From: William McVey
To: Michael Smith
Cc: freebsd-security@freebsd.org
Subject: Re: Logging user activity
Date: Tue, 23 Jan 1996 13:25:39 -0600
Message-Id: <199601232048.AA23145@gateway.fedex.com>

Michael Smith wrote:
> A couple of things you can do; if their shell is one of the csh flavours,
> (most particularly tcsh) then you can set their history up (savehist
> in particular) controlled by readonly shell variables. Set the
> history length (first word in the 'savehist' variable) really high, say
> around the 10,000 mark.
>
> Then you can set the append-only flag on their .history file, and they're
> screwed.

Well... until they 'exec /bin/sh' or some program they write that does a simple parse of entered commands and forks/execs without maintaining a history.

> An alternative would be to use the process accounting stuff; look at
> 'ac' and 'accton' and 'lastcomm'.

Accounting (historically) has some serious problems as far as security auditing goes.
Typically the logfile contains the basename of the program executed. This means I build a few links (or rename the executables directly) of things like crack to be named 'vi' or 'cc' and you're none the wiser. In addition, on some systems (I don't know about FreeBSD), an accounting record doesn't get recorded until the process terminates. This means if a system wedges or crashes, there would be no accounting for the process.

I've not used FreeBSD's accounting; the above is based off other vendors' implementations, but it could represent some problems for security critical systems.

-- William
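Added illustration, not part of the original message: because an accounting record only carries the basename, the defender's counter-check is to compare the executables that those names resolve to against a content-hash baseline. The Python below is an assumed sketch of that check; it constructs a throwaway directory in which 'cc' is really a different program and 'ls' has no baseline entry.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_executables(dirs: List[str], baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare every executable in `dirs` against a basename -> sha256 baseline.

    A renamed binary is invisible in accounting output (same basename), but
    its content hash differs. Returns (kind, basename) pairs: 'mismatch' for a
    known name whose content differs, 'unknown' for a name not in the baseline.
    """
    findings: List[Tuple[str, str]] = []
    for d in dirs:
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if not os.path.isfile(path) or not os.access(path, os.X_OK):
                continue
            expected = baseline.get(name)
            if expected is None:
                findings.append(("unknown", name))
            elif sha256_file(path) != expected:
                findings.append(("mismatch", name))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario (assumed, not real binaries): 'cc' is something else."""
    d = tempfile.mkdtemp()
    genuine = {"vi": b"#!/bin/sh\necho genuine vi\n", "cc": b"#!/bin/sh\necho genuine cc\n"}
    baseline = {n: hashlib.sha256(c).hexdigest() for n, c in genuine.items()}
    on_disk = dict(genuine)
    on_disk["cc"] = b"#!/bin/sh\necho not the compiler\n"  # renamed program under a trusted name
    on_disk["ls"] = b"#!/bin/sh\necho ls\n"                # executable with no baseline entry
    for name, content in on_disk.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, 0o755)
    return audit_executables([d], baseline)
```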