From owner-freebsd-security Tue Jan 23 19:51:04 1996
From: Michael Smith <msmith@atrad.adelaide.edu.au>
Message-Id: <199601240359.OAA25573@genesis.atrad.adelaide.edu.au>
Subject: Re: Logging user activity
To: wam@fedex.com (William McVey)
Date: Wed, 24 Jan 1996 14:29:58 +1030 (CST)
Cc: msmith@atrad.adelaide.edu.au, freebsd-security@freebsd.org
In-Reply-To: <199601232048.AA23145@gateway.fedex.com> from "William McVey" at Jan 23, 96 01:25:39 pm

William McVey stands accused of saying:
> >Then you can set the append-only flag on their .history file, and they're
> >screwed.
>
> Well... until they 'exec /bin/sh' or some program they write that does
> a simple parse of entered commands and forks/execs without maintaining
> a history.

Yup. Point.

> >An alternative would be to use the process accounting stuff; look at
> >'ac' and 'accton' and 'lastcomm'.
>
> Accounting (historically) has some serious problems as far as
> security auditing goes. Typically the logfile contains the basename

Agreed. These are good techniques for catching inexperienced hackers; good
ones will spot them straight off. Short of a direct tty log of everything
you don't have much hope there.

> -- William

--
]] Mike Smith, Software Engineer          msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                       genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and        (GSM mobile) 0411-222-496       [[
]] realtime instrument control            (ph/fax) +61-8-267-3039         [[
]] "Who does BSD?" "We do Chucky, we do." [[
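The two posters above describe a gap between an append-only .history (which stops recording once the user does 'exec /bin/sh') and process accounting (which records only a command's basename). The following is an added example, not code from the thread or from FreeBSD, that cross-checks the two records for one user and reports accounting entries no history line could account for; the history lines and the (basename, user, tty) accounting tuples are constructed sample data, not real lastcomm output.

```python
"""Reconcile a user's shell history with process-accounting basenames.

Added example (not from the thread). The history side records full
command lines until the user exec's another shell; the accounting side
keeps every program run but only its basename. Anything accounting saw
that history cannot explain is a candidate history bypass.
"""
import os
import shlex

# Constructed sample .history for user "alice": logging ends at the exec.
HISTORY = [
    "ls -la /etc",
    "vi /etc/motd",
    "exec /bin/sh",      # the new shell keeps no history of its own
]

# Constructed (basename, user, tty) tuples, as accounting would report them.
ACCOUNTING = [
    ("ls", "alice", "ttyp0"),
    ("vi", "alice", "ttyp0"),
    ("sh", "alice", "ttyp0"),
    ("cc", "alice", "ttyp0"),     # run from the exec'd shell: never in history
    ("a.out", "alice", "ttyp0"),  # likewise
]


def history_basenames(history):
    """Basenames of every program a history line could have executed."""
    names = set()
    for line in history:
        try:
            words = shlex.split(line)
        except ValueError:          # unbalanced quotes: skip the line
            continue
        if not words:
            continue
        if words[0] == "exec" and len(words) > 1:
            words = words[1:]       # 'exec foo' runs foo in place of the shell
        names.add(os.path.basename(words[0]))
    return names


def unlogged_commands(history, accounting, user):
    """Accounting basenames for `user` that no history line explains.

    Only basenames can be compared, because that is all accounting keeps, so
    a program renamed to match a logged command still slips through; this
    finds gaps in the history, not a determined attacker.
    """
    seen = history_basenames(history)
    return [cmd for cmd, u, _tty in accounting if u == user and cmd not in seen]
```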