> http://www.defcon1.org/secure-command.html
>
> They include using 'chflags sappnd .bash_history', enabling process
> accounting, and the like.
>
> My goal is to "watch the watchers," i.e. watch for abuse of power by SOC
> people with the ability to view traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities too. I may also
> try some of the patches to bash listed at project.honeynet.org which
> send keystrokes to a remote server. Hardware keystroke logging is
> always a possibility.
>
> For more, should I turn to TrustedBSD integration in a future 5.x
> release?

One of the "Coming soon" features for the next year will be Audit support
for FreeBSD, based on some work we did on a related operating system
platform. There's been some prior work on Audit on FreeBSD, but it's
never been completed and merged. However, Audit requires some fairly
extensive changes, so I wouldn't look for it before August of 2004, I
think. I've been vaguely thinking about taking a few weeks off work to
jumpstart it, but I haven't really found time.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research