From owner-freebsd-security Thu Jul 1 12:12:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.unacom.com (phoenix.unacom.com [206.113.48.50]) by hub.freebsd.org (Postfix) with SMTP id 1B82E15514 for ; Thu, 1 Jul 1999 12:12:28 -0700 (PDT) (envelope-from ethereal@phoenix.unacom.com)
Received: (qmail 39622 invoked by uid 1001); 1 Jul 1999 19:04:11 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Jul 1999 19:04:11 -0000
Date: Thu, 1 Jul 1999 15:04:11 -0400 (EDT)
From: Master Of Spirits
To: freebsd-security@FreeBSD.ORG
Subject: Tracking Root Users
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have found that the simplest way (which I use myself) is a few modifications to the shells themselves, and to syslog.conf.

For the purposes of tracking commands used by uid 0, the shell script waits for su to send a confirmed su signal and then logs to a log file and continues to log all commands sent through the shell until su sends a termination signal. This bypasses syslog entirely save for the notification of failed or successful su attempts.

Minor adjustments could also pipe this feedback to a printer or external device, thus removing the possibility of hackers editing the logs themselves.

-= UNACOM System Admin =-
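An added example in the spirit of the shell modifications described above (not the poster's own script): a minimal audited root-shell loop that writes every command line to its own log file, and optionally to an external sink such as a printer or serial device, before executing it, so that syslog is not involved at all. The log and sink paths and the variable names are assumptions for the demo.

```shell
#!/bin/sh
# Audited command loop: each line read is recorded, then executed.
# Assumed paths for the demo; in real use point ROOT_CMD_LOG at /var/log
# and mark it append-only (on FreeBSD: chflags sappnd), and point
# ROOT_CMD_SINK at a printer or serial line so an intruder who edits the
# on-disk log cannot erase the external copy.
ROOT_CMD_LOG="${ROOT_CMD_LOG:-/tmp/rootcmd.log}"
ROOT_CMD_SINK="${ROOT_CMD_SINK:-}"   # empty = no external copy

# Append one audit record: timestamp, real uid, tty, command text.
audit_record() {
    cmd=$1
    tty_name=$(tty 2>/dev/null) || tty_name=none
    line="$(date '+%Y-%m-%dT%H:%M:%S%z') uid=$(id -u) tty=$tty_name cmd=$cmd"
    printf '%s\n' "$line" >> "$ROOT_CMD_LOG" || return 1
    if [ -n "$ROOT_CMD_SINK" ]; then
        printf '%s\n' "$line" >> "$ROOT_CMD_SINK" || return 1
    fi
}

# Read command lines from stdin (the operator's session), log each one,
# and only then run it. Fails closed: if the record cannot be written,
# the command is not executed.
audited_session() {
    while IFS= read -r cmdline; do
        [ -z "$cmdline" ] && continue
        if ! audit_record "$cmdline"; then
            echo "audit log unwritable; refusing to run: $cmdline" >&2
            return 1
        fi
        eval "$cmdline"
    done
}

# Number of commands recorded so far in the audit log.
count_audited() {
    grep -c ' cmd=' "$ROOT_CMD_LOG"
}
```

Running it from the root account's login shell (or invoking it from the shell's startup file when `id -u` is 0) gives a per-command record that survives even if an intruder later tampers with syslog output.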