From owner-freebsd-security Thu Aug 27 17:49:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA10426 for freebsd-security-outgoing; Thu, 27 Aug 1998 17:49:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA10396 for ; Thu, 27 Aug 1998 17:49:05 -0700 (PDT) (envelope-from fullermd@futuresouth.com)
Received: (from fullermd@localhost) by shell.futuresouth.com (8.8.8/8.8.8) id TAA08252; Thu, 27 Aug 1998 19:47:59 -0500 (CDT)
Message-ID: <19980827194759.15155@futuresouth.com>
Date: Thu, 27 Aug 1998 19:47:59 -0500
From: "Matthew D. Fuller"
To: Brian Behlendorf
Cc: Wilson MacGyver, security@FreeBSD.ORG
Subject: Re: post breakin log
References: <199808270538.BAA01341@armitage.cylatech.com> <19980827182323.6798.qmail@hyperreal.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88
In-Reply-To: <19980827182323.6798.qmail@hyperreal.org>; from Brian Behlendorf on Thu, Aug 27, 1998 at 11:16:01AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Aug 27, 1998 at 11:16:01AM -0700, Brian Behlendorf woke me up to tell me:
> At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
> >the log from history follows.
>
> Is there a fool-proof way to get user histories like this? I got one once
> only because the cracker was lame enough to forget to delete his
> .bash_history file. Presuming root isn't compromised of course...

Command accounting's a pretty good way. And if you raise the secure level
and set the acct file append_only (sappend flag?), it's pretty foolproof.
Very spammable if they catch up, but fairly foolproof.
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| FreeBSD; the way computers were meant to be               |
* "The only reason I'm burning my candle at both ends, is  *
| that I haven't figured out how to light the middle yet."  |
* fullermd@futuresouth.com :-} Matthew Fuller              *
| http://keystone.westminster.edu/~fullermd                 |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
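The setup Matthew describes (accounting on, the acct file marked system-append-only, securelevel raised), as an added shell example that is not part of the original mail or of FreeBSD itself. It assumes /var/account/acct as the accounting file, and the rc.conf knobs and sysrc(8) it uses come from current FreeBSD manpages, which postdate this 1998 message.

```shell
#!/bin/sh
# Added example (not from the mail above): enable BSD process accounting on
# FreeBSD and lock the acct file with the system append-only flag, which
# kern.securelevel >= 1 makes unremovable until reboot. ACCT_FILE, the
# rc.conf knobs and sysrc(8) are assumptions from current FreeBSD manpages.
ACCT_FILE=/var/account/acct

# ls -lo prints file flags in field 5, comma-separated, "-" when none.
has_sappnd() {
    flagfield=$(printf '%s\n' "$1" | awk '{ print $5 }')
    case ",$flagfield," in *,sappnd,*) return 0 ;; esac
    return 1
}

# At securelevel 1 or higher the sappnd/schg flags may not be turned off.
securelevel_locks_flags() {
    [ "$1" -ge 1 ]
}

# One-shot setup; run as root. sappnd protects what is already written; it
# does not stop root from disabling accounting, so raise securelevel too.
enable_accounting() {
    mkdir -p "$(dirname "$ACCT_FILE")"
    touch "$ACCT_FILE" && chmod 640 "$ACCT_FILE"
    accton "$ACCT_FILE"            # start recording commands as they exit
    chflags sappnd "$ACCT_FILE"    # existing records can no longer be truncated
    sysrc accounting_enable=YES kern_securelevel_enable=YES kern_securelevel=1
}

# Show whether the protection actually holds on this host.
report() {
    has_sappnd "$(ls -lo "$ACCT_FILE")" && echo "sappnd set" || echo "sappnd NOT set"
    level=$(sysctl -n kern.securelevel)
    if securelevel_locks_flags "$level"; then
        echo "securelevel $level: flag is pinned until reboot"
    else
        echo "securelevel $level: root can still clear the flag"
    fi
    lastcomm | head -n 5           # readable view of the accounting records
}

case "${1:-}" in
    apply) enable_accounting; report ;;
    check) report ;;
esac
```

Run with `apply` once as root, then `check` after a reboot to confirm the flag survived and securelevel came up at 1.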