Date: Sun, 6 May 2001 04:38:05 -0500
From: Mike Meyer <mwm@mired.org>
To: "Andrew C. Hornback" <hornback@wireco.net>
Cc: questions@freebsd.org
Subject: RE: OT: FreeBSD Security tip
Message-ID: <15093.7037.669432.531311@guru.mired.org>
In-Reply-To: <109415851@toto.iv>
Andrew C. Hornback <hornback@wireco.net> types:
> > -----Original Message-----
> > From: owner-freebsd-questions@FreeBSD.ORG
> > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Vivek Khera
> > Sent: Saturday, May 05, 2001 10:10 PM
> > To: Charles Burns
> > Cc: questions@freebsd.org
> > Subject: Re: OT: FreeBSD Security tip
> >
> > >>>>> "CB" == Charles Burns <burnscharlesn@hotmail.com> writes:
> >
> > >> Why not just set their shells *not* to keep the command log in the first
> > >> place?
> >
> > CB> I would miss my scrollback buffer. ;-) It saves me quite a bit of
> > CB> time and I use it more frequently than probably any other
> >
> > there's a difference between having a shell history buffer and saving
> > such a buffer to disk... in csh, the former is set with the history
> > variable and the latter with the savehist variable.
>
> Is there any way to log all of the shell history from all of the users on
> the machine to a log file? Not just one user in one place, but all of the
> users?

If you're willing to force them to use a specific shell, you may be able to
do that. It might take some hackery on the shell, but that's just a SMOP.

On the other hand, you could enable system accounting. That keeps a record
of every process run on the system that terminates under normal conditions.
That's much less obtrusive, and provides roughly the same information.

> Seems like something like this would be handy if you're dealing with a
> possible intruder in the system, have the file log the commands they're
> using, as they're using them...

That kind of thing takes a bit more work. The problem is the raw volume of
information on a multiuser system. The people who've done this and then
published papers about it typically either set it up as part of a system to
which only system administrators had access, or set it up after detecting
the intruder specifically for them, in hopes of catching them if they came
back.
I've used the accounting logs to check on miscreants after-the-fact. That's
a simpler problem.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
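The after-the-fact review of accounting records that Mike describes, as an added example that is not part of the original thread. The setup commands in the header comment are the standard FreeBSD ones (accton(8), accounting_enable in rc.conf, lastcomm(1)); they are shown for context only and are not executed by the script. The record lines are constructed in lastcomm(1) style, the column layout (command, flags, user, tty, then elapsed time and date) is an assumption about that output, and the "root:mwm" allow list is a hypothetical choice for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. It assumes process accounting was
# enabled earlier as root, roughly (shown only, not run here):
#   touch /var/account/acct && accton /var/account/acct
#   # add accounting_enable="YES" to /etc/rc.conf to keep it across reboots
#   lastcomm > /var/tmp/lastcomm.txt      # dump the records for review
# Assumed lastcomm(1) layout: command, flags ("-" plus letters; "S" means the
# process used superuser permissions), user, tty, elapsed time, date. The
# last two contain spaces, so only fields 1..4 are ever used below.

# Constructed sample in lastcomm(1) style; not real data.
SAMPLE='sh               -       mwm      ttyp0      0.02 secs Sun May  6 04:10
ls               -       mwm      ttyp0      0.01 secs Sun May  6 04:11
passwd           -S      mwm      ttyp0      0.03 secs Sun May  6 04:12
nc               -       nobody   ttyp3      0.05 secs Sun May  6 04:20
sh               -       nobody   ttyp3      0.01 secs Sun May  6 04:21
cron             -F      root     __         0.00 secs Sun May  6 04:30'

# flag_suspicious ALLOWED_USERS < lastcomm-output
# Emits one tab-separated line (user, command, tty, reason) per record whose
# user is outside the colon-separated allow list or which carried the S flag.
flag_suspicious() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ":"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 4 {
            reason = ""
            if (!($3 in ok)) reason = "unexpected user"
            if ($2 ~ /S/) reason = reason (reason == "" ? "" : "; ") "superuser"
            if (reason != "") printf "%s\t%s\t%s\t%s\n", $3, $1, $4, reason
        }'
}

# count_suspicious ALLOWED_USERS < lastcomm-output -> number of flagged records
count_suspicious() {
    flag_suspicious "$1" | awk 'END { print NR }'
}

# per_user_counts < lastcomm-output
# Commands per user, busiest first: the quick "who was doing what" view that
# keeps the raw volume of a multiuser system manageable before drilling down.
per_user_counts() {
    awk 'NF >= 4 { c[$3]++ } END { for (u in c) printf "%d\t%s\n", c[u], u }' | sort -rn
}

printf '%s\n' "$SAMPLE" | flag_suspicious "root:mwm"
printf '%s\n' "$SAMPLE" | per_user_counts
```

On a real system, replace the sample with `lastcomm` output (or `lastcomm somebody` to pre-filter on a user) and tune the allow list to the accounts that legitimately run commands on that host; the S flag is worth a look on any account that should not be acquiring root.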
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15093.7037.669432.531311>