From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 01:02:57 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 759C416A4B3 for ; Tue, 16 Sep 2003 01:02:57 -0700 (PDT) Received: from amk-drives.bg (ns.amk-drives.bg [62.73.77.208]) by mx1.FreeBSD.org (Postfix) with SMTP id E2B7C43FAF for ; Tue, 16 Sep 2003 01:02:48 -0700 (PDT) (envelope-from niki@amk-drives.bg) Received: (qmail 26303 invoked by uid 1005); 16 Sep 2003 08:03:23 -0000 Received: from unknown (HELO kanchev) (192.168.0.13) by 192.168.0.100 with SMTP; 16 Sep 2003 08:03:20 -0000 Message-ID: <014001c37c39$956ec2f0$0d00a8c0@amkdrives.bg> From: "Nikolay Kanchev" To: Date: Tue, 16 Sep 2003 11:02:05 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1251" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Virus-Scanned: by AMaViS perl-11 Subject: boot -s - can i detect intruder X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 08:02:57 -0000 Hi list Several people have physical access to my FreeBSD box and I have the feeling that somebody try to get access with boot -s options . Can I log activity after boot -s option (change user password, install software and etc.). I use boot -s and change user password, but after reboot i can't find this atcivity in log files. The BSD box is shutdown and run again many time at day. Best regards, Nikolay Kanchev E-mail: niki@amk-drives.bg