From owner-freebsd-security Thu Aug 27 20:27:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA08212 for freebsd-security-outgoing; Thu, 27 Aug 1998 20:27:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tasam.com (tasam.com [198.232.144.22]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA08158 for ; Thu, 27 Aug 1998 20:26:45 -0700 (PDT) (envelope-from clash@tasam.com) Received: from bug (bug.tasam.com [198.232.144.254]) by tasam.com (8.9.1/8.9.1) with SMTP id XAA07956; Thu, 27 Aug 1998 23:25:15 -0400 (EDT) Message-ID: <00bb01bdd233$76594990$f10408d1@bug.tasam.com> From: "Joe Gleason" To: "Wilson MacGyver" , , "Brian Behlendorf" Subject: Re: post breakin log Date: Thu, 27 Aug 1998 23:23:53 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.2110.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You could always make a custom bash that sends each command to syslog as it is done. ;-) Then you could have your syslog log it to a remote system. Joe Gleason Tasam >At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote: >>the log from history follows. > >Is there a fool-proof way to get user histories like this? I got one once >only because the cracker was lame enough to forget to delete his >.bash_history file. Presuming root isn't compromised of course... > > Brian > > >--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-- >"Common sense is the collection of prejudices | brian@apache.org >acquired by the age of eighteen." - Einstein | brian@hyperreal.org > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message