Date:      Wed, 24 Jan 1996 14:29:58 +1030 (CST)
From:      Michael Smith <msmith@atrad.adelaide.edu.au>
To:        wam@fedex.com (William McVey)
Cc:        msmith@atrad.adelaide.edu.au, freebsd-security@freebsd.org
Subject:   Re: Logging user activity
Message-ID:  <199601240359.OAA25573@genesis.atrad.adelaide.edu.au>
In-Reply-To: <199601232048.AA23145@gateway.fedex.com> from "William McVey" at Jan 23, 96 01:25:39 pm

William McVey stands accused of saying:
> >Then you can set the append-only flag on their .history file, and they're
> >screwed.
> 
> Well... until they 'exec /bin/sh' or some program they write that does 
> a simple parse of entered commands and forks/execs without maintaining
> a history.

Yup.  Point.

> >An alternative would be to use the process accounting stuff; look at
> >'ac' and 'accton' and 'lastcomm'.
> 
> Accounting (historically) has some serious problems as far as
> security auditing goes.  Typically the logfile contains the basename

Agreed.  These are good techniques for catching inexperienced hackers;
good ones will spot them straight off.  Short of a direct tty log of
everything you don't have much hope there.

>  -- William

-- 
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] "Who does BSD?" "We do Chucky, we do."                               [[
