Date: Tue, 6 Jan 2004 18:31:31 -0800 (PST)
From: Jason Stone <freebsd-security@dfmm.org>
To: freebsd-security@freebsd.org
Cc: Richard Bejtlich <richard_bejtlich@yahoo.com>
Subject: Re: Logging user activities
Message-ID: <20040106175055.X3696@walter>
In-Reply-To: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
References: <20040106210430.28516.qmail@web60806.mail.yahoo.com>
> What do you recommend for keeping track of user
> activities? For preserving bash histories I followed
> these recommendations:
>
> http://www.defcon1.org/secure-command.html
>
> They include using 'chflags sappnd .bash_history',

I think that this has come up on this list before - check the archives.

anyway, my feeling on this is that relying on shell history tricks is
entirely the wrong approach - anyone who's going to be abusing a system is
going to turn off shell history first thing. Any silly tricks you do to
try and prevent that can easily be worked around by using another shell,
or by running commands through a mechanism other than the shell (:!command
in vi, cat | xargs perl -ple 'system "$_"', etc).

sniffing ttys is a step up, though it's still possible to log in through
ssh/rsh and run commands without allocating a tty.

be cautious about sniffing ttys, though - if users log into other systems
from this system, or if they connect to services running locally that
require authentication, you'll be collecting a tidy pile of very sensitive
information all in one place, making for easy stealing. consider using
crypto, streaming to another, more hardened host, securely destroying the
logs on a regular basis, etc. and of course you should consider the legal
and ethical issues implicated by keystroke logging....

finally, process accounting will universally collect info on every process
that gets run, but it looks like it doesn't log arguments and that it caps
command names to sixteen characters, which is kind of limiting.

 -Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu
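As an added example, not part of Jason's mail or of any FreeBSD tool: a parser for Linux process-accounting records (struct acct_v3 as declared in linux/acct.h; FreeBSD's acct(5) layout differs, but the sixteen-character command field the mail describes is the same idea) run over constructed sample records. It shows what this log source actually keeps (a truncated command name, no arguments) and lists the runs that had no controlling tty, which is exactly what a tty sniffer would have missed.

```python
import struct

# Layout of Linux struct acct_v3 (linux/acct.h): 64 bytes, little-endian.
# Fields: ac_flag, ac_version, ac_tty, ac_exitcode, ac_uid, ac_gid, ac_pid,
# ac_ppid, ac_btime, ac_etime (float), eight comp_t counters, ac_comm[16].
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
ACCT_COMM = 16  # fixed width of ac_comm; argv is never written to the record


def comp_t(c):
    """Decode a comp_t: 13-bit mantissa scaled by a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def make_record(comm, uid, pid, ppid, tty=0, utime=0, stime=0):
    """Constructed sample record (not a real kernel dump), filled the way
    accounting does it: only the command name, cut to ACCT_COMM bytes."""
    return ACCT_V3.pack(0, 3, tty, 0, uid, 0, pid, ppid, 1073433600, 0.0,
                        utime, stime, 0, 0, 0, 0, 0, 0,
                        comm.encode()[:ACCT_COMM])


def parse_record(buf):
    """Unpack one 64-byte record into the fields a reviewer cares about."""
    f = ACCT_V3.unpack(buf)
    return {"comm": f[18].rstrip(b"\0").decode("latin-1"),
            "tty": f[2], "uid": f[4], "pid": f[6], "ppid": f[7],
            "btime": f[8], "utime": comp_t(f[10]), "stime": comp_t(f[11])}


def parse_file(data):
    """Split a raw accounting file (e.g. a pacct file) into records."""
    size = ACCT_V3.size
    return [parse_record(data[i:i + size])
            for i in range(0, len(data) - size + 1, size)]


def no_tty_commands(records):
    """Commands run without a controlling terminal (ac_tty == 0): exactly
    the runs a tty sniffer misses but process accounting still records."""
    return [r["comm"] for r in records if r["tty"] == 0]


# Constructed sample: `perl -ple 'system "$_"'` shows up only as "perl",
# and a 22-byte tool name is truncated to 16 bytes.
SAMPLE = (make_record("perl", 1001, 4242, 4200, tty=0x8801, utime=3)
          + make_record("my_very_long_tool_name", 1001, 4243, 4200)
          + make_record("sh", 0, 4244, 1, stime=(2 << 13) | 5))

if __name__ == "__main__":
    for rec in parse_file(SAMPLE):
        print(rec)
    print("no tty:", no_tty_commands(parse_file(SAMPLE)))
```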