Date:      Wed, 25 Jul 2012 14:05:13 +0200
From:      Damien Fleuriot <ml@my.gd>
To:        Peter Boosten <peter@boosten.org>
Cc:        "freebsd-questions@FreeBSD.org" <freebsd-questions@FreeBSD.org>
Subject:   Re: Security - logging of user commands
Message-ID:  <500FE0F9.9020008@my.gd>
In-Reply-To: <FAD52607-4596-4F07-BC04-9C975EA7399C@boosten.org>
References:  <500FDCE4.8060607@my.gd> <FAD52607-4596-4F07-BC04-9C975EA7399C@boosten.org>

No I haven't.

That's a good suggestion, I'll look into it and see if it fits the
purpose :)


On 7/25/12 2:04 PM, Peter Boosten wrote:
> Have you ever considered the audit function of FreeBSD?
> 
> 
> Peter Boosten
> 
> On 25 jul. 2012, at 13:47, Damien Fleuriot <ml@my.gd> wrote:
> 
>> Hello list,
>>
>>
>>
>> We're currently working towards the PCI DSS certification (Payment Card
>> Industry) for a project at work.
>>
>>
>> One of the prerequisites is that all user commands be logged.
>>
>> We're currently using a very bad hack that takes the last command from a
>> user's history and sends it to a log server.
>>
>> This of course is unreliable as a user may entirely disable their
>> history, or just use another shell to bypass the csh function or whatever.
>>
>>
>>
>> My colleagues installed Snoopy on debian and it seems to work wonders as
>> a module which is LD preloaded.
>>
>>
>> I notice it also exists on FreeBSD as /usr/ports/security/snoopy .
>>
>>
>> However I face several problems with it, mainly it doesn't seem to log
>> anything.
>>
>>
>>
>> As per the README, I have added "/usr/local/lib/snoopy.so" to
>> /etc/ld.so.preload
>>
>> I'm not even sure this file is used on BSD?
>>
>> As per the man page for ld.so there's no such file:
>> http://www.freebsd.org/cgi/man.cgi?query=ld.so
>>
>> Neither libmap.conf nor ldconfig(8) seem to be the answer either.
>>
>>
>>
>> I've googled for ld.so.conf and found the following 2 posts which seem
>> to indicate it isn't used either:
>> http://lists.freebsd.org/pipermail/freebsd-hackers/2003-June/001746.html
>> http://lists.freebsd.org/pipermail/freebsd-hackers/2003-June/001747.html
>>
>> The posts mention -current but date back from 2003.
>>
>>
>>
>> Lastly, I have also noticed that the port installs /usr/local/bin/detect
>> which I executed and would always reply "something's fishy".
>>
>> By looking at the (very short) source I noticed the program merely loads
>> /lib/libc.so.6, and it wouldn't find it on my system (8.3-STABLE with
>> /lib/libc.so.7).
>> Adjusting and recompiling lets the program correctly print "secure" but
>> it does nothing else.
>>
>> I have checked that the output /usr/local/lib/snoopy.so module is linked
>> against libc.so.7, and it is.
>>
>>
>>
>> Has anyone ever got Snoopy to work on BSD?
>> Might I need to install linux emulation ?
>>
>> Is there any other port that might do the job and which I could use ?
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
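The audit function Peter points to is the kernel-side answer to the requirement in the original post: every execve(2) is recorded by the kernel with the user's login identity (the audit user ID, which survives su(1)), so it cannot be switched off by clearing a shell history, changing shells or unsetting an environment variable the way a history hack or an LD_PRELOAD shim can. What follows is an added worked example, not code from the thread, from Snoopy or from the FreeBSD audit tools. It assumes exec auditing is enabled by adding the "ex" class to the "flags:" line of /etc/security/audit_control and that the trail has been rendered with praudit(1) in its default one-token-per-line text form; the sample trail embedded in the script is constructed in the style of that output and is not real data. The script turns each execve record into a single line of the kind one would ship to a log server and flags the commands run with an effective uid other than the login identity.

```python
"""Extract execve(2) records from a FreeBSD audit trail (praudit(1) text form)
and emit one shippable log line per command.

Added example for this thread; not code from the thread, Snoopy or FreeBSD.
Assumes the "ex" class is in the flags: line of /etc/security/audit_control
and the trail was rendered with praudit(1), one token per line.
SAMPLE_TRAIL is constructed in that style for the example; not real data.
"""
import shlex
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Constructed sample: two users, one of whom has su'd to root (note the audit
# uid "damien" is kept while the euid is root), plus one failed su attempt.
SAMPLE_TRAIL = """\
header,133,11,execve(2),0,Wed Jul 25 13:47:02 2012, + 412 msec
exec arg,cat,/etc/master.passwd
path,/bin/cat
attribute,100555,root,wheel,90,16464,7258
subject,damien,root,wheel,root,wheel,1234,1234,0,0.0.0.0
return,success,0
trailer,133
header,120,11,execve(2),0,Wed Jul 25 13:48:10 2012, + 17 msec
exec arg,sh,-c,unset HISTFILE
path,/bin/sh
attribute,100555,root,wheel,90,12345,7258
subject,peter,peter,wheel,peter,wheel,1301,1301,0,0.0.0.0
return,success,0
trailer,120
header,96,11,execve(2),0,Wed Jul 25 13:49:55 2012, + 5 msec
exec arg,su,-
path,/usr/bin/su
attribute,104555,root,wheel,90,20001,7258
subject,peter,peter,wheel,peter,wheel,1301,1301,0,0.0.0.0
return,failure : Permission denied,-1
trailer,96
"""


@dataclass
class ExecRecord:
    when: str
    audit_uid: str   # identity set at login; inherited across su(1)/setuid
    euid: str        # effective uid at the time of the exec
    pid: str
    path: Optional[str]
    args: List[str]
    outcome: str     # "success" or the failure text from the return token


def iter_records(text: str) -> Iterator[List[List[str]]]:
    """Group praudit lines into records (header ... trailer); each record is a
    list of comma-split tokens.  Lines outside a header/trailer pair are dropped."""
    rec: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if fields[0] == "header":
            rec = [fields]
        elif fields[0] == "trailer":
            if rec:
                rec.append(fields)
                yield rec
            rec = []
        elif rec:
            rec.append(fields)


def exec_records(text: str) -> List[ExecRecord]:
    """Return only the execve(2) records, in trail order."""
    out: List[ExecRecord] = []
    for rec in iter_records(text):
        header = rec[0]   # header,<len>,<version>,<event>,<modifier>,<time>,<msec>
        if len(header) < 6 or header[3] != "execve(2)":
            continue
        args: List[str] = []
        path: Optional[str] = None
        audit_uid = euid = pid = outcome = "?"
        for fields in rec[1:]:
            tok = fields[0]
            if tok == "exec arg":
                args = fields[1:]
            elif tok == "path":
                path = fields[1]
            elif tok == "subject":
                # subject,audit-uid,euid,egid,ruid,rgid,pid,sid,tid-port,tid-addr
                audit_uid, euid, pid = fields[1], fields[2], fields[6]
            elif tok == "return":
                outcome = fields[1]
        out.append(ExecRecord(header[5].strip(), audit_uid, euid, pid, path, args, outcome))
    return out


def format_log_line(r: ExecRecord) -> str:
    """One line per command; audit_uid is the accountable (login) user."""
    return (f"{r.when} audit_uid={r.audit_uid} euid={r.euid} pid={r.pid} "
            f"result={r.outcome} exec={r.path} argv={shlex.join(r.args)}")


def privileged_execs(records: List[ExecRecord]) -> List[ExecRecord]:
    """Commands whose effective uid differs from the login identity (after su)."""
    return [r for r in records if r.euid != r.audit_uid]


if __name__ == "__main__":
    recs = exec_records(SAMPLE_TRAIL)
    for r in recs:
        print(format_log_line(r))
    print(f"{len(privileged_execs(recs))} of {len(recs)} commands ran with euid != login user")
```

Two caveats worth knowing before relying on this for an audit: the comma-split parsing above breaks on an argument that itself contains a comma, so for anything more than a quick report feed the parser from praudit -x (XML) instead; and exec auditing only sees processes that are exec'd, so shell builtins such as cd or export never appear in the trail, which is a property of the mechanism rather than of the parser.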


