From owner-freebsd-security Thu Aug 27 19:34:25 1998
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id TAA29758
        for freebsd-security-outgoing; Thu, 27 Aug 1998 19:34:25 -0700 (PDT)
        (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA29662
        for ; Thu, 27 Aug 1998 19:33:40 -0700 (PDT)
        (envelope-from gjp@gjp.erols.com)
Received: from gjp.erols.com (gjp@localhost.erols.com [127.0.0.1])
        by gjp.erols.com (8.8.8/8.8.7) with ESMTP id WAA01656;
        Thu, 27 Aug 1998 22:32:08 -0400 (EDT)
        (envelope-from gjp@gjp.erols.com)
X-Mailer: exmh version 2.0.1 12/23/97
To: Brian Behlendorf
cc: Wilson MacGyver, security@FreeBSD.ORG
From: "Gary Palmer"
Subject: Re: post breakin log
In-reply-to: Your message of "Thu, 27 Aug 1998 11:16:01 PDT."
        <19980827182323.6798.qmail@hyperreal.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 27 Aug 1998 22:32:08 -0400
Message-ID: <1652.904271528@gjp.erols.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brian Behlendorf wrote in message ID
<19980827182323.6798.qmail@hyperreal.org>:
> Is there a fool-proof way to get user histories like this?  I got one once
> only because the cracker was lame enough to forget to delete his
> .bash_history file.  Presuming root isn't compromised of course...

Force the history files to be created with uappend flag set and run with a
non zero security level.

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
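
An added example, not part of the original message: one way to apply and audit the setup described in the reply above on a FreeBSD host. The function names, user names and listing lines are constructed for illustration; chflags(1), install(1), `ls -lo` and the kern.securelevel sysctl are the real FreeBSD interfaces assumed.

```shell
#!/bin/sh
# Added example (not from the original message). Hypothetical helper names.
# chflags(1) spells the user append-only flag "uappnd"; "sappnd" is the
# system append-only flag, which cannot be cleared while kern.securelevel > 0.

# Create FILE owned by USER (mode 600) if it is absent, then set FLAG on it.
harden_history() {      # usage: harden_history USER FILE [FLAG]
    user=$1 file=$2 flag=${3:-uappnd}
    [ -e "$file" ] || install -o "$user" -m 600 /dev/null "$file" || return 1
    chflags "$flag" "$file"
}

# Succeeds only when the given securelevel value is above zero.
# On a live host: securelevel_ok "$(sysctl -n kern.securelevel)"
# Persist via /etc/rc.conf: kern_securelevel_enable="YES", kern_securelevel="1"
securelevel_ok() {
    [ "$1" -gt 0 ]
}

# Audit: read `ls -lo` lines on stdin (field 5 holds the file flags) and
# print every path that carries neither append-only flag.
audit_history_flags() {
    awk '{
        n = split($5, flags, ",")
        ok = 0
        for (i = 1; i <= n; i++)
            if (flags[i] == "uappnd" || flags[i] == "sappnd") ok = 1
        if (!ok) print $NF
    }'
}

# Constructed sample of `ls -lo` output; a "-" in field 5 means no flags set.
sample_listing() {
    cat <<'EOF'
-rw-------  1 alice  alice  uappnd         812 Aug 27 19:30 /home/alice/.bash_history
-rw-------  1 bob    bob    -             2044 Aug 27 18:02 /home/bob/.bash_history
-rw-------  1 carol  carol  sappnd,nodump   96 Aug 27 17:11 /home/carol/.history
-rw-------  1 dave   dave   uchg           120 Aug 26 09:00 /home/dave/.bash_history
EOF
}

# Stand-alone run: list the sample history files that are not append-only.
sample_listing | audit_history_flags
```

On a real system the audit input would come from something like `ls -lo /home/*/.bash_history`, run from cron so that a cleared flag is noticed.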