From owner-freebsd-security Thu Aug 27 22:17:33 1998
From: "Joe Gleason"
To: "Jan B. Koum"
Subject: Re: Shell history (Was: Re: post breakin log)
Date: Fri, 28 Aug 1998 01:15:46 -0400
Sender: owner-freebsd-security@FreeBSD.ORG

I don't know that much kernel stuff, but what if you hacked the kernel so
that whatever syscall opens/forks a new process will log the process name
and parameters? That, and having watch running, telling it to restart on
reconnect to a tty and watching each tty that way, should give you lots of
data.

I think the best security measure would be a custom-compiled who and/or w
command that logs if anyone uses it more than once per 20 seconds. You can
always tell if someone is up to something by their use of the who command. ;-)

Joe Gleason
Tasam

> What if the user were to switch shell or to install their own?
>
> I do not think one should depend on shell history to log all that the
> user does. The best way is to implement something like watch(8) to check
> the ttys you want, or to automatically start when someone attaches
> to a tty. Again, this is also flawed... what if someone simply
> continues to use the root shell they got through a popper overflow?
> No tty, no entry in wtmp... have fun getting their command
> history. But wait... tcpdump. Using something like NFR to capture
> the session for you should work unless something like ssh is used.
>
> Ideas? Opinions? Flames? How would YOU monitor what your users are
> doing if you had to?
>
> -- Yan
>
> www.best.com/~jkb/ Unix users of the world unite:
> www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
> "Turn up the lights, I don't want to go home in the dark."
>
> On Thu, 27 Aug 1998, Joe Gleason wrote:
>
>> You could always make a custom bash that sends each command to syslog as it
>> is done. ;-)
>>
>> Then you could have your syslog log it to a remote system.
>>
>> Joe Gleason
>> Tasam
>>
>>> At 01:38 AM 8/27/98 -0400, Wilson MacGyver wrote:
>>>> the log from history follows.
>>>
>>> Is there a fool-proof way to get user histories like this? I got one once
>>> only because the cracker was lame enough to forget to delete his
>>> .bash_history file. Presuming root isn't compromised, of course...
>>>
>>> Brian
>>>
>>> "Common sense is the collection of prejudices | brian@apache.org
>>> acquired by the age of eighteen." - Einstein | brian@hyperreal.org
>>>
>>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>>> with "unsubscribe freebsd-security" in the body of the message
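The "custom bash that sends each command to syslog" idea from the quoted reply, written out as an added example that is not from the thread or from any FreeBSD code: a sourceable sh/bash fragment that builds one audit record per command, strips control characters so a crafted command cannot forge extra log lines, and hands the record to logger(1) for a remote loghost. The function names and the AUDIT_SHELL variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: sanitize_cmd,
# format_audit_line, emit_audit_line, bash_audit_hook, AUDIT_SHELL.

# Replace every non-printable byte with '?' so a command line containing
# a newline cannot inject a fake second record into the log.
sanitize_cmd() {
    printf '%s' "$1" | tr -c '[:print:]' '?'
}

# Build one audit record: who, where, and what.
# $1 = user, $2 = tty, $3 = working directory, $4 = raw command line
format_audit_line() {
    printf 'user=%s tty=%s cwd=%s cmd=%s' "$1" "$2" "$3" "$(sanitize_cmd "$4")"
}

# Hand the record to syslog (auth facility), where syslog.conf can forward
# it to a remote host; fall back to stderr when logger(1) is unavailable.
emit_audit_line() {
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.notice -t sh-audit -- "$1"
    else
        printf '%s\n' "$1" >&2
    fi
}

# bash DEBUG-trap hook: runs before each simple command the user types.
# AUDIT_TTY is resolved once at install time to avoid a tty(1) call per command.
bash_audit_hook() {
    emit_audit_line "$(format_audit_line "${USER:-unknown}" "${AUDIT_TTY:-notty}" "$PWD" "$1")"
}

# Install only when sourced into bash with AUDIT_SHELL=1 set; plain sh has no
# DEBUG trap, but the record-building functions above still work under it.
if [ -n "$BASH_VERSION" ] && [ "${AUDIT_SHELL:-0}" = 1 ]; then
    AUDIT_TTY=$(tty 2>/dev/null || echo notty)
    trap 'bash_audit_hook "$BASH_COMMAND"' DEBUG
fi
```

Yan's objection in the thread still applies: a user who execs a different shell, or who holds a shell with no tty at all, never runs this hook, so it only complements kernel-level or network-level capture.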