Date: Tue, 23 Jan 1996 13:25:39 -0600
From: William McVey <wam@fedex.com>
To: Michael Smith <msmith@atrad.adelaide.edu.au>
Cc: freebsd-security@freebsd.org
Subject: Re: Logging user activity
Message-ID: <199601232048.AA23145@gateway.fedex.com>
Michael Smith wrote:
> A couple of things you can do; if their shell is one of the csh flavours,
> (most particularly tcsh) then you can set their history up (savehist
> in particular) controlled by readonly shell variables. Set the
> history length (first word in the 'savehist' variable) really high, say
> around the 10,000 mark.
>
> Then you can set the append-only flag on their .history file, and they're
> screwed.

Well... until they 'exec /bin/sh' or some program they write that does a
simple parse of entered commands and forks/execs without maintaining a
history.

> An alternative would be to use the process accounting stuff; look at
> 'ac' and 'accton' and 'lastcomm'.

Accounting (historically) has some serious problems as far as security
auditing goes. Typically the logfile contains the basename of the program
executed. This means I build a few links (or rename the executables
directly) of things like crack to be named 'vi' or 'cc' and you're none the
wiser. In addition, on some systems (I don't know about FreeBSD), an
accounting record doesn't get recorded until the process terminates. This
means if a system wedges or crashes, there would be no accounting for the
process.

I've not used FreeBSD's accounting; the above is based off other vendors'
implementations, but it could represent some problems for security critical
systems.

-- William