From: Mike Meyer <mwm@mired.org>
Date: Sun, 6 May 2001 04:38:05 -0500
To: "Andrew C. Hornback"
Cc: questions@freebsd.org
Subject: RE: OT: FreeBSD Security tip
Message-ID: <15093.7037.669432.531311@guru.mired.org>

Andrew C. Hornback types:
> > -----Original Message-----
> > From: owner-freebsd-questions@FreeBSD.ORG
> > [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Vivek Khera
> > Sent: Saturday, May 05, 2001 10:10 PM
> > To: Charles Burns
> > Cc: questions@freebsd.org
> > Subject: Re: OT: FreeBSD Security tip
> >
> > >>>>> "CB" == Charles Burns writes:
> >
> > >> Why not just set their shells *not* to keep the command log in the first
> > >> place?
> >
> > CB> I would miss my scrollback buffer. ;-) It saves me quite a bit of
> > CB> time and I use it more frequently than probably any other
> >
> > there's a difference between having a shell history buffer and saving
> > such a buffer to disk... in csh, the former is set with the history
> > variable and the latter with the savehist variable.
>
> Is there any way to log all of the shell history from all of the users on
> the machine to a log file? Not just one user in one place, but all of the
> users?
If you're willing to force them to use a specific shell, you may be able to do
that. It might take some hackery on the shell, but that's just a SMOP. On the
other hand, you could enable system accounting. That keeps a record of every
process run on the system that terminates under normal conditions. That's much
less obtrusive, and provides roughly the same information.

> Seems like something like this would be handy if you're dealing with a
> possible intruder in the system, have the file log the commands they're
> using, as they're using them...

That kind of thing takes a bit more work. The problem is the raw volume of
information on a multiuser system. The people who've done this and then
published papers about it typically either set it up as part of a system to
which only system administrators had access, or set it up after detecting the
intruder specifically for them, in hopes of catching them if they came back.
I've used the accounting logs to check on miscreants after-the-fact. That's a
simpler problem.

Mike Meyer <mwm@mired.org>                      http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
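The process-accounting route suggested in the reply above, as an added example that is not part of the original thread: it turns accounting on the way FreeBSD's rc scripts expect (accton(8) on /var/account/acct, accounting_enable="YES" in rc.conf) and then shows how to get one user's commands, or every command that ran with superuser privileges, back out of lastcomm(1) output. The lastcomm lines embedded below are constructed for the example and column spacing differs between releases; the script's own function names are mine. One caveat the reply hints at: an accounting record is written when the process exits, so an intruder's shell that is still open does not show up until it is closed.

```shell
#!/bin/sh
# Added example, not from the original thread: enable FreeBSD process
# accounting and pull one user's commands (or privileged commands) back out
# of lastcomm(1) output. accton(8), lastcomm(1), /var/account/acct and the
# accounting_enable rc.conf knob are FreeBSD's; the sample records below
# are constructed, and exact column spacing differs between releases.

ACCT_FILE=/var/account/acct

# Turn accounting on now and at every boot. Needs root; only invoked with
# the --enable argument so the rest of the script is safe to run anywhere.
enable_accounting() {
    mkdir -p "$(dirname "$ACCT_FILE")"
    touch "$ACCT_FILE"
    chmod 600 "$ACCT_FILE"   # the log names every command every user ran
    accton "$ACCT_FILE"
    grep -q '^accounting_enable=' /etc/rc.conf 2>/dev/null \
        || echo 'accounting_enable="YES"' >> /etc/rc.conf
}

# Constructed lastcomm(1)-style records. Real ones come from
#   lastcomm -f "$ACCT_FILE" > /tmp/acct.txt
# Columns: command (truncated to 16 chars), flags, user, tty, cpu time,
# start time. Flags always begin with "-"; S = used superuser privileges,
# F = forked without exec, D = dumped core, X = killed by a signal.
SAMPLE=$(cat <<'EOF'
sh       -       mwm      ttyp1      0.02 secs Sun May  6 02:30
ls       -       mwm      ttyp1      0.00 secs Sun May  6 02:31
su       -S      ach      ttyp2      0.01 secs Sun May  6 02:35
cron     -F      root     __         0.00 secs Sun May  6 02:36
EOF
)

# Commands one user ran: $1 = file of lastcomm output, $2 = user name.
user_commands() {
    awk -v u="$2" '$3 == u { print $1 }' "$1"
}

# Records that ran with superuser privileges (S flag), as "user command".
# A non-root account appearing here is the first thing to look at.
priv_commands() {
    awk '$2 ~ /S/ { print $3, $1 }' "$1"
}

# Run one of the extractors over the constructed sample: with_sample FN [ARGS]
with_sample() {
    fn=$1; shift
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE" > "$tmp"
    "$fn" "$tmp" "$@"
    rm -f "$tmp"
}

case "${1:-}" in
    --enable) enable_accounting ;;
    *)        with_sample user_commands "${1:-mwm}" ;;
esac
```

On a real box, replace the sample with `lastcomm -f /var/account/acct` output, or simply pass the user name to lastcomm directly (`lastcomm mwm`); `sa -u` gives the same per-user view in summary form. The accounting file grows with every process exit, which is the "raw volume" problem the reply mentions, so rotate it with the rest of your logs.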