From owner-freebsd-security@FreeBSD.ORG Tue Jan 6 15:37:36 2004
Date: Tue, 6 Jan 2004 23:37:25 +0000
From: Jez Hancock
To: Richard Bejtlich
cc: freebsd-security@freebsd.org
Subject: Re: Logging user activities
Message-ID: <20040106233725.GA78250@users.munk.nu>
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
List-Id: Security issues [members-only posting]
User-Agent: Mutt/1.4.1i

On Tue, Jan 06, 2004 at 01:04:30PM -0800, Richard Bejtlich wrote:
> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html

This was a very interesting article, thanks for that. I made a note of it on my blog where you can also find a perl script I wrote a while ago to report on the history usage of all users logging in on a certain date - I run it daily via cron to report on shell usage for the current day.
The article is here: http://jez.hancock-family.com/archives/37_Securing_Users_Shell_Command_History.html

> My goal is to "watch the watchers," i.e. watch for
> abuse of power by SOC people with the ability to view
> traffic captured by sniffers.
>
> I plan to use sudo to limit and audit user activities
> too. I may also try some of the patches to bash
> listed at project.honeynet.org which send keystrokes
> to a remote server. Hardware keystroke logging is
> always a possibility.

As someone already mentioned, the snp driver is used by the watch(8) utility to allow an admin to snoop on what users are doing on a tty. This even allows you as an admin to actually interact with another user's tty session (never fails to be amusing :P) and can be a very good tool to help when demonstrating something for a user in their shell.

There's a good article on setting up watch(8) here: http://www.freebsddiary.org/watch.php

There's also a port around that uses snp to log tty sessions. IIRC the app is in /usr/ports/security/termlog - when I had a brief look at it, it didn't seem too practical for logging all users' tty sessions, but it might give you some ideas.

Good luck.

-- 
Jez Hancock - System Administrator / PHP Developer
http://munk.nu/
http://jez.hancock-family.com/ - personal weblog
http://ipfwstats.sf.net/ - ipfw peruser traffic logging
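The daily "who logged in and what did they run" report that the reply describes, written here as an added Python example; it is not the author's perl script (which is not on this page). It assumes last(1)-style login records and per-user bash histories with '#<epoch>' timestamp lines (HISTTIMEFORMAT set); every input below is a constructed sample, and a user with a login but no commands for that day is reported with an empty list, since a missing or emptied history on a day with a session is exactly what a reviewer wants to notice.

```python
import re
from datetime import date, datetime, timezone

# Constructed last(1)-style records (no year in the output, so the caller supplies it)
LAST_OUTPUT = """\
alice   pts/0   10.0.0.5    Tue Jan  6 09:12   still logged in
bob     pts/1   10.0.0.7    Tue Jan  6 11:40 - 12:05  (00:25)
carol   pts/2   10.0.0.9    Mon Jan  5 22:10 - 22:30  (00:20)
dave    pts/3   10.0.0.11   Tue Jan  6 14:00 - 14:02  (00:02)
"""

# Constructed timestamped bash histories keyed by user; dave has none at all
HISTORIES = {
    "alice": "#1073379200\nls -la /var/log\n#1073382800\ntcpdump -r capture.pcap\n",
    "bob": "#1073389200\nsudo less /var/log/auth.log\n",
    "carol": "#1073340600\nuptime\n",
}

# user, tty, host, weekday, month, day, hh:mm
LAST_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\w{3}\s+(\w{3})\s+(\d{1,2})\s+\d\d:\d\d")

def parse_logins(last_output, year):
    """Map user -> set of login dates from last(1)-style lines."""
    logins = {}
    for line in last_output.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue
        user, mon, day = m.groups()
        when = datetime.strptime(f"{year} {mon} {day}", "%Y %b %d").date()
        logins.setdefault(user, set()).add(when)
    return logins

def parse_history(text):
    """Yield (date, command) from a '#<epoch>' timestamped bash history (UTC dates)."""
    stamp = None
    for line in text.splitlines():
        if line.startswith("#") and line[1:].isdigit():
            stamp = datetime.fromtimestamp(int(line[1:]), tz=timezone.utc).date()
        elif stamp is not None and line.strip():
            yield stamp, line

def daily_report(day, last_output, histories, year):
    """Commands run on `day` by each user who logged in that day ([] if none found)."""
    report = {}
    for user, days in parse_logins(last_output, year).items():
        if day in days:
            cmds = [c for d, c in parse_history(histories.get(user, "")) if d == day]
            report[user] = cmds
    return report
```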