From: Peter Boosten
Date: Wed, 25 Jul 2012 14:04:04 +0200
To: Damien Fleuriot
Cc: freebsd-questions@FreeBSD.org
Subject: Re: Securituy - logging of user commands
In-Reply-To: <500FDCE4.8060607@my.gd>

Have you ever considered the audit function of FreeBSD?

Peter Boosten

On 25 jul. 2012, at 13:47, Damien Fleuriot wrote:

> Hello list,
>
> We're currently working towards the PCI DSS certification (Payment Card
> Industry) for a project at work.
>
> One of the prerequisites is that all user commands be logged.
>
> We're currently using a very bad hack that takes the last command from a
> user's history and sends it to a log server.
>
> This of course is unreliable as a user may entirely disable their
> history, or just use another shell to bypass the csh function or whatever.
>
> My colleagues installed Snoopy on Debian and it seems to work wonders as
> a module which is LD preloaded.
>
> I notice it also exists on FreeBSD as /usr/ports/security/snoopy.
>
> However I face several problems with it, mainly it doesn't seem to log
> anything.
>
> As per the README, I have added "/usr/local/lib/snoopy.so" to
> /etc/ld.so.preload
>
> I'm not even sure this file is used on BSD?
>
> As per the man page for ld.so there's no such file:
> http://www.freebsd.org/cgi/man.cgi?query=ld.so
>
> Neither libmap.conf nor ldconfig(8) seem to be the answer either.
>
> I've googled for ld.so.conf and found the following 2 posts which seem
> to indicate it isn't used either:
> http://lists.freebsd.org/pipermail/freebsd-hackers/2003-June/001746.html
> http://lists.freebsd.org/pipermail/freebsd-hackers/2003-June/001747.html
>
> The posts mention -current but date back to 2003.
>
> Lastly, I have also noticed that the port installs /usr/local/bin/detect
> which I executed and would always reply "something's fishy".
>
> By looking at the (very short) source I noticed the program merely loads
> /lib/libc.so.6, and it wouldn't find it on my system (8.3-STABLE with
> /lib/libc.so.7).
>
> Adjusting and recompiling lets the program correctly print "secure" but
> it does nothing else.
>
> I have checked that the output /usr/local/lib/snoopy.so module is linked
> against libc.so.7, and it is.
>
> Has anyone ever got Snoopy to work on BSD?
> Might I need to install linux emulation?
>
> Is there any other port that might do the job and which I could use?
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
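Peter's pointer to the audit subsystem is worth spelling out, because it addresses the real weakness of the history-scraping hack: OpenBSM audit records execve(2) inside the kernel, so it does not matter which shell the user runs, whether history is disabled, or whether a loader hook was bypassed. (On FreeBSD, rtld(1) takes preload libraries from the LD_PRELOAD environment variable; there is no /etc/ld.so.preload, which is why adding that file does nothing. A user can also unset LD_PRELOAD or run a statically linked binary, so a preload hook is not a tamper-resistant record in any case.) The script below is an added example and is not part of the original thread or of the Snoopy port. It writes an audit_control(5) that audits the ex (program execution) class and, crucially, sets the argv policy, since without it the trail records only the path of the executed binary and not its arguments; it then checks the file for those two settings and, when run as root on FreeBSD, enables auditd(8). The AUDIT_ETC variable and the scratch directory used when not on FreeBSD are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): enable FreeBSD's OpenBSM audit
# subsystem to record every execve(2) together with its arguments.
# AUDIT_ETC and the scratch directory are assumptions for illustration.

set -eu

# Where audit_control lives on a real host. Point AUDIT_ETC elsewhere to
# stage the file without touching /etc/security.
AUDIT_ETC="${AUDIT_ETC:-/etc/security}"

# Write an audit_control(5) that captures program execution with arguments.
write_audit_control() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/audit_control" <<'EOF'
# audit_control(5): trail directory and what to record
dir:/var/audit
dist:off
# lo = login/logout, ex = program execution (execve) for attributable events
flags:lo,ex
minfree:5
# naflags covers non-attributable events (before an audit UID is known)
naflags:lo,ex
# cnt  = keep processes running if the trail cannot be written
#        (use ahlt instead to halt the system when auditing fails)
# argv = record the command-line arguments of each exec; without it the
#        trail only shows the path of the executed binary
policy:cnt,argv
filesz:2M
expire-after:10M
EOF
}

# Compliance check: succeed only if the file audits exec with arguments.
# Accepts the ex class or the all class, and requires the argv policy.
check_audit_control() {
    f="$1/audit_control"
    [ -f "$f" ] || return 1
    flags=$(sed -n 's/^flags://p' "$f")
    policy=$(sed -n 's/^policy://p' "$f")
    case ",$flags," in
        *,ex,*|*,all,*) ;;
        *) return 1 ;;
    esac
    case ",$policy," in
        *,argv,*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Turn the daemon on. The kernel needs 'options AUDIT' (GENERIC has it).
enable_audit() {
    sysrc auditd_enable=YES
    service auditd start
    # Make a running auditd re-read audit_control.
    audit -s
}

# Pull only exec records out of the live trail and print them readably.
show_exec_records() {
    auditreduce -c ex /var/audit/current | praudit
}

if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
    write_audit_control "$AUDIT_ETC"
    check_audit_control "$AUDIT_ETC" || {
        echo "audit_control does not record exec arguments" >&2
        exit 1
    }
    enable_audit
else
    # Not FreeBSD or not root: stage the file in a scratch directory so the
    # configuration and the check can still be exercised.
    AUDIT_ETC="${TMPDIR:-/tmp}/audit_etc.$$"
    write_audit_control "$AUDIT_ETC"
    check_audit_control "$AUDIT_ETC" &&
        echo "staged $AUDIT_ETC/audit_control passes the ex+argv check"
fi
```

To review what a given user ran, filter the trail by audit UID: `auditreduce -c ex -u <user> /var/audit/current | praudit`. The argv policy is what turns "a process named /bin/sh was executed" into a usable command log; the cnt policy keeps the machine running if the trail cannot be written, and ahlt is the alternative if the requirement is that no unaudited command may ever execute.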