From owner-freebsd-security Wed Jan 24 14:25:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id OAA25448 for security-outgoing; Wed, 24 Jan 1996 14:25:11 -0800 (PST)
Received: from intele.net (quervo.intele.net [204.118.149.20]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id OAA25442 for ; Wed, 24 Jan 1996 14:25:01 -0800 (PST)
Received: (wes@localhost) by intele.net (8.6.12/8.6.5) id PAA12565; Wed, 24 Jan 1996 15:24:48 -0700
From: Barnacle Wes
Message-Id: <199601242224.PAA12565@intele.net>
Subject: Re: Logging user activity
To: msmith@atrad.adelaide.edu.au (Michael Smith)
Date: Wed, 24 Jan 1996 15:24:47 -0700 (MST)
Cc: freebsd-security@FreeBSD.org
In-Reply-To: <199601240359.OAA25573@genesis.atrad.adelaide.edu.au> from "Michael Smith" at Jan 24, 96 02:29:58 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.org
Precedence: bulk

William McVey stands accused of saying:
% Accounting (historically) has some serious problems as far as
% security auditing goes. Typically the logfile contains the basename

Mike Smith observed by way of reply:
> Agreed. These are good techniques for catching inexperienced hackers;
> good ones will spot them straight off. Short of a direct tty log of
> everything you don't have much hope there.

On the other hand, since you do have the system sources, you can go hack
the syscalls for exec, open, etc. to log whatever you want. Unless you
think the user is dumping statically-linked executables on your system,
it would probably be enough to just create a new libc.so that does syslog
calls before each syscall.

Use the source, Luke!

-- 
Wes Peters     | Yes I am a pirate, two hundred years too late
Softweyr       | The cannons don't thunder, there's nothing to plunder
Consulting     | I'm an over forty victim of fate...
wes@intele.net | Jimmy Buffet
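The "libc.so that does syslog calls before each syscall" idea in the message above, worked through for one call as an added example. This is not code from the thread or from FreeBSD: it is a wrapper for execve() that writes an audit record to syslog and then forwards the call to the kernel through syscall(2) instead of through libc's own execve(), so the wrapper can sit in front of libc without recursing into itself. The helper names (format_audit, audited_calls), the syslog ident "execaudit", the facility LOG_AUTHPRIV and the use of SYS_execve from sys/syscall.h are my assumptions, as is the demo path, which deliberately does not exist so the process survives the call.

```c
/* Added example (not from the mailing-list thread): an interposing
 * execve() wrapper that syslogs the call, then hands it to the kernel
 * with syscall(2).  Assumptions (not from the page): Linux or FreeBSD
 * with syscall(2) and SYS_execve; names below are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Number of calls audited so far; lets a caller confirm the wrapper ran. */
static unsigned long g_audited;

unsigned long audited_calls(void)
{
    return g_audited;
}

/* Build one audit record in buf; returns snprintf's character count. */
int format_audit(char *buf, size_t n, const char *call, const char *path,
                 uid_t uid, pid_t pid)
{
    return snprintf(buf, n, "call=%s uid=%u pid=%ld path=%s",
                    call, (unsigned)uid, (long)pid, path ? path : "(null)");
}

/* Emit the record to syslog, opening the log lazily on first use. */
static void audit(const char *call, const char *path)
{
    static int opened;
    char line[512];

    if (!opened) {
        openlog("execaudit", LOG_PID | LOG_NDELAY, LOG_AUTHPRIV);
        opened = 1;
    }
    format_audit(line, sizeof line, call, path, getuid(), getpid());
    syslog(LOG_AUTHPRIV | LOG_INFO, "%s", line);
    g_audited++;
}

/* Interposed execve(): log first, then let the kernel do the real work.
 * Using syscall(2) rather than dlsym(RTLD_NEXT, ...) means the wrapper
 * never touches libc's execve, so it cannot call back into itself. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    int saved = errno;

    audit("execve", path);
    errno = saved;              /* syslog may have clobbered errno */
    return (int)syscall(SYS_execve, path, argv, envp);
}

int main(void)
{
    /* Constructed demo: exec a path that does not exist, so the process
     * survives and we can show that the audit record was emitted. */
    char *const av[] = { "demo", NULL };
    char *const ev[] = { NULL };

    if (execve("/nonexistent/hypothetical-demo-binary", av, ev) == -1)
        printf("execve failed as expected: %s; audited=%lu\n",
               strerror(errno), audited_calls());
    return 0;
}
```

To use it the way the message suggests, build it as a shared object (`cc -shared -fPIC -o libexecaudit.so execaudit.c`) and load it ahead of libc, for instance through the dynamic linker's preload mechanism, or fold the same wrapper into a rebuilt libc.so; open() and the other calls named in the thread get the same treatment with their own SYS_ constants. The caveat the message itself raises still holds: a statically linked binary never goes through this code, and a user who controls their own environment can drop a preloaded library, so a patched kernel syscall (the message's first suggestion) is the only version of this that the monitored user cannot route around.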